How to configure SSL on IIS7 under Windows 2008 Server Core

May 19, 2008 08:51 by Sukesh Ashok Kumar

Due to the popularity of Windows 2008 Server Core I have seen frequent questions about how to configure SSL on IIS7 using only the command line. Since I wandered that path a few months back, I thought of putting this article/guide together.

There are 3 simple steps involved:

1. Importing the Certificate into relevant Certificate Store

If you have a .CER file:
certutil -addstore MY test-cert.cer

OR

If you have a .PFX file:
certutil -importpfx <filename.pfx>

OR

Create and import a test certificate using MakeCert.EXE (which comes with the Visual Studio SDK Tools):
makecert -r -pe -n "CN=sukhyper-v" -b 01/01/2008 -e 01/01/2010 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

2. Configure SSL with HTTP.SYS (command below should be entered on a single line)

netsh http add sslcert ipport=0.0.0.0:443 certstorename=MY certhash=b63293e9c24f7fda4c671beac4a0eff29e0d3b52 appid={5a599f4f-02dc-4120-8646-74fcbc5b4827}


appid can be any unique GUID, but I used the 'Key Container' value of the certificate for ease of use!

    Output of certutil -store MY
    ================ Certificate 1 ================
    Serial Number: ab171a1627a592964d358ec9736da78a
    Issuer: CN=sukhyper-v
    NotBefore: 1/1/2008 12:00 AM
    NotAfter: 1/1/2010 12:00 AM
    Subject: CN=sukhyper-v
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): b6 32 93 e9 c2 4f 7f da 4c 67 1b ea c4 a0 ef f2 9e 0d 3b 52
      Key Container = 5a599f4f-02dc-4120-8646-74fcbc5b4827
      Unique container name: ec4840c8098979e9cc0eb699ef979eaf_931d1088-a4b3-4332-b918-8d75ab3e674e
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Encryption test passed

3. Add HTTPS binding on the website using this certificate

appcmd set site "Default Web Site" /+bindings.[protocol='https',bindingInformation='*:443:']
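As an added example (not from the original post), the Python script below does the bookkeeping between steps 1 and 2 by hand: it parses a `certutil -store MY` listing, turns the spaced SHA-1 hash into the 40-hex-digit certhash that netsh expects, reuses the Key Container GUID as the appid the way the post does, and refuses to emit the netsh/appcmd commands for a certificate that is outside its validity window. The listing it parses is the post's own output, embedded as a constructed string; the function names are mine.

```python
import re
from datetime import datetime
# Constructed sample: the post's own `certutil -store MY` listing, embedded so this runs offline.
SAMPLE_CERTUTIL_OUTPUT = """\
================ Certificate 1 ================
Serial Number: ab171a1627a592964d358ec9736da78a
Issuer: CN=sukhyper-v
NotBefore: 1/1/2008 12:00 AM
NotAfter: 1/1/2010 12:00 AM
Subject: CN=sukhyper-v
Cert Hash(sha1): b6 32 93 e9 c2 4f 7f da 4c 67 1b ea c4 a0 ef f2 9e 0d 3b 52
  Key Container = 5a599f4f-02dc-4120-8646-74fcbc5b4827
"""
CERTUTIL_DATE = "%m/%d/%Y %I:%M %p"  # the timestamp format certutil prints (1/1/2008 12:00 AM)

def parse_certutil_store(text):
    """Split a certutil listing into one {field: value} dict per certificate."""
    certs = []
    for block in re.split(r"^=+ Certificate \d+ =+$", text, flags=re.M)[1:]:
        fields = {}
        for line in block.splitlines():
            m = re.match(r"\s*([^:=]+?)\s*[:=]\s*(.*)$", line)  # 'Key: value' or 'Key = value'
            if m:
                fields[m.group(1)] = m.group(2).strip()
        certs.append(fields)
    return certs

def thumbprint_for_netsh(cert_hash_field):
    # certutil prints the SHA-1 as spaced byte pairs; netsh wants 40 contiguous hex digits
    digits = cert_hash_field.replace(" ", "").lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError("not a SHA-1 thumbprint: %r" % cert_hash_field)
    return digits

def binding_commands(cert, site="Default Web Site", ipport="0.0.0.0:443", today=None):
    """Build the netsh and appcmd commands; refuse a certificate outside its validity window."""
    today = datetime.strptime(today, CERTUTIL_DATE) if today else datetime.now()
    not_before = datetime.strptime(cert["NotBefore"], CERTUTIL_DATE)
    not_after = datetime.strptime(cert["NotAfter"], CERTUTIL_DATE)
    if not (not_before <= today < not_after):  # HTTP.SYS would bind an expired cert without complaint
        raise ValueError("%s is not valid on %s" % (cert["Subject"], today.date()))
    thumb = thumbprint_for_netsh(cert["Cert Hash(sha1)"])
    appid = "{%s}" % cert["Key Container"]  # reuse the Key Container GUID as appid, as the post does
    netsh = "netsh http add sslcert ipport=%s certstorename=MY certhash=%s appid=%s" % (ipport, thumb, appid)
    appcmd = "appcmd set site \"%s\" /+bindings.[protocol='https',bindingInformation='*:%s:']" % (site, ipport.rsplit(":", 1)[1])
    return netsh, appcmd

if __name__ == "__main__":
    for cert in parse_certutil_store(SAMPLE_CERTUTIL_OUTPUT):
        print("\n".join(binding_commands(cert, today="6/1/2009 12:00 AM")))
```

Pipe real `certutil -store MY` output into `parse_certutil_store` and pass no `today` to check against the current clock.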


Other related commands
Enforce SSL for the site with 128-bit encryption
appcmd set config "Default Web Site" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost

Add SSL Binding in IIS
appcmd set site "Default Web Site" /+bindings.[protocol='https',bindingInformation='*:443:']

Remove SSL Binding in IIS
appcmd set site "Default Web Site" /-bindings.[protocol='https',bindingInformation='*:443:']

Show Certificate endpoint from HTTP.SYS
netsh http show sslcert

Delete Certificate endpoint from HTTP.SYS
netsh http delete sslcert ipport=0.0.0.0:443

View Certificate Store
certutil -store MY

View Certificate Store with UI
certutil -viewstore MY



IIS7 Mobile Admin now on CodePlex!!!

March 20, 2008 11:24 by Sukesh Ashok Kumar

IIS7 Mobile Admin is a simple web application to administer IIS7 remotely using a mobile phone browser. I provided a few screenshots of IIS7 Mobile Admin in my previous blog post here: http://www.awesomeideas.net/post/2008/03/04/IIS7-Mobile-Admin.aspx

And I promised to get it on CodePlex for your download pleasure; finally it's ready and available here:

Project Home (Screenshots,FAQ) - http://www.awesomeideas.net/page/IIS7-Mobile-Admin.aspx
Download & Discussion - http://www.codeplex.com/iis7mobileadmin/

What are the features available in this release (called R1)?
Search Application Pools & Web Sites

  • Application Pool
    • Show Requests (Top 10 requests sorted in descending order of 'Time Elapsed')
    • Show Applications
    • Recycle Application Pool
    • TODO:Your wishes...
  • Web Sites
    • Show Configuration (Show all bindings for the website)
    • Start Website
    • Stop Website
    • TODO:Your wishes

Get more screenshots on Project Home http://www.awesomeideas.net/page/IIS7-Mobile-Admin.aspx



IIS7 Mobile Admin

March 5, 2008 12:32 by Sukesh Ashok Kumar

I've been thinking about this pet project for some time. But due to some unforeseen circumstances (just heavy words for laziness) I could not get this ready before.
I'm getting it out of my hard disk now to show some love towards our Web Server Admins who keep our Web 2.0 world running!

IIS7 Mobile Admin is a mobile administration application to manage IIS7 remotely using the Web Browser on your mobile phone.

Ingredients

  • IIS7 Hostable Web Core running inside a custom windows service written in C++
    Read about the service here http://www.awesomeideas.net/page/IIS7-Hostable-WebCore.aspx
    [ You can also use IIS7 website to host it and make sure you isolate into a different application pool ]
  • ASP.NET based Website designed for the browser of a cell phone, using LINQ + the IIS7 managed API (Microsoft.Web.Administration)

The current version of this application is in no way a complete replacement for the desktop version of IIS Manager (it might become one later if I see enough interest).

So let's talk about the scenario in which this could be extremely helpful.
Assume that you are a webserver admin and you have a lot of websites running on the server you manage. It's Christmas time and you are having a wonderful time with your family. Your cell phone rings and on the other side is your customer screaming, since their e-commerce website where people are shopping for Christmas is down.

In such scenarios you would have to reach for your computer, connect to the server through VPN and restart the application pool so that the site is back running, at least as a quick fix for Christmas. Now in this scenario, if you are not at home or you cannot reach your computer, you might have to drive to the office just to recycle the application pool for the website.

You don't need to run to the office or even reach your computer anymore: with "IIS7 Mobile Admin" you can do this and more from your Internet-connected cell phone.

Here is a screenshot of how it looks on Pocket IE in full-screen mode

[Screenshot: MobileUI]

Since I don't want to complicate things too much and to reduce security related issues, I would try not to provide security sensitive features in this UI.

What is a "must have" for this application is up to you to tell me through the comments below.

Once I get enough feedback I'll finish up and get this on http://www.codeplex.com for you to download application & code for free.



Hotfix - After installing MS07-045 Cumulative Security Update for Internet Explorer - CreateObject call fails with 8000ffff

January 31, 2008 00:21 by Sukesh Ashok Kumar

I had reported an issue which happens after installing MS07-045 IE security update.
"After installing MS07-045 Cumulative Security Update for Internet Explorer - CreateObject call fails with 8000ffff "

We have a hotfix available for the same and it's KB 945701. KB is not yet available (as of today) and it might take a while to be public.

If you are struggling with this issue you can call PSS and request the hotfix. It should be publicly available during the next IE patch schedule.



Kernel mode authentication in IIS7

January 31, 2008 00:20 by Sukesh Ashok Kumar

Here is another feature moved to kernel mode. Yes, it's Windows Authentication, which by default is configured to run in kernel mode.

To see the dialog right click on "Windows Authentication" and select "Advanced Settings..."

[Screenshot: KernelAuth]

This applies to the Windows 2008 build and not to Vista RTM.



Differences in SSL request/response flow on IIS6 vs IIS7 (Kernel mode SSL)

January 31, 2008 00:13 by Sukesh Ashok Kumar

There are so many things which have changed in IIS7 for the better, and one of them is the way SSL works. Although IIS6 allowed kernel mode SSL (starting with Windows 2003 SP1), that wasn't the default option. As far as I know (AFAIK), not many customers used it or knew about it.

Starting with IIS7, kernel mode SSL is going to be the default setting and the only setting. This was primarily for performance reasons. So let us see how it differs.

IIS6 SSL request/response flow

1. Request (Encrypted request from client)
2. HTTP.SYS (Kernel mode driver for HTTP accepts the request)
3. HTTPFilter (Sent to user mode service to decrypt)
4. HTTP.SYS (Decrypted request comes back)
5. Worker process (Decrypted request sent to W3WP => IIS)
6. HTTP.SYS (Response comes back from IIS)
7. HTTPFilter (Sent again to user mode to encrypt response)
8. HTTP.SYS (Encrypted response arrives from user mode)
9. Response (Encrypted response sent back to client)


IIS7 SSL request/response flow

1. Request (Encrypted request from client)
2. HTTP.SYS (Kernel mode driver for HTTP accepts and decrypts using SChannel)
3. Worker process (Decrypted request sent to W3WP => IIS)
4. HTTP.SYS (Response from IIS is encrypted using SChannel)
5. Response (Encrypted response sent back to client)

You know that context switching between kernel mode and user mode is expensive, and this new design, with SSL processing done inside kernel mode, increases performance on IIS7.

IIS7 Rocks!!!



After installing MS07-045 Cumulative Security Update for Internet Explorer - CreateObject call fails with 8000ffff

September 19, 2007 14:38 by Sukesh Ashok Kumar

We have noticed an issue of CreateObject call failure after installing the MS07-045 IE update. This issue goes away if you uninstall the patch. As per the information available, it happens only when a .NET managed component (using interop) is called from an ASP page.

The error shown in the browser looks like this:

Server object error 'ASP 0177 : 8000ffff'
Server.CreateObject Failed
/hellocom.asp, line 2
8000ffff

Repro steps:

  • Install MS07-045 security patch
  • Create a .NET managed component (helloworld.dll)
  • Make it COM visible and register it using "regasm helloworld.dll /codebase"
  • Create an ASP page (inside your website folder) which calls this component using CreateObject (hellocom.asp)
  • The page fails with the error mentioned above

For repro and testing I'm attaching the following repro files:

  • helloworld.dll (managed component)
  • hellocom.asp (which uses the above component using CreateObject call)

Code inside helloworld.dll

using System;
using System.Runtime.InteropServices;

// Exposed to COM explicitly so that regasm registers it even when
// AssemblyInfo.cs sets ComVisible(false); the ProgID matches the
// name the ASP page passes to Server.CreateObject.
[ComVisible(true)]
[ProgId("HelloWorldClass")]
public class HelloWorldClass
{
    public HelloWorldClass()
    {}

    public String SayHello()
    {
        return "Hello World";
    }
}

Code inside hellocom.asp

<%
Set hello = Server.CreateObject("HelloWorldClass")
Response.Write hello.SayHello()
%>

In my repro I get access denied on these registry keys for the IUSR account

[Screenshot: Accessdenied]

Until an official update is available for this issue, please run Regmon and fix the permission issues shown in its logs. Grant permission only to the user account shown in the Regmon logs and not to the Everyone group, since that would increase the security risk.

To test whether the permission requirement is only for the IUSR account, add the IUSR account to the Administrators group and test. In my case it works and confirms that it's a missing permission only for IUSR. This step is only for testing and needs to be reverted immediately.

Uninstalling this patch is not recommended since it's a security update.



How to check certificate expiry for webserver (IIS) certificates using a script

September 13, 2007 19:40 by Sukesh Ashok Kumar

Although the title says webserver certificates the script is not limited to webserver certificates only.

This script is useful for admins to check the expiry dates of server certificates and be prepared to renew or change them. If you have ideas for using this in your server environment and you need help tweaking the script, do let me know.

Please copy & paste the script below into a file called "CertExpiryCheck.vbs" and run it from the command line like

C:\> cscript certexpirycheck.vbs [SubjectName]


C:\> cscript certexpirycheck.vbs sukak

[Screenshot: CertExpiryCheck output]

* here "sukak" is the subject name, which usually would be your domain name (FQDN)
* "Issued by" also shows "sukak" in my case since the test was done using a self-issued certificate created with selfSSL.exe


'**************************************************
'* CertExpiryCheck.vbs
'* Enumerate certificates with days left to expiry
'**************************************************

Option Explicit
Dim SubjectName
If WScript.Arguments.Count > 0 Then
    SubjectName = LCase(WScript.Arguments(0))
Else
    CommandUsage
End If

Dim Store, Certificates, Certificate
Const CAPICOM_LOCAL_MACHINE_STORE = 1
Const CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME = 1
Const CAPICOM_STORE_OPEN_READ_ONLY = 0

' Open the local machine's personal (MY) store read-only and search by subject name
Set Store = CreateObject("CAPICOM.Store")
Store.Open CAPICOM_LOCAL_MACHINE_STORE, "MY", CAPICOM_STORE_OPEN_READ_ONLY
Set Certificates = Store.Certificates.Find(CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME, SubjectName, 0)

If Certificates.Count > 0 Then
    For Each Certificate In Certificates
        'Certificate.Display()    'Uncomment if you want to see the certificate in the UI
        WScript.Echo "*** Subject " & Certificate.SubjectName & " ***"
        WScript.Echo "Issued by " & Certificate.IssuerName
        WScript.Echo "Valid from " & Certificate.ValidFromDate & " to " & Certificate.ValidToDate
        WScript.Echo "Days to expiry " & DateDiff("d", Now(), Certificate.ValidToDate)
        WScript.Echo
    Next
Else
    WScript.Echo "No certificates with SubjectName => '" & SubjectName & "'"
End If

Set Certificates = Nothing
Set Store = Nothing

Sub CommandUsage
    MsgBox "Usage: CertExpiryCheck.vbs [SubjectName]", vbInformation, "CertExpiryCheck"
    WScript.Quit(1)
End Sub


Just keep in mind you need capicom.dll to use this script. It comes by default on Windows 2003 (I guess) but might need to be downloaded and registered on other platforms like Vista. Use regsvr32 capicom.dll to register it before using the script.



MSN Cartoon Beta (cool way to create smileys from photos)

July 15, 2007 23:55 by Sukesh Ashok Kumar

Recently I stumbled upon a discussion on facial recognition and creating models from faces. I came to know that MSN China had launched a service called "MSN Cartoon Beta".
Chinese is like French to me; I know neither :)

But I thought it would be an awesome feature to have for all Windows Live services, so I tried my guess-and-click skills to get it working!
The following video demonstrates how to use the web-based page to create an MSN Cartoon without learning Chinese :)

Before beginning with the application there is a small web-based install which pops up, but you know which buttons to click if you have used Windows for long enough!
The last button click on the page gives you a zip file containing the newly created smileys for all your cool expressions... Now stop reading and check the video and the site ;)


URL => http://cartoon.msn.com.cn/ 

If there is enough demand for audio commentary I will add voice to explain the different buttons and their options.



How to reuse contacts from Live Messenger in Vista?

July 15, 2007 23:35 by Sukesh Ashok Kumar

Assume that you have a lot of contacts on Live Messenger which you would like to use in different applications provided in Vista. By default you won't have direct access to the contacts, due to security settings (encryption) that protect that information.

There is an easy tweak/option to enable access to this information.

In Windows Live Messenger go to
Tools -> Options -> Security (Uncheck the box shown below)

[Screenshot: Security options]

Now check your "C:\users\<login Name>\Contacts" folder; you will find a folder with your Live ID name and all your Messenger contacts inside it...



Author

Sukesh Ashok Kumar
Works @ Microsoft
Disclaimer

All opinions posted here are those of the author and are in no way intended to represent the opinions of his employer. All posts are provided "AS IS" with no warranties, and confers no rights. © Copyright 2010
