How to configure SSL on IIS7 under Windows 2008 Server Core
Posted on May 18, 2008 17:51 by Sukesh

Due to the popularity of Windows 2008 Server Core I have frequently seen questions about how to configure SSL on IIS7 using only the command line. Since I walked that path a few months back I thought I would put this article/guide together.

There are 3 simple steps involved

1. Importing the Certificate into the relevant Certificate Store

The store that matters is the Local Machine personal store (MY), because that is where step 2 tells HTTP.SYS to look for the certificate.

If you have a .CER file
certutil -addstore MY test-cert.cer

A .CER file carries only the public certificate, so this works when the matching private key already exists on this machine (for example, the certificate request was generated here). Without a private key in the store, step 2 fails.

OR

If you have a .PFX file (certificate plus private key)
certutil -importpfx <filename.pfx>

You will be prompted for the PFX password; the certificate and key land in the Local Machine MY store.

OR

Create and import a test certificate using MakeCert.EXE (which comes with the Visual Studio SDK tools)
makecert -r -pe -n "CN=sukhyper-v" -b 01/01/2008 -e 01/01/2010 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

Here -r makes the certificate self-signed, -pe marks the private key exportable, -eku 1.3.6.1.5.5.7.3.1 is the Server Authentication usage, -ss my -sr localMachine puts it in the Local Machine personal store, and -sky exchange with the RSA SChannel provider (-sp, -sy 12) gives a key that HTTP.SYS can use. Put the host name clients will type in the CN, and keep in mind that browsers will not trust a self-signed certificate until it is installed as a trusted root on the client.

2. Configure SSL with HTTP.SYS

On Windows 2008 it is HTTP.SYS, not IIS, that terminates SSL, so the certificate is first bound to an IP:port in HTTP.SYS. The command below should be entered on a single line:

netsh http add sslcert ipport=0.0.0.0:443 certstorename=MY certhash=b63293e9c24f7fda4c671beac4a0eff29e0d3b52 appid={5a599f4f-02dc-4120-8646-74fcbc5b4827}

certhash is the SHA-1 thumbprint of the certificate with the spaces removed (the "Cert Hash(sha1)" line in the certutil output below), certstorename=MY is the Local Machine personal store, and ipport=0.0.0.0:443 binds every IPv4 address on port 443. appid can be any unique GUID identifying the application that owns the binding; I used the 'Key Container' value of the certificate for ease of use! If netsh fails with "SSL Certificate add failed, Error: 1312" (a specified logon session does not exist), the certificate in the store has no usable private key; certutil -repairstore MY <certhash> re-links a key that already exists on the machine.

    Output of certutil -store MY
    ================ Certificate 1 ================
    Serial Number: ab171a1627a592964d358ec9736da78a
    Issuer: CN=sukhyper-v
    NotBefore: 1/1/2008 12:00 AM
    NotAfter: 1/1/2010 12:00 AM
    Subject: CN=sukhyper-v
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): b6 32 93 e9 c2 4f 7f da 4c 67 1b ea c4 a0 ef f2 9e 0d 3b 52
      Key Container = 5a599f4f-02dc-4120-8646-74fcbc5b4827
      Unique container name: ec4840c8098979e9cc0eb699ef979eaf_931d1088-a4b3-4332-b918-8d75ab3e674e
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Encryption test passed

3. Add HTTPS binding on the website using this certificate

This makes the site listen on port 443; the certificate itself comes from the HTTP.SYS entry created in step 2, which is also what IIS Manager shows for the binding. On Server Core appcmd is not on the PATH, so run it from %windir%\system32\inetsrv, and use straight quotes:

appcmd set site "Default Web Site" /+bindings.[protocol='https',bindingInformation='*:443:']

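The three steps above as one cmd.exe batch script, an added example that is not code from the original post. It assumes an elevated console on Server Core, that the certificate and its private key are already in the Local Machine MY store (step 1 done by hand), that appcmd sits in the default %windir%\system32\inetsrv, and it uses as appid the GUID IIS Manager uses for its own bindings (an assumption; any unique GUID is fine, as noted above). The script name ssl-bind.cmd is made up. Rather than copying the thumbprint by hand it reads it out of certutil, checks that a private key is linked (the cause of the Error 1312 reported in the comments) and retries with certutil -repairstore, registers the endpoint with HTTP.SYS and verifies it, and adds the https binding only if the site does not have it yet.

```batch
@echo off
setlocal enableextensions
rem ssl-bind.cmd - added example, not code from the original post.
rem Usage (elevated cmd.exe on Server Core):  ssl-bind.cmd <certificate CN> [site name] [ip:port]
rem Assumes the certificate AND its private key are already in the Local Machine MY store
rem (step 1 above), and that appcmd lives in the default %windir%\system32\inetsrv.

set "CN=%~1"
set "SITE=%~2"
set "IPPORT=%~3"
if "%CN%"=="" (
    echo Usage: %~nx0 ^<certificate CN^> [site name] [ip:port]
    exit /b 1
)
if "%SITE%"=="" set "SITE=Default Web Site"
if "%IPPORT%"=="" set "IPPORT=0.0.0.0:443"
rem appid: any unique GUID identifying the owning application; this one is the GUID
rem IIS Manager uses for the bindings it creates (assumption, any other GUID works too).
set "APPID={4dc3e181-e14b-4a21-b022-59fc669b0914}"
rem appcmd is not on the PATH on Server Core
set "APPCMD=%windir%\system32\inetsrv\appcmd.exe"

rem --- Step 1 check: find the certificate by CN and read its SHA-1 thumbprint.
rem certutil prints "Cert Hash(sha1): b6 32 93 ..."; netsh wants it without spaces.
rem If several certificates match the CN, the last one listed wins.
set "HASH="
for /f "tokens=1,* delims=:" %%a in ('certutil -store MY "%CN%" ^| findstr /i /c:"Cert Hash(sha1)"') do set "HASH=%%b"
if not defined HASH (
    echo No certificate with CN=%CN% in the Local Machine MY store.
    exit /b 1
)
set "HASH=%HASH: =%"
echo Certificate thumbprint: %HASH%

rem HTTP.SYS needs the private key. A bare .cer import has none, and netsh then fails
rem with "SSL Certificate add failed, Error: 1312". certutil -repairstore re-links a key
rem that already exists on this machine (the fix reported in the comments).
certutil -store MY "%CN%" | find "Key Container" >nul
if errorlevel 1 (
    echo No private key is linked to this certificate; trying certutil -repairstore ...
    certutil -repairstore MY %HASH% >nul
    certutil -store MY "%CN%" | find "Key Container" >nul || (
        echo Still no private key: HTTP.SYS cannot use this certificate.
        exit /b 1
    )
)

rem --- Step 2: register the certificate with HTTP.SYS for this ip:port,
rem replacing any entry already on that endpoint, then verify it took.
netsh http delete sslcert ipport=%IPPORT% >nul 2>&1
netsh http add sslcert ipport=%IPPORT% certhash=%HASH% certstorename=MY appid=%APPID%
netsh http show sslcert ipport=%IPPORT% | find /i "%HASH%" >nul
if errorlevel 1 (
    echo HTTP.SYS did not accept the certificate; see the netsh error above.
    exit /b 1
)

rem --- Step 3: add the https binding to the site unless it is already there.
rem 0.0.0.0 in HTTP.SYS corresponds to * in the IIS binding string.
for /f "tokens=1,2 delims=:" %%i in ("%IPPORT%") do (set "IP=%%i" & set "PORT=%%j")
if "%IP%"=="0.0.0.0" set "IP=*"
set "BINDING=%IP%:%PORT%:"
"%APPCMD%" list site "%SITE%" /text:bindings | find "https/%BINDING%" >nul
if errorlevel 1 (
    "%APPCMD%" set site "%SITE%" /+bindings.[protocol='https',bindingInformation='%BINDING%']
) else (
    echo https binding %BINDING% is already present on "%SITE%".
)

echo.
echo Result:
netsh http show sslcert ipport=%IPPORT%
"%APPCMD%" list site "%SITE%"
endlocal
exit /b 0
```

Run it as ssl-bind.cmd sukhyper-v to reproduce the walkthrough above for the makecert certificate, or ssl-bind.cmd www.example.com "My Site" 10.2.0.1:443 for a single-address binding. The final netsh http show sslcert and appcmd list site output is the check that both halves (HTTP.SYS endpoint and IIS binding) are in place, which is what the "binding without a certificate" symptom in the comments boils down to.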
Other related commands

Require SSL for the site, with 128-bit encryption
appcmd set config "Default Web Site" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost

Add SSL binding in IIS
appcmd set site "Default Web Site" /+bindings.[protocol='https',bindingInformation='*:443:']

Remove SSL binding in IIS
appcmd set site "Default Web Site" /-bindings.[protocol='https',bindingInformation='*:443:']

Show certificate endpoints in HTTP.SYS
netsh http show sslcert

Delete a certificate endpoint from HTTP.SYS
netsh http delete sslcert ipport=0.0.0.0:443

View the certificate store
certutil -store MY

View the certificate store with a UI
certutil -viewstore MY



Comments

May 18. 2008 18:03

pingback
Pingback from blogs.msdn.com

Technology 'n Me (Sukesh) : How to configure SSL on IIS7 under Windows 2008 Server Core

blogs.msdn.com

May 20. 2008 17:19

pingback
Pingback from blogs.iis.net

How to configure SSL on IIS7 under Windows 2008 Server Core - Sukesh's IIS Blog

blogs.iis.net

May 23. 2008 21:52

pingback
Pingback from iis-digest.com

How to configure SSL on IIS 7.0 running ServerCore at IIS Digest

iis-digest.com

August 20. 2008 06:26

Urmil
I am following the same steps but I am getting an "SSL Certificate add failed, Error: 1312
A specified logon session does not " error when I do the 2nd step. If I run Certutil -repairstore my <Certhash> followed by the 2nd and 3rd steps, it does the job for me. Any clues why?

Urmil United States

September 8. 2008 14:43

Sukesh
AFAIK, this is due to some compatibility between the tool and new CNG (Cryptography Next Generation) API introduced in Windows 2008.

I'm glad that you found a way to get it fixed.

You can read more about CNG features here
msdn.microsoft.com/.../bb204775(VS.85).aspx

Sukesh India

December 19. 2008 05:23

Eligio
I'm not familiar with how IIS works, but I enabled the SSL self-signed certificate with instructions from this site using the GUI: weblogs.asp.net/.../...lf-signed-certificates.aspx . My question: how do I type that command? Does IIS have a shell like a Linux environment, or can we use DOS mode or something? Thanks

Eligio Republic of the Philippines

January 3. 2009 17:44

Sukesh
Eligio,

The commands are typed from dos mode

Sukesh India

January 17. 2009 13:23

Rob B
Sukesh,

I would like to run these commands across 3 servers in our web farm, all sharing the same wildcard SSL certificate. However the http context is not available in the remote netsh window. Not sure if you have any idea what I may need to configure. I have tried turning off Windows Firewall just to see, and it did not work.

I receive this as a list of options.

..             - Goes up one context level.
?              - Displays a list of commands.
abort          - Discards changes made while in offline mode.
add            - Adds a configuration entry to a list of entries.
advfirewall    - Changes to the `netsh advfirewall' context.
alias          - Adds an alias.
bridge         - Changes to the `netsh bridge' context.
bye            - Exits the program.
commit         - Commits changes made while in offline mode.
delete         - Deletes a configuration entry from a list of entries.
dhcpclient     - Changes to the `netsh dhcpclient' context.
dump           - Displays a configuration script.
exec           - Runs a script file.
exit           - Exits the program.
help           - Displays a list of commands.
interface      - Changes to the `netsh interface' context.
ipsec          - Changes to the `netsh ipsec' context.
nap            - Changes to the `netsh nap' context.
netio          - Changes to the `netsh netio' context.
offline        - Sets the current mode to offline.
online         - Sets the current mode to online.
popd           - Pops a context from the stack.
pushd          - Pushes current context on stack.
quit           - Exits the program.
ras            - Changes to the `netsh ras' context.
set            - Updates configuration settings.
show           - Displays information.
unalias        - Deletes an alias.
winsock        - Changes to the `netsh winsock' context.

The following sub-contexts are available:
advfirewall bridge dhcpclient interface ipsec nap netio ras winsock

To view help for a command, type the command, followed by a space, and then
type ?.

[10.2.0.1] netsh>

Rob B United States

January 17. 2009 18:41

Sukesh
Can you provide details of what OS is on client and remote server?
Also if client has IIS/HTTP installed or not?

As per this article (read at the bottom)
technet.microsoft.com/en-us/library/cc754580.aspx

Some of these contexts are not available at the netsh prompt unless you have previously installed the server role, role service, feature, or other technology. For example, the DHCP server context netsh dhcp is not available at the netsh prompt until after you install the DHCP server role.

Sukesh India

January 18. 2009 05:38

Rob B
I read a lot of articles related to netsh and did come across this one as well. However I could not find many articles besides a few on technet as well as your own even discussing the HTTP context. (only searched for an hour)

Both machines are identical Windows 2008 Web edition machines with the IIS role turned on.  Both machines are domain members and I am a domain admin and local machine admin.

Not sure how bad this will paste, but these are the role features enabled on both machines.  Again, I turned off the firewall to see if this may have been blocking something.  Not sure if there is a service that needs to be running...or something else I am missing.  I plan on using sysinternals PSExec if I can't get this to work, but I wanted to avoid if possible.

Web Server -         INSTALLED
  Common HTTP Features -     INSTALLED
    Static Content -       INSTALLED
    Default Document -       INSTALLED
    Directory Browsing -     NOT INSTALLED
    HTTP Errors -       INSTALLED
    HTTP Redirection -       NOT INSTALLED

  Application Development  -     INSTALLED
    ASP.NET -         NOT INSTALLED
    .NET Extensibility -     NOT INSTALLED
    ASP -         INSTALLED
    CGI -         NOT INSTALLED
    ISAPI Extensions -       INSTALLED
    ISAPI Filters -       INSTALLED
    Server-Side Includes -     NOT INSTALLED

  Health and Diagnostics  -     INSTALLED
    HTTP Logging -       INSTALLED
    Logging Tools -       INSTALLED
    Request Monitor -       INSTALLED
    Tracing -         INSTALLED
    Custom Logging -       NOT INSTALLED
    ODBC Logging -       NOT INSTALLED

  Security - INSTALLED
    Basic Authentication -     NOT INSTALLED
    Windows Authentication -     NOT INSTALLED
    Digest Authentication -     NOT INSTALLED
    Client Certificate Mapping Authenti  NOT INSTALLED
    IIS Client Certificate Mapping Auth  NOT INSTALLED
    URL Authorization -     NOT INSTALLED
    Request Filtering -     INSTALLED
    IP and Domain Restrictions -   INSTALLED

  Performance Features  -     INSTALLED
    Static Content Compression -   INSTALLED
    Dynamic Content Compression -   NOT INSTALLED

Management Tools  -       INSTALLED
  IIS Management Console -     INSTALLED
  IIS Management Scripts and Tools -   INSTALLED
  Management Service  -     INSTALLED
  IIS 6 Management Compatibility -   INSTALLED
    IIS Metabase Compatibility -   INSTALLED
    IIS 6 WMI Compatibility -     NOT INSTALLED
    IIS 6 Scripting Tools -     NOT INSTALLED
    IIS 6 Management Console -     INSTALLED

FTP Publishing Service -     NOT INSTALLED
  FTP Server -         NOT INSTALLED
  FTP Management snap-in -     NOT INSTALLED


I am hoping I am overlooking something and this is possible, and its not available for other reasons.

Thanks for the quick reply,
Rob

Rob B United States

January 18. 2009 14:39

Sukesh
Rob,
After I replied to your comment I got some time to repro what you were talking about.
From inside netsh command prompt if you try this command "show helper" you will see http listed like below
{44F3288B-DBFF-4B31-A86E-633F50D706B3}  NSHHTTP.DLL   http

Although this shows from both the local and remote netsh prompt, it doesn't work from remote netsh like you mentioned. So you are not doing anything wrong, since I can repro on my end.

Lemme check internally whether this is by design or not and post a response...
Gimme sometime ;)

Sukesh India

February 25. 2009 16:53

Aaron of Locksley
Hi Sukesh,

I replaced the certificate store from "MY" to "ROOT" because every time I browse the page using https, I always receive an "Invalid Certificate" error. The certificate was created, though it doesn't display on the Certificate Server tab on the Default Web Site. The https binding was created but the certificate was not selected. Have you encountered this issue before?

Thanks,
Aaron

Aaron of Locksley Republic of the Philippines

July 31. 2009 02:44

Sukesh
Aaron,
Invalid certificate error happens due to 3 reasons
1. It's expired
2. Not trusted by a root certificate authority (this is the case if you use test certs)
3. Domain name provided for the certificate is not the same as the installed website...

I'm guessing you might be talking about #2.

If you move the hive for the server certificate it won't show up in the IIS manager UI.

If you have a website configured with SSL and then remove/move the certificate from outside of IIS (eg. using Certificate MMC) you would see https binding without a certificate...

Hope that helps.

Sukesh India

August 29. 2009 19:36

Sergei Meleshchuk
Useful post; thanks

Sergei Meleshchuk United States

September 1. 2009 03:27

trackback
Self-Signed Certificate, IIS7 and WCF

You may one day need, as was the case for me today, to: Create a service

Blog-a-Styx
