I'm trying to assign a certificate to a HTTPS binding. Unfortunately, I get this error from PowerShell:
new-item : Cannot create a file when that file already exists
At line:3 char:56
+ get-item -Path "cert:\localmachine\my\$cert" | new-item -path IIS:\SslBi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-Item], Win32Exception
+ FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.NewItemCommand
My PowerShell which I execute is:
New-WebBinding -name $Name -Protocol https -HostHeader "$Name.domain.com" -Port 443 -SslFlags 1
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | where-Object {$_.subject -like "*cloud.domain.com*"} | Select-Object -ExpandProperty Thumbprint
get-item -Path "cert:\localmachine\my\$cert" | new-item -path IIS:\SslBindings\0.0.0.0!443!$Name.domain.com
It seems to be able to find the certificate, but is not able to assign it to the created binding. The binding gets created with the right IP/Port/HostHeader, SNI is checked, but SSL Certificate is "Not selected"
It all works fine from IIS Manager
I have tried various instructions from SO and other sites, e.g.:
http://technet.microsoft.com/en-us/magazine/jj871065.aspx
Powershell IIS7 Snap in Assign SSL certificate to https binding
Powershell - Add SSL binding using shared certificate
Also, I have tried with
IIS:\SslBindings\0.0.0.0!443!$Name.domain.com
and
IIS:\SslBindings\0.0.0.0!443
The Certificate has a subject of cloud.domain.com, and multiple SAN attributes, e.g. for *.domain.com, domain.com, *.seconddomain.com, seconddomain.com, cloud.domain.com
Edit:
Right now I'm using this approach, which does work:
$guid = [guid]::NewGuid().ToString("B")
netsh http add sslcert hostnameport=$Name.domain.com:443 certhash=b58e54ca68c94f93c134c5da00a388ab0642a648 certstorename=MY appid="$guid"
I'm still interested however in a solution without netsh / appcmd
To enable SSL, three steps are involved: acquiring and installing a certificate, creating an SSL binding in IIS, and assigning the certificate to the IP:Port of the IIS binding.
Step by Step Instructions: In the Connections pane, select the server (Certificate Rebind is enabled at the server level). In the Home pane, in the IIS section, double-click Server Certificates. In the Actions pane, click Enable Automatic Rebind of Renewed Certificate.
In IIS Manager, do the following to create a self-signed certificate: In the Connections pane, select your server in the tree view and double-click Server Certificates. In the Actions pane, click Create Self-Signed Certificate. Enter a user-friendly name for the new certificate and click OK.
Getting the certificate thumbprint with PowerShell is easy. We just need to list the path where the certificates reside; the default properties shown on the console include the certificate thumbprint. For example, we can list the certificates in the personal store (Cert:\LocalMachine\My).
Here is how I was able to generate a self-signed certificate for the machine FQDN and Add the SSL Certificate and Binding.
Import-Module WebAdministration

# Build the machine FQDN from WMI (DNSHostName + Domain).
$fqdn = "$((Get-WmiObject win32_computersystem).DNSHostName).$((Get-WmiObject win32_computersystem).Domain)"

# Reuse an existing certificate issued to the FQDN, or create a self-signed one.
# The FQDN is regex-escaped so the dots in it are matched literally.
$cert = (Get-ChildItem cert:\LocalMachine\My | Where-Object { $_.Subject -match "CN=$([regex]::Escape($fqdn))" } | Select-Object -First 1)
if ($null -eq $cert) {
    $cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation "Cert:\LocalMachine\My"
}

# Recreate the https binding so the certificate assignment starts from a clean binding.
$binding = (Get-WebBinding -Name SiteNameHere | Where-Object { $_.protocol -eq "https" })
if ($null -ne $binding) {
    Remove-WebBinding -Name SiteNameHere -Port 443 -Protocol "https" -HostHeader $fqdn
}
New-WebBinding -Name SiteNameHere -Port 443 -Protocol https -HostHeader $fqdn

# Assign the certificate from the LocalMachine\My store to the new binding.
(Get-WebBinding -Name SiteNameHere -Port 443 -Protocol "https" -HostHeader $fqdn).AddSslCertificate($cert.Thumbprint, "my")
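An added example, not code from the question or the answer above, that ties the two approaches together: it selects a certificate that actually covers the host name through the subject or a SAN entry (wildcards such as *.domain.com included), checks it is usable for TLS, assigns it to an SNI binding through the WebAdministration provider instead of netsh, and reads the SslBindings entry back to confirm the thumbprint. It assumes the WebAdministration module is available; the site name, host name and helper function names are my own placeholders.

```powershell
# Added example; assumes WebAdministration. $SiteName/$HostName are placeholders.
Import-Module WebAdministration

# Does the certificate name this host, either as subject CN or as a SAN DNS
# entry? A wildcard such as *.domain.com covers exactly one extra label.
function Test-CertificateCoversHost {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate, [string]$HostName)
    $names = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    if ($Certificate.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    foreach ($name in $names) {
        if ($name -ieq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $pattern = '^[^.]+' + [regex]::Escape($name.Substring(1)) + '$'
            if ($HostName -match $pattern) { return $true }
        }
    }
    return $false
}

# Pick the longest-lived certificate that is valid now with at least a week left, has a
# private key, allows server authentication (or carries no EKU at all) and covers the host.
function Find-ServerCertificate {
    param([string]$HostName)
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now.AddDays(7) -and
        ((-not $_.EnhancedKeyUsageList) -or ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuth)) -and
        (Test-CertificateCoversHost -Certificate $_ -HostName $HostName)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

# Create (or reuse) the SNI binding, assign the certificate, then read the
# http.sys entry back to confirm the thumbprint actually landed.
function Set-SiteSslBinding {
    param([string]$SiteName, [string]$HostName, [int]$Port = 443)
    $cert = Find-ServerCertificate -HostName $HostName
    if (-not $cert) { throw "No usable server certificate covers $HostName" }
    $bindingArgs = @{ Name = $SiteName; Protocol = 'https'; Port = $Port; HostHeader = $HostName }
    if (-not (Get-WebBinding @bindingArgs)) { New-WebBinding @bindingArgs -SslFlags 1 }
    # A leftover entry here is the likely source of the "file already exists" error.
    $sslPath = "IIS:\SslBindings\0.0.0.0!$Port!$HostName"
    if (Test-Path $sslPath) { Remove-Item $sslPath }
    (Get-WebBinding @bindingArgs).AddSslCertificate($cert.Thumbprint, 'My')
    $bound = Get-Item $sslPath
    if ($bound.Thumbprint -ne $cert.Thumbprint) { throw "Binding shows $($bound.Thumbprint), expected $($cert.Thumbprint)" }
    return $bound
}

Set-SiteSslBinding -SiteName 'SiteNameHere' -HostName 'cloud.domain.com'
```

Run it from an elevated PowerShell session on the IIS host; the returned SslBindings item lists the thumbprint, host name and the sites that use the binding, which is the same view IIS Manager shows under the site's bindings.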