How to configure SSL on IIS7 under Windows 2008 Server Core
Posted on May 18, 2008 17:51 by Sukesh

Due to the popularity of Windows 2008 Server Core I have frequently seen questions about how to configure SSL on IIS7 using only the command line. Since I wandered down that path a few months back, I thought of putting this article/guide together.

There are 3 simple steps involved

1. Importing the Certificate into relevant Certificate Store

If you have a .CER file
certutil -addstore MY test-cert.cer

OR

If you have .PFX file
certutil -importpfx <filename.pfx>

OR

Create and Import test certificate using MakeCert.EXE (which comes with Visual Studio SDK Tools)
makecert -r -pe -n "CN=sukhyper-v" -b 01/01/2008 -e 01/01/2010 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

2. Configure SSL with HTTP.SYS (command below should be entered on a single line)

netsh http add sslcert ipport=0.0.0.0:443 certstorename=MY certhash=b63293e9c24f7fda4c671beac4a0eff29e0d3b52
appid={5a599f4f-02dc-4120-8646-74fcbc5b4827}


appid can be any unique GUID but I used ‘Key Container’ value of the certificate for ease of use!

    Output of certutil -store MY
    ================ Certificate 1 ================
    Serial Number: ab171a1627a592964d358ec9736da78a
    Issuer: CN=sukhyper-v
    NotBefore: 1/1/2008 12:00 AM
    NotAfter: 1/1/2010 12:00 AM
    Subject: CN=sukhyper-v
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): b6 32 93 e9 c2 4f 7f da 4c 67 1b ea c4 a0 ef f2 9e 0d 3b 52
      Key Container = 5a599f4f-02dc-4120-8646-74fcbc5b4827
      Unique container name: ec4840c8098979e9cc0eb699ef979eaf_931d1088-a4b3-4332-b918-8d75ab3e674e
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Encryption test passed

3. Add HTTPS binding on the website using this certificate

appcmd set site "Default Web Site" /+bindings.[protocol='https',bindingInformation='*:443:']

 

Other related commands
Enforce SSL for the site with 128bit
appcmd set config "Default Web Site" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost

Add SSL Binding in IIS
appcmd set site "Default Web Site" /+bindings.[protocol='https',bindingInformation='*:443:']

Remove SSL Binding in IIS
appcmd set site "Default Web Site" /-bindings.[protocol='https',bindingInformation='*:443:']

Show Certificate endpoint from HTTP.SYS
netsh http show sslcert

Delete Certificate endpoint from HTTP.SYS
netsh http delete sslcert ipport=0.0.0.0:443

View Certificate Store
certutil -store  MY

View Certificate Store with UI
certutil -viewstore  MY



IIS7 Mobile Admin now on codeplex !!!
Posted on March 19, 2008 20:24 by Sukesh

IIS7 Mobile Admin is a simple web application to administer IIS7 remotely using a mobile phone browser. I provided a few screenshots of IIS7 Mobile Admin in my previous blog post here http://www.awesomeideas.net/post/2008/03/04/IIS7-Mobile-Admin.aspx

And I promised to get it on codeplex for your download pleasure and finally it's ready and available here

Project Home (Screenshots,FAQ) - http://www.awesomeideas.net/page/IIS7-Mobile-Admin.aspx
Download & Discussion - http://www.codeplex.com/iis7mobileadmin/

What are the features available in this release (called R1)?
Search Application Pools & Web Sites

  • Application Pool
    • Show Requests (Top 10 requests sorted in descending order of 'Time Elapsed')
    • Show Applications
    • Recycle Application Pool
    • TODO:Your wishes...
  • Web Sites
    • Show Configuration (Show all bindings for the website)
    • Start Website
    • Stop Website
    • TODO:Your wishes

Get more screenshots on Project Home http://www.awesomeideas.net/page/IIS7-Mobile-Admin.aspx



IIS7 Mobile Admin
Posted on March 4, 2008 21:32 by Sukesh

I've been thinking about this pet project for some time. But due to some unforeseen circumstances (just heavy words for laziness) I could not get this ready before.
I'm getting it out of my hard disk now to show some love towards our Web Server Admins who keep our Web 2.0 world running !

IIS7 Mobile Admin is a mobile administration application to manage IIS7 remotely using the Web Browser on your mobile phone.

Ingredients

  • IIS7 Hostable Web Core running inside a custom windows service written in C++
    Read about the service here http://www.awesomeideas.net/page/IIS7-Hostable-WebCore.aspx
    [ You can also use IIS7 website to host it and make sure you isolate into a different application pool ]
  • ASP.NET based Website designed for use on browser of a cell phone using LINQ + IIS7 managed API (Microsoft.Web.Administration)

The current version of this application is in no way a complete replacement for the desktop version of IIS Manager (it might become one later if I see enough interest).

So let's talk about the scenario in which this could be extremely helpful.
Assume that you are a webserver admin and you have a lot of websites running on the server you manage. It's Christmas time and you are having a wonderful time with your family. Your cell phone rings and on the other side is your customer, screaming because their e-commerce website, where people are shopping for Christmas, is down.

In such scenarios you would have to reach for your computer, connect to the server through VPN and restart the application pool so that the site is back up and running, at least as a quick fix for Christmas. If you are not at home or you cannot reach your computer, you might have to drive to the office just to recycle the application pool for the website.

You don't need to run to the office or even reach your computer anymore. With "IIS7 Mobile Admin" you can do this and more from your Internet-connected cell phone.

Here is a screenshot of how it looks like on Pocket IE in full-screen mode

[Screenshot: MobileUI]

Since I don't want to complicate things too much and to reduce security related issues, I would try not to provide security sensitive features in this UI.

What is "must have" for this application, it's up to you to tell me through the comments below.

Once I get enough feedback I'll finish up and get this on http://www.codeplex.com for you to download application & code for free.



Kernel mode authentication in IIS7
Posted on January 30, 2008 09:20 by Sukesh

Here is another feature moved to kernel mode. Yes, it's Windows Authentication, which is by default configured to run in kernel mode.

To see the dialog right click on "Windows Authentication" and select "Advanced Settings..."

[Screenshot: KernelAuth]

This applies to Windows 2008 build and not Vista RTM.



Differences in SSL request/response flow on IIS6 vs IIS7 (Kernel mode SSL)
Posted on January 30, 2008 09:13 by Sukesh

There are so many things which have changed in IIS7 for the better, and one of them is the way SSL works. Although IIS6 allowed kernel mode SSL (starting with Windows 2003 SP1), that wasn't the default option. As far as I know (AFAIK) not many customers used it or knew about it.

Starting with IIS7 kernel mode SSL is going to be the default setting and the only setting. This was primarily for performance reasons. So let us see how it differs.

IIS6 SSL request/response flow

1. Request (Encrypted Request from client)
2. HTTP.SYS (Kernel Mode driver for HTTP accepts the request)
3. HTTPFilter (Sent to user mode service to decrypt)
4. HTTP.SYS (Decrypted request comes back)
5. Worker process (Sent decrypted request to W3Wp => IIS)
6. HTTP.SYS (Response comes back from IIS)
7. HTTPFilter (Sent again to user mode to encrypt response)
8. HTTP.SYS (Encrypted response arrives from user mode)
9. Response (Encrypted response sent back to client)

 

IIS7 SSL request/response flow

1. Request (Encrypted Request from client)
2. HTTP.SYS (Kernel Mode driver for HTTP accepts and decrypts using SChannel)
3. Worker process (Sent decrypted request to W3Wp => IIS)
4. HTTP.SYS (Response from IIS is encrypted using SChannel)
5. Response (Encrypted Response sent back to client)

You know that context switching between kernel mode and user mode is expensive and this new design of how SSL processing is done inside kernel mode increases performance on IIS7.

IIS7 Rocks!!!



Redirecting from http to https in IIS7 (http2https Updated)
Posted on September 5, 2007 09:07 by Editor

I had written a sample to redirect all http traffic to https (secure) in September 2006 http://blogs.msdn.com/sukeshak/archive/2006/09/03/http2https.aspx

On one of our internal discussion aliases the question came up that this method does not work when SSL is forced on the website. Step 5 below handles that scenario by checking for the "403.4 SSL required" response and handling it during the OnEndRequest event.

So let us get into action (I'm using C# for this sample)

  1. Download and Install IIS7 Managed Module Starter Kit
    (Not really a requirement but it would make developing IIS7 modules easier)
  2. Rename the default class name created to "redir.cs" and rename project/solution/namespace to "http2https"
  3. Add the following code in "Init" method
    // register for the BeginRequest and EndRequest events
    application.BeginRequest += new EventHandler(OnBeginRequest);
    application.EndRequest += new EventHandler(OnEndRequest);
  4. Add the following method to implement "BeginRequest" event
    //BeginRequest implementation
    public void OnBeginRequest(Object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        string HttpUrl = app.Request.Url.ToString();

        if (HttpUrl.StartsWith("http:"))                      //Redirection done only if URL starts with http:
        {
            HttpUrl = HttpUrl.Replace("http:", "https:");
            app.Response.Redirect(HttpUrl.ToString(), true);  //Redirecting (http 302) to the same URL but with https
            app.Response.End();                               //We don't want to go any further so end
        }
    }
    
  5. Add the following method to implement "OnEndRequest" event

    //This is for the scenario where SSL is forced on the site
    public void OnEndRequest(Object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;

        //403.4 = "SSL required", returned when the request arrived over plain http
        if (app.Response.StatusCode == 403 && app.Response.SubStatusCode == 4)
        {
            string HttpUrl = app.Request.Url.ToString();

            if (HttpUrl.StartsWith("http:"))
            {
                HttpUrl = HttpUrl.Replace("http:", "https:");
                app.Response.Redirect(HttpUrl.ToString(), true);
                app.Response.End();
            }
        }
    }
    
    

  6. Make sure you have the following in your web.config inside configuration tag
    <system.webServer>
    <modules>
       <add name="redir" type="http2https.redir" />
    </modules>
    </system.webServer> 
    

 

Your http to https redirection sample is ready and also works if you force SSL!!!


How to deploy the HttpModule
There are multiple ways you can deploy this component (I'm assuming that it's being deployed for "default website")

Method 1
Create a folder called "App_Code" inside "%systemdrive%\inetpub\wwwroot"
Copy "redir.cs" file into "App_Code" folder
Copy "web.config" file inside "%systemdrive%\inetpub\wwwroot"

Method 2
Create a folder called "bin" inside "%systemdrive%\inetpub\wwwroot"
Compile "redir.cs" into "redir.dll" and copy it into "bin" folder (to compile -> csc.exe /out:redir.dll /target:library redir.cs)
Copy "web.config" file inside "%systemdrive%\inetpub\wwwroot"

If you open IIS7 UI and go to Modules you can see your HttpModule listed there.

Source code http://www.awesomeideas.net/page/IIS7-http2https.aspx



Redirecting from http to https in IIS7
Posted on September 3, 2006 16:20 by Sukesh

I was thinking of writing an HttpModule for IIS7 and wanted a simple, useful and easily understandable scenario. Having worked with IIS customers for the last 3 years, one of those common scenarios came to mind: redirecting http traffic to https. Although this is a pretty straightforward requirement, up to IIS6 it was difficult to achieve. Check KB 839357 (specifically for the OWA scenario), which explains the cumbersome steps.

(If you are looking for same functionality in prior versions of IIS, find it at the bottom of this post)

HttpModules are not something new if you are an ASP.NET developer. But there are some differences. In IIS7 because of integrated pipeline, HttpModule applies to any request not just ASP.NET and that includes htm,jpg,asp,aspx,asmx,php,jsp...

So let us get into action (I'm using C# for this sample)

  1. Download and Install IIS7 Managed Module Starter Kit
    (Not really a requirement but it would make developing IIS7 modules easier)
  2. Rename the default class name created to "redir.cs" and rename project/solution/namespace to "http2https"
  3. Add the following code in "Init" method

    // register for the BeginRequest event
    application.BeginRequest += new EventHandler(OnBeginRequest);

  4. Add the following method to implement "BeginRequest" event

    //BeginRequest implementation
    public void OnBeginRequest(Object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        string HttpUrl = app.Request.Url.ToString();

        if (HttpUrl.StartsWith("http:"))                      //Redirection done only if URL starts with http:
        {
            HttpUrl = HttpUrl.Replace("http:", "https:");
            app.Response.Redirect(HttpUrl.ToString(), true);  //Redirecting (http 302) to the same URL but with https
            app.Response.End();                               //We don't want to go any further so end
        }
    }

  5. Make sure you have the following in your web.config inside configuration tag
    <system.webServer>
    <modules>
    <add name="redir" type="http2https.redir" />
    </modules>
    </system.webServer>

Your http to https redirection sample is ready!!!
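Both versions of the module (this post and the updated one above) build the target with `Replace("http:", "https:")`, which also rewrites any `http:` that appears inside the path or query string and carries a non-default port such as `:8080` over to the https URL. A variant that changes only the scheme and port, as an added example that is not the author's code; the helper names `ToHttps` and `RedirectIfPlainHttp` are introduced here, and the default port is assumed to match the `*:443:` binding:

```csharp
// Added example, not the original redir.cs: same module, scheme-only rewrite.
using System;
using System.Web;

namespace http2https
{
    public class redir : IHttpModule
    {
        public void Init(HttpApplication application)
        {
            // Same two events the posts register for.
            application.BeginRequest += OnBeginRequest;
            application.EndRequest += OnEndRequest;
        }

        public void Dispose() { }

        // Hypothetical helper: returns the https form of a request URL.
        // Only scheme and port change; the path and query string, including
        // any "http:" carried inside a parameter, are left untouched.
        public static string ToHttps(Uri requestUrl)
        {
            UriBuilder builder = new UriBuilder(requestUrl);
            builder.Scheme = Uri.UriSchemeHttps;
            builder.Port = -1;               // -1 selects the scheme's default port (443)
            return builder.Uri.AbsoluteUri;  // escaped form, suitable for a Location header
        }

        // Hypothetical helper shared by both event handlers.
        private static void RedirectIfPlainHttp(HttpApplication app)
        {
            // Uri.Scheme is already lower-cased, so an exact comparison is enough.
            if (app.Request.Url.Scheme == Uri.UriSchemeHttp)
            {
                // endResponse = true ends the request, as in the original sample.
                app.Response.Redirect(ToHttps(app.Request.Url), true);
            }
        }

        private void OnBeginRequest(object sender, EventArgs e)
        {
            RedirectIfPlainHttp((HttpApplication)sender);
        }

        // Covers the "SSL forced on the site" case: IIS answers 403.4 first.
        private void OnEndRequest(object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication)sender;
            if (app.Response.StatusCode == 403 && app.Response.SubStatusCode == 4)
            {
                RedirectIfPlainHttp(app);
            }
        }
    }
}
```

The web.config registration from the last step applies unchanged, since the namespace and class name are the same.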


How to deploy the HttpModule
There are multiple ways you can deploy this component (I'm assuming that it's being deployed for "default website")

Method 1
Create a folder called "App_Code" inside "%systemdrive%\inetpub\wwwroot"
Copy "redir.cs" file into "App_Code" folder
Copy "web.config" file inside "%systemdrive%\inetpub\wwwroot"

Method 2
Create a folder called "bin" inside "%systemdrive%\inetpub\wwwroot"
Compile "redir.cs" into "redir.dll" and copy it into "bin" folder (to compile -> csc.exe /out:redir.dll /target:library redir.cs)
Copy "web.config" file inside "%systemdrive%\inetpub\wwwroot"

If you open IIS7 UI and go to Modules you can see your HttpModule listed there.

Redirection options for prior versions of IIS below (you need to search for these)

- ASP.NET URL mapping capability (HttpContext.RewritePath)
- IIS v6.0 Resource Kit includes the UrlRemap tool
- IISRewrite
- ISAPI_Rewrite - includes a "lite" version available for free.
- Mod_Rewrite 2
- Ionic's ISAPI Rewrite Filter

***** Updated code snippet and source download is here *****
http://www.awesomeideas.net/page/IIS7-http2https.aspx 



ABC's of Appcmd (command line administration in IIS7)
Posted on May 24, 2006 11:50 by sukesh

So what is Appcmd.exe?

This is the "one" command-line tool to administer IIS7. In IIS6, admin tasks were done using several scattered VBS script files. This made it difficult to find out which script needs to be run, e.g. to get the list of worker processes.

So IIS7 is powered with Appcmd.exe which provides all the options you need to administer IIS7.

Following are the options/categories available from a high level

SITE      Administration of virtual sites
APP       Administration of applications
VDIR      Administration of virtual directories
APPPOOL   Administration of application pools
CONFIG    Administration of general configuration sections
WP        Administration of worker processes
REQUEST   Administration of HTTP requests
MODULE    Administration of server modules
BACKUP    Administration of server configuration backups
TRACE     Working with failed request trace logs

Let's see how we can use it with an example

When I installed LH Server Beta (I rebuild my box quite frequently) I wanted to see what it's like to have 1000 websites running on IIS7.

So I created 1000 websites on my box.

A good scenario to use Appcmd.exe and also my MS-DOS experience. No, I've not gone nuts to create them using the UI :)

Steps required

  1. Wanted separate folders for each website
  2. Wanted to use same IP address and port for all websites
  3. Type a command and leave the box to create all the websites

Keep in mind I'm not talking about Server but my desktop machine. Yea its got 2GB RAM though.

Steps below

  1. Created a folder - E:\Websites
  2. I wrote a batch file (createsite.cmd) with the following
    MD E:\Websites\Site%1
    appcmd add site /name:"Site%1" /id:%1 /bindings:http/:*:80:site%1 /physicalPath:"E:\Websites\Site%1"

    appcmd start site "Site%1"
  3. Now the command to trigger the batch file where my MS-DOS experience came handy
    C:\>FOR /L %i IN (2,1,5) DO createsite.cmd %i

FOR command is a batch file loop which simply works like 'for' loop in your favorite language

FOR /L %i IN (2,1,1000) DO createsite.cmd %i

is equivalent to the following in C

for ( i=2; i <= 1000; i++ ) 
   createsite( i );

I started value of 'i' from 2 because "Default Website" has Site ID 1.

Hit enter and wait till the folders and websites are created for each iteration.

Bingo !!! 1000 websites ready to be administered or tested.

So the result would be
E:\Websites folder would have folders called Site2, Site3 etc... and in IIS there would be sites with name Site2, Site3 etc...

Let's revisit the appcmd command above once again

appcmd add site
/name:"Site%1" // website name
/id:%1 // Site ID
/bindings:http/:*:80:site%1 // site would have "All Unassigned" including host header with the site name
/physicalPath:"E:\Websites\Site%1" // Pointing to the physical folder for that site

appcmd start site "Site%1"  // pretty straightforward, it starts the website

What else can I do to extend this scenario?

  • Create Application Pools separately for each website
  • Create a simple ASP page and drop it in every folder created
  • Use TinyGET utility (available with IIS6 Resource Kit) to simulate request

Some other useful command options

Create Backup
C:\>appcmd add backup "backup before screwup"
BACKUP object "backup before screwup" added

List Backup
C:\>appcmd list backup
BACKUP "backup before screwup"

Restore from Backup
C:\>appcmd restore backup "backup before screwup"
Restored configuration from backup "backup before screwup"

Currently Executing Requests
C:\>appcmd list  request
REQUEST "fa00000080000487" (url:GET /highcpu.asp, time:1903 msec, client:localhost)

Will add more of this later...

 



IIS Community Portal is here... !!!
Posted on May 24, 2006 03:35 by sukesh

I'm super excited to add this post to announce the release of IIS Community Portal - www.iis.net . To tell you, I've been waiting for it to be public so that I can blog about the site and open up on IIS7 features, tips & tricks.

You might think why a community site for a server product? How are administrators going to contribute to a community site. Will it be asking questions and providing answers ? Then why a portal and why not just a forum?

With the release of IIS7 (available in beta on Vista & Longhorn Server builds) and also on the CTP (Community Tech Preview) releases of the OS, there is a lot of meat added to developers.

Prior to IIS7 it was VC++ developer friendly, because they could write ISAPI Filters & ISAPI Extensions to extend the features of prior versions of IIS up to IIS6. Then came ASP.NET and HTTP Handlers & Modules. But with the architecture of IIS6, the control of HTTP request processing was handled first by ISAPIs (you know why VC guys feel so proud) and only then given to their .NET counterparts.

Now with IIS7 the door is open for "Managed Code Developers" as well. Can you believe that?

hmmm so now you're getting some hint on why we need IIS portal and not just a forum. So challenge would be for developers both managed & unmanaged world, to be creative and start developing your ideas into components like never before !!!

So am I just talking about the same HTTP Handlers & HTTP Modules?

Noooo, you can, not only change the way existing stuff works (like before) but also REPLACE default components.... Isn't that awesome power for us (developers) to dive in?

Best example would be the sample Bill Staples showcased on how to change the look and feel of "Directory browsing" with cool image thumbnails... (See the video available at www.iis.net)

But replacing features are not at all limited to the above mentioned sample but your creative thinking. Everything becomes easy because now you can use your favorite .NET language for developing.

 



IIS7 Administration User Interface
Posted on May 17, 2006 06:26 by sukesh

Here is a glimpse of the new IIS7 UI from my Vista Ultimate Edition. Just keep in mind that there might be changes happening before the release and might look different. Again this is Vista (which means client version) and not the Server version. Click thumbnails to see the rest.

Web Server Level

Web Site Level

Modules (both managed and unmanaged)

SMTP configuration for using email in applications

more of these coming up soon...





Disclaimer

All opinions posted here are those of the author and are in no way intended to represent the opinions of his employer. All posts are provided "AS IS" with no warranties, and confers no rights. © Copyright 2008
