IIS7 add certificate to site from command line

To call out the bits, this is different from IIS6 and earlier. In IIS 6, the metabase contained the socket, the certificate hash associated with the socket, and so on. In 7, the IIS config just contains a socket (a.b.c.d:443) and lets the OS worry about the certificate management stuff on that socket. (Through the GUI, it's designed to look roughly how it used to). The rule is: you can only have one certificate bound to one socket.

IIS:

In IIS 7, IIS doesn't actually care about the certificate binding. I know, like, gasp, right?

In IIS7, all the IIS configuration does is tie IIS to a specific socket (IP + port). That's it. Makes the configuration much more portable between boxes when you don't need to uniquify the certificate hash on each one.

IIS config is managed using APPCMD or {insert IIS 7 management tool of choice here}, by creating a binding for the site to a socket.

OS:

The OS layer takes over control of the SSL part, so you use NETSH to associate a certificate with a particular socket.

This is done through NETSH.

Sukesh posted a guide to both bits a long time ago, and it's still valid: https://stackoverflow.com/questions/591597/how-to-assign-a-ssl-certificate-to-iis7-site-from-command-prompt
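As an added example (not code from the answer or from the linked guide), a PowerShell script that carries out both halves from the command line and checks the result. The site name, IP:port and certificate thumbprint are placeholders, and the application id is assumed to be the one IIS Manager uses when it creates its own HTTP.SYS bindings.

```powershell
# Added example: IIS side (APPCMD) ties the site to a socket, OS side (NETSH)
# gives HTTP.SYS the certificate for that socket. All values below are placeholders.
$SiteName   = 'My Own Web Site'
$IpPort     = '192.168.0.16:443'
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder SHA-1 thumbprint
# Assumed: the application id IIS Manager uses for its SSL bindings (any GUID is accepted).
$IisAppId   = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'
$AppCmd     = "$env:windir\System32\inetsrv\appcmd.exe"

# 1. The certificate (with its private key) must be in the machine's Personal store,
#    because certstorename=MY below refers to that store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint is not in LocalMachine\My or has no private key"
}

# 2. IIS side: the site binding stores only protocol + IP:port:hostname, no certificate.
& $AppCmd set site "/site.name:$SiteName" "/+bindings.[protocol='https',bindingInformation='${IpPort}:']"

# 3. OS side: one certificate per socket. Replace an existing binding instead of
#    letting 'add sslcert' fail with "the file already exists".
$existing = netsh http show sslcert ipport=$IpPort 2>&1
if ($existing -match 'Certificate Hash') {
    netsh http delete sslcert ipport=$IpPort | Out-Null
}
netsh http add sslcert ipport=$IpPort certhash=$Thumbprint appid=$IisAppId certstorename=MY

# 4. Verify that HTTP.SYS now reports the intended hash for this socket.
$bound = netsh http show sslcert ipport=$IpPort
if (-not ($bound -match $Thumbprint)) {
    throw "HTTP.SYS binding for $IpPort does not show certificate $Thumbprint"
}
```

Every site bound to the same IP:port shares the certificate set in step 3, which is why changing it "per site" in IIS Manager changes it for all of them.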

Author: Ken

Updated on September 18, 2022

Comments

  • Ken over 1 year

    I've found through APPCMD that most of IIS7 configuration is possible through the command line. One thing I've not figured out how to do yet: in IIS Manager, Bindings -> Edit -> pick an SSL Certificate.

    "appcmd set site /site.name:foo /?" lists 2 keys that start with "bindings" ("protocol", "bindingInformation") but I haven't found out what they are.

    Some other place suggested that "netsh" could do this, but "netsh http show sslcert" shows my certificate as bound to "0.0.0.0:443" and not to particular IIS7 sites.

    Given that I know the IIS7 name/ID of a site, and the hash of my certificate (which is already the cert on other sites here), is there any way to make it the SSL cert for another IIS7 site, from the command line?

    UPDATE: I did this in the UI, and diff'd the registry, and see that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443 (also in ControlSet0001) is created with my SslCertHash, and an AppId that looks just like the UUID that "netsh http show sslcert" prints but with each section reversed (81e1c34d4be121...). I think I read that this is the AppId for IIS apps, but I'm not sure. It doesn't change in the registry when I delete the Site in IIS Manager and switch to another Site with this SSL cert. Anyway, this looks like the same level of granularity that netsh provides, so I really don't know where IIS Manager gets its per-Site bindings SSL cert assignment.

  • Ken about 13 years
    I saw that SO Q and the Sukesh guide in my searching, but I can't get it to work, and don't understand how it would. I get why IIS7 (I don't know anything about IIS6) would do certs in the OS and not in IIS, but IIS Manager (the GUI) lets me set certs per "SITE", and new sites created by Sukesh's method don't have any cert set (and hence just give an error). I've got other (stopped) sites in IIS also on port 443 that have a cert -- where is the site-cert association stored?
  • Ov's Pianist about 13 years
    The site isn't bound to a cert, it's bound to HTTPS on a particular socket. The cert used by that socket is a detail managed by HTTP.SYS, via NETSH. So something like appcmd set site "My Own Web Site" /-bindings.[protocol='https',bindingInformation='192.168.0.16:443:'] assuming you've already bound the certificate to that IP:port with NetSH. The netsh command corresponding with that would be netsh add sslcert ipport=192.168.0.16:443 certstorename=my blah blah etc. Make sense?
  • Ken about 13 years
    TristanK: It makes perfect sense that it should work that way, but I don't understand why IIS Manager lets you edit SSL certificates at the Site level then. Is that part of the IIS UI just completely misleading? Does editing the SSL cert in IIS change it for all websites on that port? (I was sure I'd seen it not do that, but today it seems to, and I'm all confused.)