IIS – Command Line to Set Up SNI on Windows 2012

iis-8.5snisslssl-certificate

I'm trying to complete the automated build script of my web server, which runs Windows 2012 and has two SSL websites, each with its own digital certificate.

I am using SNI, which works fine when I set it up manually, but when I use APPCMD to set up the same config I can't work out how to select a certificate for the sites in the binding.

Using the manual approach there is a drop down list that you use to choose the certificate. I'm looking for the command line equivalent of picking a certificate from that list.

Does anyone know how you do that?

Best Answer

I don't know about appcmd, I consider that a legacy tool which I don't recommend using anymore.

In PowerShell you indicate SNI with the SSlFlags parameter, 0 is no SNI, 1 sets SNI.

New-WebBinding -Name site1.local -Port 443 -Protocol https -SslFlags 0
New-WebBinding -Name site2.local -Port 443 -Hostheader site2.local -Protocol https -SslFlags 1

To assign an existing certificate, first get the thumbprint of the cert and a GUID and then use netsh

$thumb = (Get-ChildItem cert:\LocalMachine\MY | where-object { $_.FriendlyName -match "site2" } | Select-Object -First 1).Thumbprint
$guid = [guid]::NewGuid()
& netsh http add sslcert hostnameport=site2.local:443 certhash=$thumb appid=`{$guid`} certstorename=MY

for the site without SNI use:

$thumb = (Get-ChildItem cert:\LocalMachine\MY | where-object { $_.FriendlyName -match "site1" } | Select-Object -First 1).Thumbprint
$guid = [guid]::NewGuid()
& netsh http add sslcert ipport=0.0.0.0:443 certhash=$thumb appid=`{$guid`} certstorename=MY

Best Answer

Related Solutions

Ssl – Does SNI represent a privacy concern for the website visitors

Ssl – Installing SSL on a Windows Server 2012 with IIS 8.0

Related Topic