How to configure SSL on IIS7 under Windows 2008 Server Core
Posted on May 18, 2008 17:51

Due to the popularity of Windows 2008 Server Core, I have frequently seen questions about how to configure SSL on IIS7 using only the command line. Since I went down that path a few months back, I thought of putting this article/guide together.

There are 3 simple steps involved:

1. Importing the Certificate into relevant Certificate Store

If you have a .CER file
certutil -addstore MY test-cert.cer

OR

If you have a .PFX file
certutil -importpfx <filename.pfx>

OR

Create and Import test certificate using MakeCert.EXE (which comes with Visual Studio SDK Tools)
makecert -r -pe -n "CN=sukhyper-v" -b 01/01/2008 -e 01/01/2010 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

2. Configure SSL with HTTP.SYS (command below should be entered on a single line)

netsh http add sslcert ipport=0.0.0.0:443 certstorename=MY certhash=b63293e9c24f7fda4c671beac4a0eff29e0d3b52
appid={5a599f4f-02dc-4120-8646-74fcbc5b4827}


appid can be any unique GUID but I used ‘Key Container’ value of the certificate for ease of use!

    Output of certutil -store MY
    ================ Certificate 1 ================
    Serial Number: ab171a1627a592964d358ec9736da78a
    Issuer: CN=sukhyper-v
    NotBefore: 1/1/2008 12:00 AM
    NotAfter: 1/1/2010 12:00 AM
    Subject: CN=sukhyper-v
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): b6 32 93 e9 c2 4f 7f da 4c 67 1b ea c4 a0 ef f2 9e 0d 3b 52
      Key Container = 5a599f4f-02dc-4120-8646-74fcbc5b4827
      Unique container name: ec4840c8098979e9cc0eb699ef979eaf_931d1088-a4b3-4332-b918-8d75ab3e674e
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Encryption test passed

3. Add HTTPS binding on the website using this certificate

appcmd set site "Default Web Site" /+bindings.[protocol='https',bindingInformation='*:443:']
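
Steps 2 and 3 as one cmd.exe batch file that reads the thumbprint from `certutil -store MY`, strips the spaces certutil prints, and confirms each step took effect. This is an added example, not part of the original post; it assumes the certificate from step 1 is already in the MY store, uses the article's sample CN, appid and site name, and its variable names are chosen for illustration.

```bat
@echo off
rem Added example (not from the original post): steps 2 and 3 with checks.
rem SUBJECT, APPID and SITE are the article's sample values; change them.
setlocal
set "SUBJECT=sukhyper-v"
set "APPID={5a599f4f-02dc-4120-8646-74fcbc5b4827}"
set "SITE=Default Web Site"
set "APPCMD=%windir%\system32\inetsrv\appcmd.exe"

rem Read the "Cert Hash(sha1)" line for the certificate whose CN is SUBJECT.
rem If several certificates match, the last one listed is used.
set "HASH="
for /f "tokens=2 delims=:" %%H in ('certutil -store MY "%SUBJECT%" ^| findstr /l /c:"Cert Hash(sha1)"') do set "HASH=%%H"
if not defined HASH (
  echo No certificate with CN=%SUBJECT% found in the MY store.
  exit /b 1
)

rem certutil prints "b6 32 93 ..."; netsh wants 40 hex digits without spaces.
set "HASH=%HASH: =%"
if not defined HASH goto :badhash
if "%HASH:~39,1%"=="" goto :badhash
if not "%HASH:~40,1%"=="" goto :badhash

rem Step 2: bind the certificate in HTTP.SYS, then confirm what is bound.
netsh http add sslcert ipport=0.0.0.0:443 certstorename=MY certhash=%HASH% appid=%APPID%
netsh http show sslcert ipport=0.0.0.0:443 | findstr /i /l /c:"%HASH%" >nul
if errorlevel 1 (
  echo HTTP.SYS is not serving %HASH% on 0.0.0.0:443.
  echo For error 1312, a commenter on the post used: certutil -repairstore MY %HASH%
  exit /b 1
)

rem Step 3: add the IIS https binding unless the site already has it.
"%APPCMD%" list site "%SITE%" | findstr /l /c:"https/*:443:" >nul
if errorlevel 1 "%APPCMD%" set site "%SITE%" /+bindings.[protocol='https',bindingInformation='*:443:']
"%APPCMD%" list site "%SITE%" | findstr /l /c:"https/*:443:" >nul
if errorlevel 1 (
  echo IIS binding https/*:443: is missing on "%SITE%".
  exit /b 1
)
echo SSL configured: certificate %HASH% on 0.0.0.0:443 for "%SITE%".
exit /b 0

:badhash
echo Unexpected thumbprint "%HASH%" (expected 40 hex digits).
exit /b 1
```

The script can be re-run safely: an existing HTTP.SYS entry with a different certificate is reported rather than overwritten, and an existing https binding is left alone.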

 

Other related commands
Enforce 128-bit SSL for the site
appcmd set config "Default Web Site" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost

Add SSL Binding in IIS
appcmd set site "Default Web Site" /+bindings.[protocol='https',bindingInformation='*:443:']

Remove SSL Binding in IIS
appcmd set site "Default Web Site" /-bindings.[protocol='https',bindingInformation='*:443:']

Show Certificate endpoint from HTTP.SYS
netsh http show sslcert

Delete Certificate endpoint from HTTP.SYS
netsh http delete sslcert ipport=0.0.0.0:443

View Certificate Store
certutil -store MY

View Certificate Store with UI
certutil -viewstore MY



Comments


August 20. 2008 06:26

Urmil
I am following the same steps but I am getting "SSL Certificate add failed, Error: 1312
A specified logon session does not " error when I do the 2nd step. Running Certutil -repairstore my <Certhash> followed by the 2nd and 3rd steps did the job for me. Any clues why?

Urmil us

September 8. 2008 14:43

Sukesh
AFAIK, this is due to some compatibility between the tool and new CNG (Cryptography Next Generation) API introduced in Windows 2008.

I'm glad that you found a way to get it fixed.

You can read more about CNG features here
http://msdn.microsoft.com/en-us/library/bb204775(VS.85).aspx

Sukesh in

