IIS 7 and Above
Configuration & Scripting
import ssl from .pfx
Last post Dec 20, 2007 07:25 AM by rebelvis
Dec 13, 2007 07:02 AM|rebelvis|LINK
Dec 13, 2007 06:44 PM|rlucero|LINK
You should be able to do this using AppCmd. Some of the information is available here:
I can try to look into the actual importing mechanism and tools, but AppCmd is probably the way to go on this one. And it is an automatable process.
Dec 17, 2007 11:41 AM|rebelvis|LINK
I do not think appcmd is the proper tool for importing and/or making bindings with SSL (or at least this article does not show how to), but you can use appcmd for SSL flags and enabling protocols. The article shows 2 WMI scripts for binding and configuring SSL. I have tried CAPICOM to get the certificate imported. This command gave success feedback, and things look right in the registry (I have tried both the MY store and the Root store by changing this parameter in the script):
CStore.vbs import c:\etc\dav_cert.pfx
When I try the binding script in the article it returns:
c:\Windows\System32\inetsrv>cscript //nologo c:\etc\create_ssl_binding.vbs
c:\etc\create_ssl_binding.vbs(5, 1) SWbemObjectEx: Provider load failure
(no matter if I try MY or Root)
So I turned to netsh:
c:\Windows\System32\inetsrv>netsh http add sslcert ipport=<server ip>:443 certhash=<hash> appid=<appid> certstorename=Root verifyclientcertrevocation=disable
There is a plain IIS, nothing running on top of it. I did not know what the appid was, but searching the registry I found one which seemed reasonable:
@="IIS W3 Control"
I also tried this:
@="Health Key and Certificate Management"
SSL Certificate add failed, Error: 1312
A specified logon session does not exist. It may already have been terminated.
Well, maybe I have not understood the appid GUID right, or maybe CAPICOM was not the way to do the import. Nevertheless, I find a lot of people asking the same questions as me on the net, in different IIS forums, and there are no concrete answers. I think many would appreciate a really concrete blog entry on this: which tools, how to find the appropriate appid (if necessary), which SSL stores are best practice for different uses, etc.

We are a lot of people (especially IIS admins) who want Server Core, but it is so hard to find good, thorough and concrete documentation. I have just found superficial examples (concrete enough, OK) and hinting suggestions. We want exactly things like: how to put basic authentication on this virtual directory, how to put Windows authentication on that directory? And if you put it on top, will all others inherit, etc.? (Looks like that.) How do we turn on sftp for the same vdirs? How do we make vdirs writable (do we have to set the flags directly in the XML? No, I am sure this can be done by appcmd, but how?)? My web service would not even start after copy-and-pasting the flags part from the article (and it sure was not the XML) - could it be related to a difference in format (ANSI/ASCII etc.)?
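The netsh error 1312 quoted in the post above is the usual symptom of asking http.sys to bind a certificate it cannot use: the certificate has to sit in a LocalMachine store (by convention My) and carry a private key the HTTP service can read; a certificate imported into the current user's store, or imported without its key, fails this way. The script below is an added example, not code from the thread or from Microsoft. It looks up a certificate by thumbprint in the stores the poster tried (My and Root, both LocalMachine and CurrentUser), reports whether it is placed where `netsh http add sslcert` expects it, and parses `netsh http show sslcert` so the appid and store of any existing binding are visible instead of guessed from the registry. `$Thumbprint` is an assumed input (the hash of the imported dav_cert.pfx); the netsh output labels are those netsh prints on Windows Server 2008 and later.

```powershell
# Added example, not from the original thread. Diagnoses the preconditions
# behind "netsh http add sslcert ... Error: 1312". Assumed input: $Thumbprint.
param([Parameter(Mandatory = $true)][string]$Thumbprint)

function Find-ServerCertificate {
    param([string]$Thumbprint)
    # Normalise: IIS/certutil print the hash with spaces or in mixed case.
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $hits = @()
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        foreach ($storeName in 'My', 'Root', 'CA') {
            $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, $location)
            try { $store.Open('ReadOnly') } catch { continue }
            foreach ($cert in $store.Certificates) {
                if ($cert.Thumbprint -ne $wanted) { continue }
                $hits += New-Object PSObject -Property @{
                    Store            = "$location\$storeName"
                    Subject          = $cert.Subject
                    HasPrivateKey    = $cert.HasPrivateKey
                    NotAfter         = $cert.NotAfter
                    # The placement netsh/IIS expect for a server certificate.
                    UsableForSslCert = ($location -eq 'LocalMachine' -and $storeName -eq 'My' -and $cert.HasPrivateKey)
                }
            }
            $store.Close()
        }
    }
    return $hits
}

function Get-HttpSysSslBindings {
    # Turns the text of 'netsh http show sslcert' into one object per IP:port.
    $bindings = @()
    $current = $null
    foreach ($line in (& netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = New-Object PSObject -Property @{ IpPort = $matches[1]; CertHash = ''; AppId = ''; Store = '' }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.CertHash = $matches[1].ToUpper()
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.AppId = $matches[1]
        } elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(.+?)\s*$') {
            $current.Store = $matches[1]
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

$found = Find-ServerCertificate -Thumbprint $Thumbprint
if (-not $found) {
    Write-Host "Not found in any inspected store: import the .pfx into LocalMachine\My first."
} elseif (-not ($found | Where-Object { $_.UsableForSslCert })) {
    Write-Host "Found, but not in LocalMachine\My with a private key; this is what error 1312 usually means."
} else {
    Write-Host "Preconditions for 'netsh http add sslcert' are met."
}
$found | Format-Table Store, HasPrivateKey, UsableForSslCert, NotAfter, Subject -AutoSize
Write-Host "Current http.sys SSL bindings (the Application ID column is the appid IIS uses):"
Get-HttpSysSslBindings | Format-Table IpPort, CertHash, AppId, Store -AutoSize
```

The appid passed to netsh is only an owner tag for the http.sys entry; it does not have to match anything in the registry, which is why hunting for a GUID there leads nowhere. The binding fails on the certificate side, so fixing the store and private key is what resolves 1312.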
Dec 18, 2007 10:49 PM|steve schofield|LINK
You can install the IIS 6 compatibility components and use your existing scripts. Have you attempted to do this?
Windows Server MVP - IIS
Log archival solution
Install, Configure, Forget
Dec 19, 2007 01:59 AM|thomad|LINK
Here is the deal:
If you have a .pfx file you can import it via the UI which you don't have on Server Core.
The way to import a server certificate on Server Core is to use CERTOBJ. It comes with the IIS6 compat layer (which is unfortunate, because the compat layer is not needed to make CERTOBJ work). The scripts described here should still work.
Instead of using the site id to associate a cert with an IIS site you can use the following syntax to associate a cert with an IP:Port combination:
set iiscertobj = CreateObject("IIS.CertObj")
Hope this helps.
Dec 20, 2007 07:25 AM|rebelvis|LINK
First: things work fine now - CAPICOM (CStore.vbs) does the import and I made the binding with appcmd:
appcmd set site "Default Web Site" /bindings:https/*:443:,http/*:80:
(This did not work at first, as I made the mistake of writing: appcmd set site "Default Web Site" /bindings:https/*:443,http/*:80)
(I also set the access flags with: appcmd set config "Default Web Site" -commitPath:APPHOST -section:access -sslFlags:Ssl)
The IISCertObj seems great (very easy), though I have not got it working.
So I have installed:
start /w pkgmgr /iu:IIS-IIS6ManagementCompatibility
(This does not show up in the component list in the registry by itself, but IIS-WMICompatibility and IIS-Metabase seem to have a dependency on it.)
start /w pkgmgr /iu:IIS-ManagementScriptingTools;IIS-WMICompatibility;
start /w pkgmgr /iu:IIS-Metabase;
(I also tried IIS-ASP, but that did not do it either, so I removed it again), which brings me to this total:
C:\>reg query hklm\software\microsoft\inetstp\components
SharedLibraries REG_DWORD 0x1
ProcessModelLibraries REG_DWORD 0x1
ProcessModel REG_DWORD 0x1
CoreWebEngine REG_DWORD 0x1
W3SVC REG_DWORD 0x1
CachingBase REG_DWORD 0x1
Caching REG_DWORD 0x1
HttpCache REG_DWORD 0x1
CompressionBinaries REG_DWORD 0x1
HttpCompressionStatic REG_DWORD 0x1
DefaultDocument REG_DWORD 0x1
DirectoryBrowse REG_DWORD 0x1
HttpProtocol REG_DWORD 0x1
StaticContent REG_DWORD 0x1
AnonymousAuthenticationBinaries REG_DWORD 0x1
AnonymousAuthentication REG_DWORD 0x1
BasicAuthenticationBinaries REG_DWORD 0x1
BasicAuthentication REG_DWORD 0x1
RequestFilteringBinaries REG_DWORD 0x1
RequestFiltering REG_DWORD 0x1
HttpErrors REG_DWORD 0x1
HttpLoggingBinaries REG_DWORD 0x1
LoggingLibraries REG_DWORD 0x1
HttpLogging REG_DWORD 0x1
RequestMonitor REG_DWORD 0x1
CGI REG_DWORD 0x1
FastCgi REG_DWORD 0x1
WMICompatibility REG_DWORD 0x1
ManagementScriptingTools REG_DWORD 0x1
Metabase REG_DWORD 0x1
ADSICompatibility REG_DWORD 0x1
But the script
set iiscertobj = CreateObject("IIS.CertObj")
C:\etc\import_ssl.vbs(2, 1) Microsoft VBScript runtime error: ActiveX component can't create object: 'IIS.CertObj'
(Btw, other vbs scripts run fine, e.g. a WMI list of services.)
I did a procmon session, and (from what I can read out of it) the problem seems to be the missing certobj.dll (in %windir%\system32\inetsrv) and its CLASSES in the registry. (I have also tried copying it from an IIS 6, but that did not do it, and regsvr32 failed to register it due to dependencies. This result was no surprise, anyway.) Much the same issues seem to be true for the IISCertDeploy.vbs script (though I have not procmon-ed that).
So, I have not got the IIS 6 compatibility mode working properly.
Thanks for your help everyone :)
I think you are going to hear from me soon as I move on to authentication and access of UNC usershares.
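The thread ends with the working recipe spread over several posts: import the .pfx without a UI, register the certificate with http.sys, add the https binding with the trailing-colon syntax, and require SSL on the site. The script below is an added example that strings those steps together in PowerShell; it is not code from the thread, from Microsoft, or from the linked article, and the cmd-line tools the posters used (netsh, appcmd) are the ones it drives. It assumes `$PfxPath` (the thread's c:\etc\dav_cert.pfx), the site name and an IP:port; the `appid` GUID is the one IIS writes for its own sslcert entries, though any GUID works because appid only tags the owner of the entry. The import uses MachineKeySet so the private key lands in the machine key store that the HTTP service can read, which is the precondition the earlier 1312 error was missing.

```powershell
# Added example, not from the original thread. UI-less .pfx import and HTTPS
# binding for IIS 7 on Server Core. Assumed inputs: $PfxPath, $SiteName, $IpPort.
param(
    [string]$PfxPath  = 'C:\etc\dav_cert.pfx',   # path used in the thread
    [string]$SiteName = 'Default Web Site',
    [string]$IpPort   = '0.0.0.0:443'            # 0.0.0.0 = all addresses, i.e. '*' in appcmd
)
$appcmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$iisAppId = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'   # GUID IIS itself uses for sslcert entries

function Invoke-Checked {
    # Native tools signal failure only via exit code, so check it after every call.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

# 1. Import into LocalMachine\My. Prompting keeps the .pfx password out of the
#    command line and shell history; MachineKeySet + PersistKeySet put the private
#    key where http.sys (running as SYSTEM) can read it.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] 'MachineKeySet, PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $password, $flags)
if (-not $cert.HasPrivateKey) { throw "$PfxPath carries no private key; netsh would fail with error 1312." }
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()
$thumb = $cert.Thumbprint
Write-Host "Imported $($cert.Subject) ($thumb) into LocalMachine\My"

# 2. Tell http.sys which certificate serves this IP:port. 'add sslcert' refuses to
#    overwrite, so drop a stale entry first to keep the script re-runnable.
$existing = & netsh http show sslcert
if ($existing -match ('^\s*IP:port\s*:\s*' + [regex]::Escape($IpPort) + '\s*$')) {
    Invoke-Checked netsh @('http', 'delete', 'sslcert', "ipport=$IpPort")
}
Invoke-Checked netsh @('http', 'add', 'sslcert', "ipport=$IpPort", "certhash=$thumb", "appid=$iisAppId", 'certstorename=MY')

# 3. Site binding. bindingInformation is IP:port:hostheader, so the trailing colon
#    (empty host header) the thread stumbled over is required. This replaces the
#    site's binding collection; adjust if the site has other bindings.
$port = $IpPort.Split(':')[-1]
$ip   = $IpPort.Substring(0, $IpPort.LastIndexOf(':'))
$bindingIp = if ($ip -eq '0.0.0.0') { '*' } else { $ip }
Invoke-Checked $appcmd @('set', 'site', $SiteName, "/bindings:http/*:80:,https/${bindingIp}:${port}:")

# 4. Require SSL for the site (sslFlags:Ssl), committed to applicationHost.config.
Invoke-Checked $appcmd @('set', 'config', $SiteName, '/section:system.webServer/security/access', '/sslFlags:Ssl', '/commit:apphost')

# 5. Show the result from both sides: http.sys and IIS.
Invoke-Checked netsh @('http', 'show', 'sslcert', "ipport=$IpPort")
Invoke-Checked $appcmd @('list', 'site', $SiteName)
```

Two caveats a practitioner would add: the http/*:80 binding is kept so that clients hitting plain HTTP get IIS's 403.4 "SSL required" response rather than a refused connection, and the .pfx file holds the private key in a password-protected but portable form, so it should be removed from the server or locked down with NTFS permissions once the import has succeeded.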