We are excited to announce that the IIS.NET Forums are moving to the new Microsoft Q&A experience. Learn more >

View Complete Thread
  • Assigning SSL certificates for WMSVC via PowerShell

    Feb 15, 2018 12:19 AM|jmwolfe24|LINK

    Hello All -

    I just spent a very long time studying the various documentation for scripting SSL certs for WMSVC (Web Deploy). There were some gotcha's in Windows 10 that required some details. I thought I'd contribute my code here so that others working with certs and IIS will lose less hair than I did. :)  This works for IIS 10.0 (Win 2016 Datacenter) but should work on older 2008 R2 systems as well.

    The reason I have this script is to update the SSL cert used when building out VM's from a template.  Once the host is created, you have to create a new Self-signed cert for it so you can deploy to this host using MS Deploy.  This script creates the new cert, copies it into Trusted Root Store.  It then creates the port binding between the cert and all unassigned for port 8172. Lastly, it then assigns the binding to WMSVC in the registry.

    First, I have a simple command file wrapper around the powershell which sets up the fully qualified hostname and makes it easier to call from the RunOnce registry. You will probably need to munge this to fit your own environment. 

    set FQHN=%COMPUTERNAME%.<yourdomain>
    powershell -ExecutionPolicy bypass -NonInteractive -NoProfile -command .\createNew.ps1 > createNew_log.txt 2>&1

    And now the powershell:

    $FQHN = "$env:FQHN";
    Import-Module WebAdministration
    "Attempting to stop WMSVC..."
    net stop WMSVC
    "Removing unassigned addresses SSl bindings... (ignore errors)"
    Remove-Item -Path IIS:\SslBindings\!8172 
    "Creating new cert in MY..."
    $webServerCert = New-SelfSignedCertificate -Type Custom -DnsName $FQHN  -Subject "CN=$FQHN" -KeySpec "Signature" -KeyUsage @("KeyEncipherment","DataEncipherment") -TextExtension @("{text}") -TestRoot -FriendlyName "$FQHN Self-Signed For MSDEPLOY Agent"  -NotAfter $([datetime]::now.AddYears(5)) -CertStoreLocation Cert:\LocalMachine\My
    "Adding it to Trusted Root Store..."
    $trustedRootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("root","LocalMachine")
    "Creating new bindings with new cert with hash: " + $thumbprint;
    $thumbprint = $webServerCert.Thumbprint
    # Note: the exact appid is required for WMSVC to actually start in IIS 10.0
    netsh http add sslcert ipport="" appid='{d7d72267-fcf9-4424-9eec-7e1d8dcec9a9}' certhash=$thumbprint certstorename=MY
    "Updating Registry pointing WMSVC to new binding"
    $bytes = for($i = 0; $i -lt $thumbprint.Length; $i += 2) {
    	[convert]::ToByte($thumbprint.SubString($i, 2), 16)
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' -Name IPAddress -Value "*";
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' -Name SslCertificateHash -Value $bytes
    "Attempting start of WMSVC..."
    net start WMSVC
    "Setting listener on main IP address for HTTP"
    $ipobj = Get-NetIPAddress -AddressState Preferred -AddressFamily IPv4 -InterfaceAlias "Ethernet0 2"
    netsh http add iplisten $ipobj.IPAddress