PowerShell Snap-in: Configuring SSL with the IIS PowerShell Snap-in

by IIS Team

To enable SSL three steps are involved:

1. Acquiring and installing a certificate
2. Creating an SSL binding in IIS
3. Assigning the certificate to the IP:Port of the IIS binding

and optionally:

• Enforcing SSL on your web-site

Acquiring certificates is a tricky business. The users of your web-site have to trust the certificate and that's why you have to get it from a trusted Certificate Authority. For testing purposes you can make your own certificate however. For this walkthrough we will use a so-called self-signed certificate. The tool that helps us creating a self-signed certificate is called MAKECERT and is part of the Visual Studio SDK Tools. The following MAKECERT command will create a self-signed certificate and automatically install it in the "my" Windows Certificate Store:

makecert -r -pe -n "CN=MyTestServer" -b 07/01/2008 -e 07/01/2010 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

You can look at the certificates in the certificate store using the certificate provider:

PS IIS:\> dir cert:\localmachine\my
    Directory: Microsoft.PowerShell.Security\Certificate::localmachine\my
Thumbprint                                Subject
----------                                -------
7ABF581E134280162AFFFC81E62011787B3B19B5  CN=MyTestServer

Now lets use the IIS PowerShell Snap-in to create an SSL binding and associate it with the certificate we just created

We are adding the SSL binding to the Default Web Site using one of the task-based cmdlets called New-WebBinding:

PS IIS:\> New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https

You can look at the binding collection using the following command:

PS IIS:\> Get-WebBinding 'Default Web Site'

protocol                                          bindingInformation
--------                                          ------------------
http                                              *:80:
https                                             *:443:

Now it gets a bit tricky because SSL settings get stored in the HTTP.SYS configuration store and the naming conventions are a bit different.

1. In HTTP.SYS you have to use 0.0.0.0 to specify all IP addresses; in IIS you use an asterisk (*).
2. In IIS you use ":" to separate the binding. Because PowerShell sees a colon as a drive indicator an exclamation mark is used instead:

You can CD into the IIS:\SslBindings directory and query the existing SSL bindings. The directory will be empty on an IIS default install:

PS IIS:\> cd SslBindings
PS IIS:\SslBindings> dir

Now you can use the certificate hash we got in step one and associate it with all IP addresses (0.0.0.0) and the SSL port 443:

PS IIS:\SslBindings> get-item cert:\LocalMachine\MY\7ABF581E134280162AFFFC81E62011787B3B19B5 | new-item 0.0.0.0!443

The previous command generated the following SSL Binding:

IP Address       Port Store            Sites
----------       ---- -----            -----
0.0.0.0          443  My               Default Web Site

SSL is ready to go now and you can browse to your site by entering https://localhost.

It is fairly straightforward process to set up SSL with PowerShell. You need to get a certificate, create an SSL binding in IIS and then use the IP and Port of the IIS binding to create a SSL binding in HTTP.SYS.