Assigning SSL certificates for WMSVC via PowerShell

3 replies

Last post Jan 17, 2020 10:10 AM by IGTech

  • Assigning SSL certificates for WMSVC via PowerShell

    Feb 15, 2018 12:19 AM|jmwolfe24

    Hello All -

    I just spent a very long time studying the various documentation for scripting SSL certs for WMSVC (Web Deploy). There were some gotchas in Windows 10 that required some details. I thought I'd contribute my code here so that others working with certs and IIS will lose less hair than I did. :) This works for IIS 10.0 (Win 2016 Datacenter) but should work on older 2008 R2 systems as well.

    The reason I have this script is to update the SSL cert used when building out VMs from a template. Once the host is created, you have to create a new self-signed cert for it so you can deploy to this host using MS Deploy. This script creates the new cert, copies it into the Trusted Root Store. It then creates the port binding between the cert and all unassigned addresses for port 8172. Lastly, it assigns the binding to WMSVC in the registry.

    First, I have a simple command file wrapper around the PowerShell which sets up the fully qualified hostname and makes it easier to call from the RunOnce registry. You will probably need to munge this to fit your own environment.

    set FQHN=%COMPUTERNAME%.<yourdomain>
    cd C:\WMSVCCONFIG
    powershell -ExecutionPolicy bypass -NonInteractive -NoProfile -command .\createNew.ps1 > createNew_log.txt 2>&1

    And now the PowerShell:

    $FQHN = "$env:FQHN";
    
    Import-Module WebAdministration
    "Attempting to stop WMSVC..."
    net stop WMSVC
    
    "Removing unassigned addresses SSL bindings... (ignore errors)"
    # The binding may not exist yet on a fresh template, so a failure here is expected
    Remove-Item -Path IIS:\SslBindings\0.0.0.0!8172 -ErrorAction SilentlyContinue
    
    "Creating new cert in MY..."
    # Server Authentication EKU (1.3.6.1.5.5.7.3.1) is what WMSVC needs on the cert
    $webServerCert = New-SelfSignedCertificate -Type Custom -DnsName $FQHN  -Subject "CN=$FQHN" -KeySpec "Signature" -KeyUsage @("KeyEncipherment","DataEncipherment") -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -TestRoot -FriendlyName "$FQHN Self-Signed For MSDEPLOY Agent"  -NotAfter $([datetime]::now.AddYears(5)) -CertStoreLocation Cert:\LocalMachine\My
    
    ""
    "Adding it to Trusted Root Store..."
    $trustedRootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("root","LocalMachine")
    $trustedRootStore.open("ReadWrite");
    $trustedRootStore.add($webServerCert);
    # Close the store handle once the cert has been added
    $trustedRootStore.close();
    
    # Read the thumbprint before it is printed and used in the binding
    $thumbprint = $webServerCert.Thumbprint
    "Creating new bindings with new cert with hash: " + $thumbprint;
    
    # Note: the exact appid is required for WMSVC to actually start in IIS 10.0
    netsh http add sslcert ipport="0.0.0.0:8172" appid='{d7d72267-fcf9-4424-9eec-7e1d8dcec9a9}' certhash=$thumbprint certstorename=MY
    
    "Updating Registry pointing WMSVC to new binding"
    
    # WMSVC stores the hash as REG_BINARY, so convert the hex thumbprint to a byte array
    [byte[]]$bytes = for($i = 0; $i -lt $thumbprint.Length; $i += 2) {
        [convert]::ToByte($thumbprint.SubString($i, 2), 16)
    }
    
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' -Name IPAddress -Value "*";
    
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' -Name SslCertificateHash -Value $bytes -Type Binary
    
    ""
    "Attempting start of WMSVC..."
    
    net start WMSVC
    
    "Setting listener on main IP address for HTTP"
    # The interface alias is environment-specific; adjust it for your template
    $ipobj = Get-NetIPAddress -AddressState Preferred -AddressFamily IPv4 -InterfaceAlias "Ethernet0 2"
    
    netsh http add iplisten $ipobj.IPAddress
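    The script above writes the same thumbprint into three places (the HTTP.sys binding, the WMSVC registry key, and the certificate stores), and WMSVC only starts when all three agree. The following check script is an added example, not part of jmwolfe24's post; it assumes the values the post uses (port 8172, the HKLM:\SOFTWARE\Microsoft\WebManagement\Server key, and the WMSVC appid) and reports where the configuration diverges, which is the quickest way to explain a service that refuses to start after a template build.

```powershell
# Added example (not from the original post): post-run consistency check for the
# WMSVC certificate setup. Assumes the port, registry key and appid the post uses.
$Port          = 8172
$RegPath       = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
$WmsvcAppId    = '{d7d72267-fcf9-4424-9eec-7e1d8dcec9a9}'
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'

# Pull one "Label : value" field out of "netsh http show sslcert" output.
function Get-NetshField {
    param([string[]]$Lines, [string]$Label)
    $m = $Lines | Select-String -Pattern "^\s*$Label\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
}

# 1. The hash WMSVC reads at startup (REG_BINARY -> hex thumbprint string)
$regBytes = (Get-ItemProperty -Path $RegPath -Name SslCertificateHash -ErrorAction SilentlyContinue).SslCertificateHash
$regThumb = -join ($regBytes | ForEach-Object { $_.ToString('X2') })

# 2. What HTTP.sys actually has bound on 0.0.0.0:8172
$sslcert    = netsh http show sslcert "ipport=0.0.0.0:$Port"
$boundThumb = Get-NetshField -Lines $sslcert -Label 'Certificate Hash'
$boundAppId = Get-NetshField -Lines $sslcert -Label 'Application ID'

# 3. The certificate itself, looked up by the thumbprint the registry points at
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $regThumb }
$now  = Get-Date

$checks = [ordered]@{
    'Registry hash present (20 bytes)'   = ($regThumb.Length -eq 40)
    'HTTP.sys binding matches registry'  = ($boundThumb -and $boundThumb.ToUpper() -eq $regThumb)
    'Binding uses the WMSVC appid'       = ($boundAppId -eq $WmsvcAppId)
    'Cert exists in LocalMachine\My'     = ($null -ne $cert)
    'Cert has a private key'             = ($cert -and $cert.HasPrivateKey)
    'Cert has Server Authentication EKU' = ($cert -and ($cert.EnhancedKeyUsageList.ObjectId -contains $ServerAuthEku))
    'Cert is within its validity period' = ($cert -and $cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
    'Cert is in Trusted Root'            = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $regThumb })
    'WMSVC service is running'           = ((Get-Service WMSVC -ErrorAction SilentlyContinue).Status -eq 'Running')
}

$failed = 0
foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    if (-not $ok) { $failed++ }
    '{0,-4} {1}' -f $(if ($ok) { 'OK' } else { 'FAIL' }), $name
}
"Registry thumbprint : $regThumb"
"Bound thumbprint    : $boundThumb"
exit $failed
```

    Run it from an elevated prompt after createNew.ps1; a non-zero exit code means at least one check failed, so it can be chained after the wrapper in RunOnce. The binding and registry comparisons are the ones that explain most startup failures, since a hash that is in the registry but not bound in HTTP.sys, or bound under a different appid, leaves WMSVC unable to read its certificate.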

  • Re: Assigning SSL certificates for WMSVC via PowerShell

    Feb 16, 2018 10:12 AM|Yuk Ding

    Hi jmwolfe24,

    Thanks for sharing your experience.

    Best Regards,

    Yuk Ding

    MSDN Community Support

  • Re: Assigning SSL certificates for WMSVC via PowerShell

    Nov 29, 2018 01:55 AM|BradScott

    Wow, thanks so much for that! I've spent a couple of days experimenting without success until I found this. I got everything except the registry settings, but it doesn't work without those.

  • Re: Assigning SSL certificates for WMSVC via PowerShell

    Jan 17, 2020 10:10 AM|IGTech

    Thank you very much.

    I used this script for a failed Exchange Server 2019 installation on Windows Server 2019 Core.

    Event ID 1007: IISWMSVC_STARTUP_UNABLE_TO_READ_CERTIFICATE