AwesomeIdeas.NET | How to configure SSL on IIS7 under Windows 2008 Server Core

BLOG ARCHIVE ABOUT CONTACT Blog RSS

RSS

How to configure SSL on IIS7 under Windows 2008 Server Core
Posted on May 18, 2008 17:51 by Sukesh

Due to the popularity of Windows 2008 Server Core I have seen frequently questions about how to configure SSL on IIS7 with only command-line. Since I wandered that path few months back I thought of putting this article/guide together.

There are 3 simple steps involved

1. Importing the Certificate into relevant Certificate Store

If you have a .CER file
certutil –addstore MY test-cert.cer

OR

If you have .PFX file
certutil -importpfx <filename.pfx>

OR

Create and Import test certificate using MakeCert.EXE (which comes with Visual Studio SDK Tools)
makecert -r -pe -n "CN=sukhyper-v" -b 01/01/2008 -e 01/01/2010 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

2. Configure SSL with HTTP.SYS (command below should be entered on a single line)

netsh http add sslcert ipport=0.0.0.0:443 certstorename=MY certhash=b63293e9c24f7fda4c671beac4a0eff29e0d3b52
appid={5a599f4f-02dc-4120-8646-74fcbc5b4827}

appid can be any unique GUID but I used ‘Key Container’ value of the certificate for ease of use!

Output of certutil –store MY
================ Certificate 1 ================
Serial Number: ab171a1627a592964d358ec9736da78a
Issuer: CN=sukhyper-v
NotBefore: 1/1/2008 12:00 AM
NotAfter: 1/1/2010 12:00 AM
Subject: CN=sukhyper-v
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): b6 32 93 e9 c2 4f 7f da 4c 67 1b ea c4 a0 ef f2 9e 0d 3b 52
Key Container = 5a599f4f-02dc-4120-8646-74fcbc5b4827
Unique container name: ec4840c8098979e9cc0eb699ef979eaf_931d1088-a4b3-4332-b918-8d75ab3e674e
Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test passed

3. Add HTTPS binding on the website using this certificate

appcmd set site “Default Web Site” /+bindings.[protocol=’https’, bindingInformation=’*:443:’]

Other related commands
Enforce SSL for the site with 128bit
appcmd set config "Default Web Site" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost

Add SSL Binding in IIS
appcmd set site "Default Web Site" /+bindings.[protocol='https',bindingInformation='*:443:']

Remove SSL Binding in IIS
appcmd set site "Default Web Site" /-bindings.[protocol='https',bindingInformation='*:443:']

Show Certificate endpoint from HTTP.SYS
netsh http show sslcert

Delete Certificate endpoint from HTTP.SYS
netsh http delete sslcert ipport=0.0.0.0:443

View Certificate Store
certutil -store MY

View Certificate Store with UI
certutil -viewstore MY

Currently rated 5.0 by 2 people

Currently 5/5 Stars.
1
2
3
4
5

Permalink | Comments (17) | RSS comment feed

Post RSS

Share this post by Share by email

E-mail or using online bookmarks

Differences in SSL request/response flow on IIS6 vs IIS7 (Kernel mode SSL)There are so many things which has changed in IIS7 for the better and one of them is about the way S...IIS7 - Hostable WebCoreHostable Web Core (known as HWC) is a new concept in IIS7 to host a website/webservice inside your o...IIS7 - Mobile AdminIIS7 Mobile Admin is a mobile administration application to manage IIS7 remotely using the Web Brows...

Comments

May 18. 2008 18:03

Pingback from blogs.msdn.com

Technology 'n Me (Sukesh) : How to configure SSL on IIS7 under Windows 2008 Server Core

blogs.msdn.com

May 20. 2008 17:19

Pingback from blogs.iis.net

How to configure SSL on IIS7 under Windows 2008 Server Core - Sukesh's IIS Blog

blogs.iis.net

May 23. 2008 21:52

Pingback from iis-digest.com

How to configure SSL on IIS 7.0 running ServerCore at IIS Digest

iis-digest.com

August 20. 2008 06:26

I am following same steps but I am getting "SSL Certificate add failed, Error: 1312
A specified logon session does not " error when i do 2nd step. If I run Certutil -repairstore my <Certhash> followed by 2nd and 3rd step did job for me. Any Clues why?

Urmil

September 8. 2008 14:43

AFAIK, this is due to some compatibility between the tool and new CNG (Cryptography Next Generation) API introduced in Windows 2008.

I'm glad that you found a way to get it fixed.

You can read more about CNG features here
msdn.microsoft.com/.../bb204775(VS.85).aspx

Sukesh

December 1. 2008 04:27

Last week my bos told me to add and configure ssl for the windows 2008 server in my office, since i noobe with windows (i usually use linux box), i said i can't to do it lol.. but i promise to searching how to configure that and i found your site.. thank you so much, you save my position!

busby seo test

December 2. 2008 13:43

I'm glad the article was useful and saved your position!

Sukesh

December 3. 2008 05:01

See, blogs like this actually save people's jobs!

vardis

December 19. 2008 05:23

i'm not familiar how IIS work, but i enable the SSL self-sign certificate with an instruction coming from this site using GUI. weblogs.asp.net/.../...lf-signed-certificates.aspx . My question, how do I type that command? Does the IIS has shell like Linux environment, or we can use the dos mode or something? Thanks

Eligio

January 3. 2009 17:44

Eligio,

The commands are typed from dos mode

Sukesh

January 8. 2009 02:35

nice little way around there, thanks

John

January 17. 2009 13:23

Sukesh,

I would like to run these commands across 3 servers in our web farm, all sharing the same wildcard SSL certificate. However the http context is not available in the remote netsh window. Not sure if you have any idea what I may need to configure. I have tried turning off windows Firewall just to see, and it did not work.

I recieve this as a list of options.

.. - Goes up one context level.
? - Displays a list of commands.
abort - Discards changes made while in offline mode.
add - Adds a configuration entry to a list of entries.
advfirewall - Changes to the `netsh advfirewall' context.
alias - Adds an alias.
bridge - Changes to the `netsh bridge' context.
bye - Exits the program.
commit - Commits changes made while in offline mode.
delete - Deletes a configuration entry from a list of entries.
dhcpclient - Changes to the `netsh dhcpclient' context.
dump - Displays a configuration script.
exec - Runs a script file.
exit - Exits the program.
help - Displays a list of commands.
interface - Changes to the `netsh interface' context.
ipsec - Changes to the `netsh ipsec' context.
nap - Changes to the `netsh nap' context.
netio - Changes to the `netsh netio' context.
offline - Sets the current mode to offline.
online - Sets the current mode to online.
popd - Pops a context from the stack.
pushd - Pushes current context on stack.
quit - Exits the program.
ras - Changes to the `netsh ras' context.
set - Updates configuration settings.
show - Displays information.
unalias - Deletes an alias.
winsock - Changes to the `netsh winsock' context.

The following sub-contexts are available:
advfirewall bridge dhcpclient interface ipsec nap netio ras winsock

To view help for a command, type the command, followed by a space, and then
type ?.

[10.2.0.1] netsh>

Rob B

January 17. 2009 18:41

Can you provide details of what OS is on client and remote server?
Also if client has IIS/HTTP installed or not?

As per this article (read at the bottom)
technet.microsoft.com/en-us/library/cc754580.aspx

Some of these contexts are not available at the netsh prompt unless you have previously installed the server role, role service, feature, or other technology. For example, the DHCP server context netsh dhcp is not available at the netsh prompt until after you install the DHCP server role.

Sukesh

January 18. 2009 05:38

I read a lot of articles related to netsh and did come across this one as well. However I could not find many articles besides a few on technet as well as your own even dicussing the HTTP context. (only searched for an hour)

Both machines are identical Windows 2008 Web edition machines with the IIS role turned on. Both machines are domain members and I am a domain admin and local machine admin.

Not sure how bad this will paste, but these are the role features enabled on both machines. Again, I turned off the firewall to see if this may have been blocking something. Not sure if there is a service that needs to be running...or something else I am missing. I plan on using sysinternals PSExec if I can't get this to work, but I wanted to avoid if possible.

Web Server - INSTALLED
Common HTTP Features - INSTALLED
Static Content - INSTALLED
Default Document - INSTALLED
Directory Browsing - NOT INSTALLED
HTTP Errors - INSTALLED
HTTP Redirection - NOT INSTALLED

Application Development - INSTALLED
ASP.NET - NOT INSTALLED
.NET Extensibility - NOT INSTALLED
ASP - INSTALLED
CGI - NOT INSTALLED
ISAPI Extensions - INSTALLED
ISAPI Filters - INSTALLED
Server-Side Includes - NOT INSTALLED

Health and Diagnostics - INSTALLED
HTTP Logging - INSTALLED
Logging Tools - INSTALLED
Request Monitor - INSTALLED
Tracing - INSTALLED
Custom Logging - NOT INSTALLED
ODBC Logging - NOT INSTALLED

Security - INSTALLED
Basic Authentication - NOT INSTALLED
Windows Authentication - NOT INSTALLED
Digest Authentication - NOT INSTALLED
Client Certificate Mapping Authenti NOT INSTALLED
IIS Client Certificate Mapping Auth NOT INSTALLED
URL Authorization - NOT INSTALLED
Request Filtering - INSTALLED
IP and Domain Restrictions - INSTALLED

Performance Features - INSTALLED
Static Content Compression - INSTALLED
Dynamic Content Compression - NOT INSTALLED

Management Tools - INSTALLED
IIS Management Console - INSTALLED
IIS Management Scripts and Tools - INSTALLED
Management Service - INSTALLED
IIS 6 Management Compatibility - INSTALLED
IIS Metabase Compatibility - INSTALLED
IIS 6 WMI Compatibility - NOT INSTALLED
IIS 6 Scripting Tools - NOT INSTALLED
IIS 6 Management Console - INSTALLED

FTP Publishing Service - NOT INSTALLED
FTP Server - NOT INSTALLED
FTP Management snap-in - NOT INSTALLED

I am hoping I am overlooking something and this is possible, and its not available for other reasons.

Thanks for the quick reply,
Rob

Rob B

January 18. 2009 14:39

Rob,
After I replied to your comment I got some time to repro what you were talking about.
From inside netsh command prompt if you try this command "show helper" you will see http listed like below
{44F3288B-DBFF-4B31-A86E-633F50D706B3} NSHHTTP.DLL http

Although this shows from local and remote netsh prompt, doesn't work from remote netsh like you mentioned. So you are doing anything wrong since I can repro on my end.

Lemme check internally whether this is by design or not and post a response...
Gimme sometime ;)

Sukesh

February 1. 2009 00:11

Great this helps me a lot working with SSL

Dubai

February 25. 2009 16:53

Hi Sukesh,

I replaced the certificate store from "MY" to "ROOT" because everytime i browse the page using https, i always receive an "Invalid Certificate" error. The certificate was created though it doesn't display on the Certificate Server tab on the Default Web Site. The https binding was created but the Certificate was not selected. Have you encounter this issue before?

Thanks,
Aaron

Aaron of Locksley