
Assigning SSL certificates for WMSVC via PowerShell

4 replies

Last post Dec 16, 2020 01:43 AM by Harry Hu

  • Assigning SSL certificates for WMSVC via PowerShell

    Feb 15, 2018 12:19 AM | jmwolfe24

    Hello All -

    I just spent a very long time studying the various documentation for scripting SSL certs for WMSVC (Web Deploy). There were some gotchas in Windows 10 that required some details. I thought I'd contribute my code here so that others working with certs and IIS will lose less hair than I did. :)  This works for IIS 10.0 (Win 2016 Datacenter) but should work on older 2008 R2 systems as well.

    The reason I have this script is to update the SSL cert used when building out VMs from a template. Once the host is created, you have to create a new self-signed cert for it so you can deploy to this host using MS Deploy. This script creates the new cert and copies it into the Trusted Root store. It then creates the port binding between the cert and all unassigned addresses for port 8172. Lastly, it assigns the binding to WMSVC in the registry.

    First, I have a simple command file wrapper around the powershell which sets up the fully qualified hostname and makes it easier to call from the RunOnce registry. You will probably need to munge this to fit your own environment. 

    set FQHN=%COMPUTERNAME%.<yourdomain>
    powershell -ExecutionPolicy bypass -NonInteractive -NoProfile -command .\createNew.ps1 > createNew_log.txt 2>&1

    And now the powershell:

    $FQHN = "$env:FQHN"
    Import-Module WebAdministration
    "Attempting to stop WMSVC..."
    net stop WMSVC
    "Removing unassigned addresses SSL bindings... (ignore errors)"
    Remove-Item -Path IIS:\SslBindings\!8172 -ErrorAction SilentlyContinue
    "Creating new cert in MY..."
    # The -TextExtension value did not survive on this page (only "{text}" remains); the
    # server-authentication EKU (2.5.29.37 = 1.3.6.1.5.5.7.3.1) is assumed here, since that is
    # what an HTTPS listener such as WMSVC needs.
    $webServerCert = New-SelfSignedCertificate -Type Custom -DnsName $FQHN -Subject "CN=$FQHN" -KeySpec "Signature" -KeyUsage @("KeyEncipherment","DataEncipherment") -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -TestRoot -FriendlyName "$FQHN Self-Signed For MSDEPLOY Agent" -NotAfter $([datetime]::now.AddYears(5)) -CertStoreLocation Cert:\LocalMachine\My
    "Adding it to Trusted Root Store..."
    $trustedRootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root","LocalMachine")
    $trustedRootStore.Open("ReadWrite")   # the store must be opened before Add() and closed afterwards
    $trustedRootStore.Add($webServerCert)
    $trustedRootStore.Close()
    $thumbprint = $webServerCert.Thumbprint   # assign before first use
    "Creating new bindings with new cert with hash: " + $thumbprint
    # Note: the exact appid is required for WMSVC to actually start in IIS 10.0
    # 0.0.0.0:8172 is the HTTP.sys notation for "all unassigned addresses" on port 8172
    netsh http add sslcert ipport=0.0.0.0:8172 appid='{d7d72267-fcf9-4424-9eec-7e1d8dcec9a9}' certhash=$thumbprint certstorename=MY
    "Updating Registry pointing WMSVC to new binding"
    # WMSVC stores the hash as REG_BINARY, so convert the hex thumbprint to a byte array
    [byte[]]$bytes = for ($i = 0; $i -lt $thumbprint.Length; $i += 2) {
        [convert]::ToByte($thumbprint.Substring($i, 2), 16)
    }
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' -Name IPAddress -Value "*"
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' -Name SslCertificateHash -Value $bytes
    "Attempting start of WMSVC..."
    net start WMSVC
    "Setting listener on main IP address for HTTP"
    # The interface alias is environment specific; adjust "Ethernet0 2" to match the host
    $ipobj = Get-NetIPAddress -AddressState Preferred -AddressFamily IPv4 -InterfaceAlias "Ethernet0 2"
    netsh http add iplisten $ipobj.IPAddress

  • Re: Assigning SSL certificates for WMSVC via PowerShell

    Feb 16, 2018 10:12 AM | Yuk Ding


    Thanks for sharing your experience.

    Best Regards,

    Yuk Ding

    MSDN Community Support
  • Re: Assigning SSL certificates for WMSVC via PowerShell

    Nov 29, 2018 01:55 AM | BradScott

    Wow - thanks so much for that! I've spent a couple days experimenting without success until I found this. I got everything except the registry settings, but it doesn't work without those. 

  • Re: Assigning SSL certificates for WMSVC via PowerShell

    Jan 17, 2020 10:10 AM | IGTech

    Thank you very much.

    I used this script for a failed Exchange Server 2019 installation on Windows Server 2019 Core.


  • Re: Assigning SSL certificates for WMSVC via PowerShell

    Dec 16, 2020 01:43 AM | Harry Hu

    It helped me a lot in preparing a script to set up Web Deploy when we launch an EC2 instance. I just want to mention there is a small issue in the script for removing the old certificate on 8172.

    # It was using this in the script; however, it's not working for me and the binding is not deleted at the network level,
    # which makes the later step fail to add the new binding, so in IIS it's changed, but the binding is actually not effective at the network level
    Remove-Item -Path IIS:\SslBindings\!8172

    # So now I changed to the below script, which is working fine for me
    # (the ipport value was lost on this page; 0.0.0.0:8172 is the all-unassigned binding on port 8172 that the script creates)
    netsh http delete sslcert ipport=0.0.0.0:8172

    # I also removed the below from the script as I don't see it's necessary
    netsh http add iplisten $ipobj.IPAddress
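    The setup script in the first post writes to three places (the certificate stores, the HTTP.sys SSL binding and the WebManagement registry key), and the failure mode in the last reply is exactly a disagreement between them: IIS shows the new cert, but HTTP.sys still serves the old binding. The following verification script is an added example for this thread, not the original poster's code and not part of Web Deploy or IIS. It assumes the registry path, port 8172 and WMSVC appid from the first post, that it runs in an elevated PowerShell session, and that netsh prints its English labels ("Certificate Hash", "Application ID"), which it parses because netsh has no object output.

```powershell
# Added verification script (not part of the original thread). It checks that the
# three places the setup script writes agree with each other:
#   1. a certificate with the registry-stored hash exists in Cert:\LocalMachine\My
#      (and a copy sits in Cert:\LocalMachine\Root, as the setup script intends)
#   2. HTTP.sys holds an SSL binding for 0.0.0.0:8172 with that hash and the WMSVC appid
#   3. the WMSVC service is running
# Assumptions: registry path, port and appid are the ones from the first post;
# netsh output is parsed by its English labels; the session is elevated.

$IpPort     = '0.0.0.0:8172'
$WmsvcAppId = '{d7d72267-fcf9-4424-9eec-7e1d8dcec9a9}'
$RegPath    = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'

function Get-RegistryThumbprint {
    # SslCertificateHash is REG_BINARY; render it as the hex thumbprint the cert provider uses
    $reg = Get-ItemProperty -Path $RegPath -ErrorAction Stop
    (($reg.SslCertificateHash | ForEach-Object { $_.ToString('X2') }) -join '').ToUpperInvariant()
}

function Get-HttpSysSslBinding {
    # Parse the hash and appid lines of "netsh http show sslcert" for one ipport;
    # returns $null when HTTP.sys has no binding there.
    param([Parameter(Mandatory)][string]$IpPort)
    $text = (netsh http show sslcert ipport=$IpPort 2>&1) -join "`n"
    if ($text -notmatch 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { return $null }
    $hash  = $Matches[1].ToUpperInvariant()
    $appId = $null
    if ($text -match 'Application ID\s*:\s*(\{[0-9A-Fa-f-]{36}\})') { $appId = $Matches[1] }
    [pscustomobject]@{ Hash = $hash; AppId = $appId }
}

function Test-WmsvcBinding {
    $regThumb = Get-RegistryThumbprint
    $cert     = Get-ChildItem Cert:\LocalMachine\My   | Where-Object Thumbprint -eq $regThumb
    $rootCopy = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $regThumb
    $bind     = Get-HttpSysSslBinding -IpPort $IpPort
    $svc      = Get-Service -Name WMSVC -ErrorAction SilentlyContinue

    $checks = [ordered]@{
        RegistryThumbprint  = $regThumb
        CertInMyStore       = [bool]$cert
        CertInRootStore     = [bool]$rootCopy
        CertNotExpired      = [bool]($cert -and $cert.NotAfter -gt (Get-Date))
        HttpSysHash         = if ($bind) { $bind.Hash } else { "<no binding on $IpPort>" }
        HttpSysHashMatches  = [bool]($bind -and $bind.Hash -eq $regThumb)
        HttpSysAppIdIsWmsvc = [bool]($bind -and $bind.AppId -eq $WmsvcAppId)
        ServiceRunning      = [bool]($svc -and $svc.Status -eq 'Running')
    }
    # Every boolean check must hold; the two string fields are informational
    $checks['Ok'] = @($checks.CertInMyStore, $checks.CertInRootStore, $checks.CertNotExpired,
                      $checks.HttpSysHashMatches, $checks.HttpSysAppIdIsWmsvc,
                      $checks.ServiceRunning) -notcontains $false
    [pscustomobject]$checks
}

$result = Test-WmsvcBinding
$result | Format-List
if (-not $result.Ok) {
    Write-Error "WMSVC certificate wiring is inconsistent; see the fields above"
    exit 1
}
```

    Run it right after the setup script (or from the same RunOnce wrapper) and keep the exit code: a stale HTTP.sys binding shows up as HttpSysHashMatches = False while CertInMyStore and RegistryThumbprint look fine, which is the symptom described in the last reply and the reason `netsh http delete sslcert` is the right cleanup step before adding the new binding. A cert that silently expired after the five-year NotAfter shows up as CertNotExpired = False before clients start failing.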