Register a https binding with SNI enabled in IIS 8 with PowerShell Script

I am currently setting up a new automated deployment and would like to know how to register an https binding with SNI enabled on IIS 8 programmatically. The web site already exists and the SSL certificate is already installed.

The PowerShell script has the following parameters passed in:

  • Web site name
  • SSL Certificate thumbprint
  • Domain to bind

Assume the SSL Certificate is already installed.

Can anyone help me?

Base33 asked Oct 21 '14 11:10


1 Answer

If, as you say, the certificate is already installed and the application pool identity has permission to the private key, then you should be able to register a new binding like this:

New-WebBinding -Name $WebsiteName -Protocol "https" -Port 443 -IPAddress $IPAddress -HostHeader $HostHeader -SslFlags $sslFlags

You will of course need to set the variables before running this code; however, these should be self-explanatory.

When setting the value of the $sslFlags variable this should be set according to the following table:

0  No SNI
1  SNI enabled
2  Non-SNI binding which uses the Central Certificate Store
3  SNI binding which uses the Central Certificate Store

In your case this should be set to 1, since you are not using the Central Certificate Store.

Once you have got the SSL binding in place, you then need to associate the binding with the correct certificate. I have found through experience that the easiest way to do this is to use the netsh.exe command. It is possible to use PowerShell directly; however, after many hours of investigating and addressing different problems, I found netsh just more reliable.

The syntax here depends on how the binding is going to be set up; however, if you are using SNI then you will need the following syntax (don't worry about the appid, it is not important what the value is):

netsh http add sslcert hostnameport=$($HostHeader):$($Port) certhash=$Thumbprint appid='{4dc3e181-e14b-4a21-b022-59fc669b0914}' certstorename=MY

This code also requires variables to be set. The host header should be the DNS name your website is bound to, the port will most likely be 443, and the variable $Thumbprint needs to contain the thumbprint (the hash) of the certificate you are going to be using. You can find this using the certificate provider, as in this code:

$Thumbprint = (Get-ChildItem -Path cert:\LocalMachine\My | Where-Object {$_.GetNameInfo("SimpleName",$false) -eq "my cert common name"}).Thumbprint

Hope this helps; if you need any more help then update the question. I have done a lot of work in this area.

CarlR answered Sep 20 '22 13:09
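The two steps from the answer (New-WebBinding with SslFlags 1, then netsh http add sslcert) combined into one idempotent deployment script, as an added example that is not part of the original answer. It assumes an elevated PowerShell session on the IIS host, the parameters named in the question, and an arbitrary constructed appid GUID; it adds the checks a pipeline should make before touching HTTP.SYS (certificate present, private key available, not expired) and verifies the result afterwards.

```powershell
param(
    [Parameter(Mandatory)] [string] $WebsiteName,
    [Parameter(Mandatory)] [string] $Thumbprint,
    [Parameter(Mandatory)] [string] $HostHeader,
    [int] $Port = 443
)

Import-Module WebAdministration -ErrorAction Stop

# 1. The certificate must be in the machine store and carry a private key;
#    without the key, IIS cannot complete a TLS handshake on this binding.
$cert = Get-Item -Path "cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }

# 2. Create the SNI binding (SslFlags 1 = SNI, no Central Certificate Store) unless
#    one already exists for this host header, so re-running the deployment is safe.
$existing = Get-WebBinding -Name $WebsiteName -Protocol https -Port $Port -HostHeader $HostHeader
if (-not $existing) {
    New-WebBinding -Name $WebsiteName -Protocol https -Port $Port -IPAddress "*" `
        -HostHeader $HostHeader -SslFlags 1
}

# 3. Associate the certificate with the hostname:port pair in HTTP.SYS. The appid
#    is a constructed placeholder GUID; netsh only requires that it be a valid GUID.
$appId = '{00000000-0000-0000-0000-000000000001}'
$hostPort = "${HostHeader}:${Port}"
$shown = netsh http show sslcert hostnameport=$hostPort
if ($shown -match 'Certificate Hash') {
    Write-Output "sslcert for $hostPort already registered, replacing it"
    netsh http delete sslcert hostnameport=$hostPort | Out-Null
}
netsh http add sslcert hostnameport=$hostPort certhash=$Thumbprint appid=$appId certstorename=MY
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

# 4. Verify: HTTP.SYS must report exactly the thumbprint we intended to bind
#    (netsh prints the hash in lowercase; -match is case-insensitive).
$verify = netsh http show sslcert hostnameport=$hostPort
if (-not ($verify -match [regex]::Escape($Thumbprint))) {
    throw "HTTP.SYS does not report $Thumbprint for $hostPort"
}
Write-Output "https://${HostHeader}:${Port} bound to $($cert.Subject) (SNI enabled)"
```

Run it as `.\Set-SniBinding.ps1 -WebsiteName "MySite" -Thumbprint "<thumbprint>" -HostHeader "www.example.com"` from an elevated prompt; the script name is an assumption.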