IIS SSL: How To PowerShell Script Client Cert Required

I was recently asked how to script the IIS SSL setting that requires client certificates (see figure below) using PowerShell. We needed to automate the setting since it was part of an Azure deployment. There are other methods of doing this, but since we were using PowerShell for everything else, we preferred to keep a consistent approach.


I went off to figure it out, and here is what I came up with. First, make sure you enable the IIS cmdlets by running Import System Modules within the Windows PowerShell Modules selection of the Administrative Tools menu.


Once those modules are imported in your PowerShell session, you can set the SSL options with the command below (replace the -location argument with your site name):

PS C:\>Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'Default Web Site/CertEnroll' -filter "system.webServer/security/access" -name "sslFlags" -value "Ssl,SslNegotiateCert,SslRequireCert"

Please note that the command above is finicky. Don't put spaces between the settings quoted in the -value argument (i.e., NO spaces in here: "Ssl,SslNegotiateCert,SslRequireCert").

To get the current setting for the site use the command below:

PS C:\>Get-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'Default Web Site/CertEnroll' -filter "system.webServer/security/access" -name "sslFlags"
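
For an unattended deployment, the set and get commands above can be combined into one idempotent step that fails if client certificates did not end up required. This is an added example, not code from the original post: the function name Set-ClientCertRequired is hypothetical, and it assumes an elevated session on a server where the WebAdministration module (the IIS cmdlets) is installed.

```powershell
# Added example (not from the original post). Requires an elevated session on a
# server with IIS and the WebAdministration module.
Import-Module WebAdministration

# Hypothetical helper name; the default location is the site used in the post.
function Set-ClientCertRequired {
    param(
        [string]$Location = 'Default Web Site/CertEnroll',
        [string[]]$Flags  = @('Ssl', 'SslNegotiateCert', 'SslRequireCert')
    )
    # Arguments shared by the Get- and Set- calls, exactly as in the post.
    $common = @{
        PSPath   = 'MACHINE/WEBROOT/APPHOST'
        Location = $Location
        Filter   = 'system.webServer/security/access'
        Name     = 'sslFlags'
    }
    # Reads the current flags as a sorted list. Assumption: the cmdlet returns
    # either a plain string or an object with a Value property; handle both.
    $read = {
        $raw = Get-WebConfigurationProperty @common
        if ($raw -isnot [string] -and $null -ne $raw.Value) { $raw = $raw.Value }
        @("$raw" -split ',' | ForEach-Object { $_.Trim() } |
            Where-Object { $_ } | Sort-Object)
    }
    $wanted  = (@($Flags | Sort-Object)) -join ','
    $current = (& $read) -join ','
    if ($current -eq $wanted) {
        Write-Output "sslFlags already '$current' at '$Location'"
        return
    }
    # Join with bare commas: the post notes that spaces in -Value break the command.
    Set-WebConfigurationProperty @common -Value ($Flags -join ',')

    # Read the setting back and stop the deployment if it did not take effect.
    $after = (& $read) -join ','
    if ($after -ne $wanted) {
        throw "sslFlags at '$Location' is '$after', expected '$wanted'"
    }
    Write-Output "sslFlags at '$Location' changed from '$current' to '$after'"
}

Set-ClientCertRequired
```

Running it a second time leaves the configuration untouched and only reports the current value, so it is safe to include in every deployment run.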


Other links of interest:

How to set up SSL on IIS 7

Specify Whether to Use Client Certificates (IIS 7)