PowerShell Snap-in: Configuring SSL with the IIS PowerShell Snap-in
by IIS Team
To enable SSL three steps are involved:
- Acquiring and installing a certificate
- Creating an SSL binding in IIS
- Assigning the certificate to the IP:Port of the IIS binding
- Enforcing SSL on your web-site
Acquiring and Installing a Certificate
Acquiring certificates is a tricky business. The users of your web-site have to trust the certificate and that's why you have to get it from a trusted Certificate Authority. For testing purposes you can make your own certificate however. For this walkthrough we will use a so-called self-signed certificate. The tool that helps us creating a self-signed certificate is called MAKECERT and is part of the Visual Studio SDK Tools. The following MAKECERT command will create a self-signed certificate and automatically install it in the "my" Windows Certificate Store:
makecert -r -pe -n "CN=MyTestServer" -b 07/01/2008 -e 07/01/2010 -eku 22.214.171.124.126.96.36.199.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
You can look at the certificates in the certificate store using the certificate provider:
PS IIS:\> dir cert:\localmachine\my Directory: Microsoft.PowerShell.Security\Certificate::localmachine\my Thumbprint Subject ---------- ------- 7ABF581E134280162AFFFC81E62011787B3B19B5 CN=MyTestServer
Your certificate thumbprint will be different!
Now lets use the IIS PowerShell Snap-in to create an SSL binding and associate it with the certificate we just created
Creating an SSL Binding
We are adding the SSL binding to the Default Web Site using one of the task-based cmdlets called New-WebBinding:
PS IIS:\> New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https
You can look at the binding collection using the following command:
PS IIS:\> Get-WebBinding 'Default Web Site'
protocol bindingInformation -------- ------------------ http *:80: https *:443:
Assigning the Certificate to the IP:Port of the IIS Binding
Now it gets a bit tricky because SSL settings get stored in the HTTP.SYS configuration store and the naming conventions are a bit different.
- In HTTP.SYS you have to use 0.0.0.0 to specify all IP addresses; in IIS you use an asterisk (*).
- In IIS you use ":" to separate the binding. Because PowerShell sees a colon as a drive indicator an exclamation mark is used instead:
You can CD into the IIS:\SslBindings directory and query the existing SSL bindings. The directory will be empty on an IIS default install:
PS IIS:\> cd SslBindings PS IIS:\SslBindings> dir
Now you can use the certificate hash we got in step one and associate it with all IP addresses (0.0.0.0) and the SSL port 443:
PS IIS:\SslBindings> get-item cert:\LocalMachine\MY\7ABF581E134280162AFFFC81E62011787B3B19B5 | new-item 0.0.0.0!443
The previous command generated the following SSL Binding:
IP Address Port Store Sites ---------- ---- ----- ----- 0.0.0.0 443 My Default Web Site
SSL is ready to go now and you can browse to your site by entering https://localhost
It is fairly straightforward process to set up SSL with PowerShell. You need to get a certificate, create an SSL binding in IIS and then use the IP and Port of the IIS binding to create a SSL binding in HTTP.SYS.