Assign IIS SSL Certificate to Binding with Host Header using PowerShell
Based on @ElanHasson's answer, I made this script which will make a self-signed TLS certificate and apply it to a website. It could be tidied a bit, but it works:
Clear-Host
$certificateDnsName = 'my.localcert.ssl' # a name you want to give to your certificate (can be anything you want for localhost)
$siteName = "Default Web Site" # the website to apply the bindings/cert to (top level, not an application underneath!).
$fqdn = "" #fully qualified domain name (empty, or e.g 'contoso.com')
# ----------------------------------------------------------------------------------------
# SSL CERTIFICATE CREATION
# ----------------------------------------------------------------------------------------
# create the ssl certificate that will expire in 2 years
$newCert = New-SelfSignedCertificate -DnsName $certificateDnsName -CertStoreLocation cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(2)
"Certificate Details:`r`n`r`n $newCert"
# ----------------------------------------------------------------------------------------
# IIS BINDINGS
# ----------------------------------------------------------------------------------------
$webbindings = Get-WebBinding -Name $siteName
$webbindings
$hasSsl = $webbindings | Where-Object { $_.protocol -like "*https*" }
if($hasSsl)
{
Write-Output "ERROR: An SSL certificate is already assigned. Please remove it manually before adding this certificate."
Write-Output "Alternatively, you could just use that certificate (provided it's recent/secure)."
}
else
{
"Applying TLS/SSL Certificate"
New-WebBinding -Name $siteName -Port 443 -Protocol https -HostHeader $fqdn #could add -IPAddress here if needed (and for the get below)
(Get-WebBinding -Name $siteName -Port 443 -Protocol "https" -HostHeader $fqdn).AddSslCertificate($newCert.Thumbprint, "my")
"`r`n`r`nNew web bindings"
$webbindings = Get-WebBinding -Name $siteName
$webbindings
}
"`r`n`r`nTLS/SSL Assignment Complete"
With fqdn empty (and no -IPAddress
assigned), it will give you this in IIS:
I'm not familiar with IIS, but the error says that the binding(file) already exists, so you're not adding a SSL binding, you're updating one it seems. Try adding -Force
to the New-Item
command. If it works like with files, it should overwrite the existing binding. Like:
New-WebBinding -name $Name -Protocol https -HostHeader "$Name.domain.com" -Port 443 -SslFlags 1
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | where-Object {$_.subject -like "*cloud.domain.com*"} | Select-Object -ExpandProperty Thumbprint
get-item -Path "cert:\localmachine\my\$cert" | new-item -path IIS:\SslBindings\0.0.0.0!443!$Name.domain.com -Force
Right now I'm using this approach, which does work:
$guid = [guid]::NewGuid().ToString("B")
netsh http add sslcert hostnameport=$Name.domain.com:443 certhash=b58e54ca68c94f93c134c5da00a388ab0642a648 certstorename=MY appid="$guid"
Here is how I was able to generate a self-signed certificate for the machine FQDN and Add the SSL Certificate and Binding.
$fqdn = "$((Get-WmiObject win32_computersystem).DNSHostName).$((Get-WmiObject win32_computersystem).Domain)"
$cert=(Get-ChildItem cert:\LocalMachine\My | where-object { $_.Subject -match "CN=$fqdn" } | Select-Object -First 1)
if ($cert -eq $null) {
$cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation "Cert:\LocalMachine\My"
}
$binding = (Get-WebBinding -Name SiteNameHere | where-object {$_.protocol -eq "https"})
if($binding -ne $null) {
Remove-WebBinding -Name SiteNameHere -Port 443 -Protocol "https" -HostHeader $fqdn
}
New-WebBinding -Name SiteNameHere -Port 443 -Protocol https -HostHeader $fqdn
(Get-WebBinding -Name SiteNameHere -Port 443 -Protocol "https" -HostHeader $fqdn).AddSslCertificate($cert.Thumbprint, "my")