Partilhar via


Centralized Certificate Store and SNI in IIS through Powershell

 

Recently I worked with one of the customer, who wanted assistance in setting up the Centralized Certificate Store functionality and Server Name Indication (SNI) of IIS 8.X through Powershell scirpt.

Requirements:

        1. Enable the Centralized Certificate Store and SNI functionality

        2. Make sure that all the websites in the IIS is added a binding with port 443 and hostname in the format sitename.domain.com

 I set up a lab environment and wrote the below scripts which served the above requirement.

 

Pre-Requisites for running the below script:

       1. We need IIS 8.X version installed on the WebServer along with the Centralized Certificate Store feature.

       2. We need the Powershell to run the script.

       3. Make sure that the Server Administrator has access to store and read the certificates from the Certificate Store location mentioned in the script.

 

How to run the script:

       1. You can modify the below script as per your environment and place it a file with extension .ps1 and run it through elevated powershell window.

       2. Alternatively, You can also run the script through PowerShell ISE.

 

#Make sure that Centralized Certificate Store Feature has been installed.

#Enable Certificate Store.

Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\IIS\CentralCertProvider\ -Name Enabled -Value 1

#Set Certificate Store Target Location.

Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\IIS\CentralCertProvider\ -Name CertStoreLocation -Value \\UNCServerName\CertStore

#Set Credentials on the Certificate store.

Set-WebCentralCertProvider -UserName 'administrator' -Password 'P@$$w0rd!' -PrivateKeyPassword 'MyP@$$W0rd1!'

#Import Module for WebAdministration.

Import-Module WebAdministration

#Declare variable.

[string]$domname = '.contoso.com'

#Create an array of websites.

$sites = get-website | foreach {$_.name}

#Routine to clear all bindings to each website.

foreach ($configsite in $sites)

{

        clear-ItemProperty "IIS:\sites\$configsite" -Name Bindings

}

#Routine to Add certstore binding.

<#

SslFlags attribute can have any one of the below value:

•A value of "0" specifies that the secure connection be made using an IP/Port combination. Only one certificate can be bound to a combination of IP address and the port.

•A value of "1" specifies that the secure connection be made using the port number and the host name obtained by using Server Name Indication (SNI).

•A value of "2" specifies that the secure connection be made using the centralized SSL certificate store without requiring a Server Name Indicator.

•A value of "3" specifies that the secure connection be made using the centralized SSL certificate store while requiring Server Name Indicator

https://www.iis.net/configreference/system.applicationhost/sites/site/bindings/binding

#>

foreach ($configsitein$sites)

{

    new-WebBinding -Name $configsite -SslFlags 3 -Protocol https -HostHeader ("$configsite"+"$domname")

}

Exit

 

 

 DISCLAIMER
 # The sample code is not supported under any Microsoft standard support program or service.
 # Microsoft is not liable for the damages caused to business by running this script (if any).