

Configuring SSL Certificates for Windows Vista

The documentation for configuring a port with an SSL certificate shows example commands using the httpcfg.exe program. Starting with Windows Vista, the functions of httpcfg.exe are handled by the netsh program that comes with the operating system. This is more convenient than having to download a separate tool, but it means that the syntax you need to use changes slightly.

Let's assume that you've created a certificate and have already installed it using either the command line or the MMC certificate snap-in. If you don't already know the thumbprint of the certificate you want to install to a port, get it through the MMC snap-in. This process hasn't changed much, so your existing directions should continue to work. The thumbprint for the test certificate I generated was 45d08a92798460d84e4ce157f31662b36c4edbff. When you copy the thumbprint from the snap-in, don't forget to remove all of the spaces.

You'll need to run netsh from an elevated command prompt. This first command installs my generated test certificate to port 8000 for the wildcard IP address.

 netsh http add sslcert ipport=0.0.0.0:8000 certhash=45d08a92798460d84e4ce157f31662b36c4edbff appid={00112233-4455-6677-8899-AABBCCDDEEFF}

The only new thing here is the appid, which is a GUID that can be used to associate the certificate with a particular application. You can check the installed certificates with the following command.

 netsh http show sslcert

That gives me the following certificate description.

 SSL Certificate bindings:
-------------------------
    IP:port                 : 0.0.0.0:8000
    Certificate Hash        : 45d08a92798460d84e4ce157f31662b36c4edbff
    Application ID          : {00112233-4455-6677-8899-aabbccddeeff}
    Certificate Store Name  : (null)
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          : (null)
    Ctl Store Name          : (null)
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled

Finally, you can remove the certificate associated with a particular address to undo the earlier changes.

 netsh http delete sslcert ipport=0.0.0.0:8000
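As an added example (not part of the original post), this Python script normalizes a thumbprint copied from the snap-in and confirms that the `netsh http show sslcert` output shown above binds the expected certificate to the port. The function names, the spaced thumbprint string and the handling of invisible characters are assumptions made for illustration.

```python
import re
import unicodedata

# Output from the post's `netsh http show sslcert` listing (first fields only).
SAMPLE_OUTPUT = """\
SSL Certificate bindings:
-------------------------
    IP:port                 : 0.0.0.0:8000
    Certificate Hash        : 45d08a92798460d84e4ce157f31662b36c4edbff
    Application ID          : {00112233-4455-6677-8899-aabbccddeeff}
    Verify Client Certificate Revocation    : Enabled
"""
# Constructed: the post's thumbprint spaced in pairs, as if pasted from the snap-in.
COPIED = "45 d0 8a 92 79 84 60 d8 4e 4c e1 57 f3 16 62 b3 6c 4e db ff"

def normalize_thumbprint(raw):
    """Drop whitespace and invisible format characters (assumed possible in a
    pasted value), then require exactly 40 hex digits (a SHA-1 thumbprint)."""
    cleaned = "".join(c for c in raw
                      if not c.isspace() and unicodedata.category(c) != "Cf").lower()
    if not re.fullmatch(r"[0-9a-f]{40}", cleaned):
        raise ValueError("not a 40-digit hex thumbprint: %r" % raw)
    return cleaned

def parse_bindings(text):
    """Return {ipport: {field: value}} from `netsh http show sslcert` output."""
    bindings, current = {}, None
    for line in text.splitlines():
        # Split on the first " : " so the colons in "IP:port" and in the
        # address itself are not treated as separators.
        key, sep, value = line.partition(" : ")
        if not sep:
            continue  # header, rule, or blank line
        key, value = key.strip(), value.strip()
        if key == "IP:port":
            current = bindings.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return bindings

def binding_uses_cert(text, ipport, thumbprint):
    """True only if `ipport` is bound to the certificate with this thumbprint."""
    binding = parse_bindings(text).get(ipport)
    if binding is None:
        return False
    return binding.get("Certificate Hash", "").lower() == normalize_thumbprint(thumbprint)

if __name__ == "__main__":
    print(binding_uses_cert(SAMPLE_OUTPUT, "0.0.0.0:8000", COPIED))  # True
```

Running the same check after the delete command should return False, since the binding for that address no longer appears in the output.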

Next time: Shutting Down a Channel

Comments

  • Anonymous
    October 15, 2007
    Back when I did an overview of custom namespaces, I omitted any namespace declarations that wouldn't

  • Anonymous
    October 15, 2007
    Hi Nicholas, I've been struggling with trying to get authentication to work with a webhttpbinding. I want to do custom validation against my database to ensure that only authenticated users can use my REST service. Do you know of a sample that works with Cassini that I can refer to? Thanks, Matt

  • Anonymous
    October 15, 2007
    Btw, the issue I am running into is that even though I specify a custom validator in my config file, the validate function never gets called. Thanks, Matt

  • Anonymous
    October 15, 2007
    Hi Matt, If you're trying to use custom validation with HTTPS then you'll have to wait until the final version of Orcas comes out for that to work.

  • Anonymous
    October 24, 2007
    I work remotely and am now using a new Sony Vaio with Windows Vista Home Premium installed.  I'm trying to access a doctor's office software online but end up with a "Certificate Security" issue no matter what I do.  Microsoft has a Hotfix but NOT for Windows Vista.  They directed me to call Sony, which I did.  They walked me through a reconfiguration of my Sony but it still won't download for me. Can someone help?  My email address is:  tangledroses@sbcglobal.net My URL I included in order to leave a comment here has nothing to do with my problem. Thanks so much, Remi