Assign IIS SSL Certificate to Binding with Host Header using PowerShell
I'm trying to assign a certificate to a HTTPS binding. Unfortunately, I get this error from PowerShell:
new-item : Cannot create a file when that file already exists
At line:3 char:56
+ get-item -Path "cert:\localmachine\my\$cert" | new-item -path IIS:\SslBi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-Item], Win32Exception
+ FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.NewItemCommand
My PowerShell which I execute is:
New-WebBinding -name $Name -Protocol https -HostHeader "$Name.domain.com" -Port 443 -SslFlags 1
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | where-Object {$_.subject -like "*cloud.domain.com*"} | Select-Object -ExpandProperty Thumbprint
get-item -Path "cert:\localmachine\my\$cert" | new-item -path IIS:\SslBindings\0.0.0.0!443!$Name.domain.com
It seems to be able to find the certificate, but is not able to assign it to the created binding. The binding gets created with the right IP/Port/HostHeader, SNI is checked, but SSL Certificate is "Not selected"
It all works fine from IIS Manager
I have tried various instructions from SO and other sites, e.g.:
http://technet.microsoft.com/en-us/magazine/jj871065.aspx
Powershell IIS7 Snap in Assign SSL certificate to https binding
Powershell - Add SSL binding using shared certificate
Also, I have tried with
IIS:\SslBindings\0.0.0.0!443!$Name.domain.com
and
IIS:\SslBindings\0.0.0.0!443
The Certificate has a subject of cloud.domain.com, and multiple SAN attributes, e.g. for **.domain.com*, domain.com, **.seconddomain.com*, seconddomain.com, cloud.domain.com
Edit:
Right now I'm using this approach, which does work:
$guid = [guid]::NewGuid().ToString("B")
netsh http add sslcert hostnameport=$Name.domain.com:443 certhash=b58e54ca68c94f93c134c5da00a388ab0642a648 certstorename=MY appid="$guid"
I'm still interested however in a solution without netsh / appcmd
Answer
Here is how I was able to generate a self-signed certificate for the machine FQDN and Add the SSL Certificate and Binding.
$fqdn = "$((Get-WmiObject win32_computersystem).DNSHostName).$((Get-WmiObject win32_computersystem).Domain)"
$cert=(Get-ChildItem cert:\LocalMachine\My | where-object { $_.Subject -match "CN=$fqdn" } | Select-Object -First 1)
if ($cert -eq $null) {
$cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation "Cert:\LocalMachine\My"
}
$binding = (Get-WebBinding -Name SiteNameHere | where-object {$_.protocol -eq "https"})
if($binding -ne $null) {
Remove-WebBinding -Name SiteNameHere -Port 443 -Protocol "https" -HostHeader $fqdn
}
New-WebBinding -Name SiteNameHere -Port 443 -Protocol https -HostHeader $fqdn
(Get-WebBinding -Name SiteNameHere -Port 443 -Protocol "https" -HostHeader $fqdn).AddSslCertificate($cert.Thumbprint, "my")