How to Setup SSL on IIS 7.0

Introduction

The high-level steps for configuring SSL are the same in IIS 7.0 and IIS 6.0:

  • Get an appropriate certificate
  • Create an HTTPS binding on a site
  • Test by making a request to the site
  • Optionally configure SSL options, e.g. making SSL a requirement

This document provides some helpful information, then shows how to enable SSL in many different ways:

  • Using the IIS Manager GUI
  • Using the appcmd command line tool
  • Programmatically through Microsoft.Web.Administration
  • Through WMI scripts 

SSL Configuration

The implementation of SSL has changed from IIS 6.0 to IIS 7.0.  On Windows Server 2003, all SSL configuration was stored in the IIS metabase and encryption/decryption happened in user mode (required a lot of kernel/user mode transitions).  On Windows Vista and Windows Server® 2008, HTTP.sys handles SSL encryption/decryption in kernel mode, resulting in up to 20% better performance for secure connections. 

Moving SSL to kernel mode requires storing SSL binding information in two places.  First, the binding is stored in %windir%\system32\inetsrv\applicationHost.config for your site.  When the site starts, IIS 7.0 sends the binding to HTTP.sys and HTTP.sys starts listening for requests on the specified IP:Port (this works for all bindings).  Second, SSL configuration associated with the binding is stored in HTTP.sys configuration.  Use netsh to view SSL binding configuration stored in HTTP.sys:

netsh http show sslcert

When a client connects and initiates an SSL negotiation, HTTP.sys looks in its SSL configuration for the IP:Port pair that the client connected to.  The HTTP.sys SSL configuration must include a certificate hash and the name of the certificate's store for the SSL negotiation to succeed. 

Troubleshooting Tip: If you're having trouble with an SSL binding, verify that the binding is configured in applicationHost.config and that the HTTP.sys store contains a valid certificate hash and store name for the same IP:Port.  A binding that exists in only one of the two places will accept the TCP connection but fail the SSL handshake.
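The check described in the tip, scripted in PowerShell. This is an added example and not code from the original article: it reads the HTTPS bindings from applicationHost.config through the WebAdministration module, parses the text output of netsh http show sslcert for the HTTP.sys half, and reports any binding that is missing a partner or whose hash does not resolve to an installed certificate. It assumes an elevated prompt and the WebAdministration module (Windows Server 2008 R2 and later; on Windows Server 2008 load the snap-in with Add-PSSnapin WebAdministration instead).

```powershell
# Added example (not part of the original article): cross-check the two halves
# of every HTTPS binding: applicationHost.config (via WebAdministration) and
# HTTP.sys (via "netsh http show sslcert"). Run from an elevated prompt.
Import-Module WebAdministration

function Get-HttpSysSslBinding {
    # Parse "netsh http show sslcert" into a hashtable keyed by "ip:port",
    # holding the certificate hash and store name HTTP.sys has for it.
    $result  = @{}
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            $current = New-Object PSObject -Property @{ IpPort = $Matches[1]; Hash = $null; Store = $null }
            $result[$Matches[1]] = $current
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.Hash = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            $current.Store = $Matches[1]
        }
    }
    return $result
}

function Test-IisSslBinding {
    $httpSys = Get-HttpSysSslBinding

    foreach ($site in Get-Website) {
        $https = $site.bindings.Collection | Where-Object { $_.protocol -eq 'https' }
        foreach ($b in $https) {
            # bindingInformation is "ip:port:hostheader"; the wildcard IP "*"
            # shows up in HTTP.sys as 0.0.0.0.
            $ip, $port, $hostHeader = $b.bindingInformation -split ':', 3
            if ($ip -eq '*') { $ip = '0.0.0.0' }
            $key = "${ip}:${port}"

            $entry = $httpSys[$key]
            if (-not $entry) {
                Write-Warning "$($site.name) ${key}: binding is in applicationHost.config but HTTP.sys has no sslcert entry for it"
                continue
            }

            # HTTP.sys stores only a hash and a store name; confirm they point
            # at a certificate that really exists and has not expired.
            $cert = Get-ChildItem "Cert:\LocalMachine\$($entry.Store)" -ErrorAction SilentlyContinue |
                    Where-Object { $_.Thumbprint -eq $entry.Hash.ToUpper() }
            if (-not $cert) {
                Write-Warning "$($site.name) ${key}: HTTP.sys references hash $($entry.Hash) in store $($entry.Store), but no such certificate is installed"
                continue
            }

            $state = if ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'ok' }
            '{0,-20} {1,-18} {2,-45} {3}' -f $site.name, $key, $cert.Subject, $state
        }
    }
}

Test-IisSslBinding
```

A healthy server prints one "ok" row per HTTPS binding; the two warning paths correspond to the two failure modes the tip names (binding without HTTP.sys configuration, and HTTP.sys configuration pointing at a hash that is not in the named store).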

Choosing a Certificate

Do you want end users to be able to verify your server's identity with your certificate?  If yes, then either create a certificate request and send that request to a known CA like VeriSign or GeoTrust, or get a certificate from an online CA in your intranet domain.  There are three things that a browser usually checks for in a server certificate:

  1. The current date/time is within the "Valid from" and "Valid to" dates on the certificate
  2. The certificate's "Common Name" (CN) matches the host name in the request, e.g. if the client is making a request to https://www.contoso.com/, then the CN must be www.contoso.com (the host name only, not a URL).  Current browsers match the host name against the Subject Alternative Name (SAN) extension rather than the CN, so the host name should appear in the SAN as well.
  3. The Issuer is a known and trusted CA

If one or more of these checks fails, the browser prompts the user with warnings.  If you have an internet site or an intranet site where your end users are not people you know personally, then you should always ensure that these three parameters check out.

Self-signed certificates are certificates created by your computer.  They're useful in environments where it's not important for an end user to trust your server, a test environment for example.

AppCmd

You cannot request or create a certificate using appcmd, and appcmd cannot associate a certificate with an IP:Port in HTTP.sys.  It can add the https binding entry to a site in applicationHost.config, but the HTTP.sys half of the binding has to be created with IIS Manager, with netsh http add sslcert, or through one of the scripting interfaces below.

Configure SSL Settings

You can use appcmd to configure a site to serve only HTTPS connections by modifying the sslFlags attribute on the access section.  For example, configure this setting for the "Default Web Site" in the applicationHost.config file (i.e. -commitPath:APPHOST):

D:\Windows\system32\inetsrv>appcmd set config "Default Web Site" -commitPath:APPHOST -section:access -sslFlags:Ssl

Applied configuration changes to section "system.webServer/security/access" for
"MACHINE/WEBROOT/APPHOST/Default Web Site" at configuration commit path "MACHINE
/WEBROOT/APPHOST"    

To require 128-bit SSL as well, set sslFlags to Ssl,Ssl128 (the same combination IIS Manager writes when both Require SSL and Require 128-bit SSL are checked).

The sample below shows how to view the <access/> section settings for the Default Web Site.  The sslFlags attribute has been set successfully:

D:\Windows\system32\inetsrv>appcmd list config "Default Web Site" -section:access

The result:

<system.webServer>
  <security>
    <access flags="Script, Read" sslFlags="Ssl" />
  </security>
</system.webServer>
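The command-line version of the whole procedure, as an added example rather than code from the original article. appcmd.exe writes the binding to applicationHost.config, netsh.exe registers the certificate with HTTP.sys (the step appcmd cannot do), and appcmd then sets sslFlags as shown above. It assumes an elevated prompt and a server-authentication certificate already installed in the machine's Personal (MY) store; $thumbprint is a placeholder (the sample hash used elsewhere on this page) and must be replaced with the real thumbprint.

```powershell
# Added example (not part of the original article): create an HTTPS binding
# from the command line. appcmd handles applicationHost.config, netsh handles
# HTTP.sys. Run from an elevated prompt.
$siteName   = 'Default Web Site'
$thumbprint = '4dc67e0ca1d9ac7dd4efb3daaeb15d708c9184f8'   # placeholder, replace
$ipPort     = '0.0.0.0:443'   # "*" in the IIS binding is 0.0.0.0 in HTTP.sys
$appcmd     = "$env:windir\system32\inetsrv\appcmd.exe"
# Application ID under which IIS registers its HTTP.sys SSL bindings.
$iisAppId   = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'

# Fail early if the hash does not match an installed certificate, the same
# condition the WMI script's note warns about.
if (-not (Get-Item "Cert:\LocalMachine\My\$($thumbprint.ToUpper())" -ErrorAction SilentlyContinue)) {
    throw "No certificate with thumbprint $thumbprint in LocalMachine\My"
}

# 1. HTTPS binding in applicationHost.config (appcmd can do this part).
& $appcmd set site "$siteName" "/+bindings.[protocol='https',bindingInformation='*:443:']"

# 2. Certificate association in HTTP.sys (appcmd cannot; netsh can).
netsh http add sslcert "ipport=$ipPort" "certhash=$thumbprint" "appid=$iisAppId" certstorename=MY

# 3. Require SSL and 128-bit SSL on the site (sslFlags="Ssl,Ssl128").
& $appcmd set config "$siteName" -commitPath:APPHOST -section:access '-sslFlags:Ssl,Ssl128'

# 4. Show both halves so they can be compared.
& $appcmd list site "$siteName"
netsh http show sslcert "ipport=$ipPort"
```

The arguments that contain commas, brackets or braces are quoted so PowerShell passes them to the native executables as single tokens; on a plain cmd.exe prompt the quotes around the appcmd and netsh arguments can be dropped.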

WMI

You cannot request or create a certificate using the WebAdministration WMI namespace.

Create an SSL Binding

This script shows how to create a new HTTPS binding and add the appropriate configuration for both HTTP.sys and IIS 7.0:

Set oIIS = GetObject("winmgmts:root\WebAdministration")

'''''''''''''''''''''''''''''''''''''''''''''
' CREATE SSL BINDING (HTTP.sys side: IP, port, certificate hash, store name)
'''''''''''''''''''''''''''''''''''''''''''''
oIIS.Get("SSLBinding").Create _
   "*", 443, "4dc67e0ca1d9ac7dd4efb3daaeb15d708c9184f8", "MY"

'''''''''''''''''''''''''''''''''''''''''''''
' ADD SSL BINDING TO SITE (applicationHost.config side)
'''''''''''''''''''''''''''''''''''''''''''''
Set oBinding = oIIS.Get("BindingElement").SpawnInstance_
oBinding.BindingInformation = "*:443:"
oBinding.Protocol = "https"

Set oSite = oIIS.Get("Site.Name='Default Web Site'")
arrBindings = oSite.Bindings

' Append the new binding to the site's existing bindings
ReDim Preserve arrBindings(UBound(arrBindings) + 1)
Set arrBindings(UBound(arrBindings)) = oBinding
oSite.Bindings = arrBindings

' Commit the change to applicationHost.config
Set oPath = oSite.Put_

Note: The certificate hash and store must reference a real, functional certificate on your server. If the certificate hash and/or store name are bogus, the script will error.

Configure SSL Settings

This script shows how to set the SSL flags via the IIS 7.0 WMI provider:

' Value of the Ssl flag; the sslFlags values are defined in IIS_Schema.xml
CONST SSL = 8

Set oIIS = GetObject("winmgmts:root\WebAdministration")
Set oSection = oIIS.Get( _
   "AccessSection.Path='MACHINE/WEBROOT/APPHOST',Location='Default Web Site'")

' OR the flag in so that flags already set (e.g. client certificate options) are preserved
oSection.SslFlags = oSection.SslFlags OR SSL
oSection.Put_

IIS Manager

Obtain a Certificate

Select the server node in the treeview and double-click the Server Certificates feature in the listview:

 

Click Create Self-Signed Certificate... in the Actions pane.

Enter a friendly name for the new certificate and click OK.

Now you have a self-signed certificate.  The certificate is marked for "Server Authentication" use; i.e. use as a server-side certificate for HTTP SSL encryption and for authenticating the identity of the server.

Create an SSL Binding

Select a site in the treeview and click Bindings... in the Actions pane.  This brings up the bindings editor that lets you create, edit, and delete bindings for your website.  Click the Add... button to add your new SSL binding to the site.

New bindings default to http on port 80.  Select https in the Type drop-down. Select the self-signed certificate you created earlier from the SSL Certificate drop-down and click OK.


Now you have a new SSL binding on your site and all that remains is to verify that it works.

Verify the SSL Binding

Look in your site's Actions pane for a link that will browse your site over your new HTTPS binding. Click this link to test your new binding.

IE7 will show an error page because the self-signed certificate was issued by your machine, not by a trusted Certificate Authority (CA).  IE7 will trust the certificate if you add it to the Trusted Root Certification Authorities store on the local machine or distribute it through Group Policy for the domain; do this only for test machines you control, since it makes every certificate signed by that key trusted.  Click Continue to this website (not recommended).

Configure SSL Settings

Configure SSL settings if you want your site to require SSL, or to interact in a specific way with client certificates.  Click the site node in the treeview to go back to the site's home page.  Double-click the SSL Settings feature in the middle pane.


Summary

In this walkthrough, we used the AppCmd.exe command-line tool, the WMI scripting provider, and IIS Manager to set up SSL on IIS 7.0.

Comments

It would be great if this article could be extended with information about how to create self-signed certificates with user provided domain names (the computer name doesn't always meet our needs). I wrote a short article on my blog about how to do this. I'm not an expert and haven't thus added all the how's and why's in my article, that's what would be great to see here.

Link: http://torlanglo.spaces.live.com/blog/cns!97592022AD12DB22!345.entry

I also have a question, is it possible to associate the web site's certificate with more than one domain/subdomain? How?

May 03 2008 by TorLanglo

I was surprised to find out that you can not specify the FQDN when you generate a SelfSigned Certificate in IIS7.

There is an easier solution for this which doesn’t require visual studio. Here is a Step-by-Step screencast:
http://www.netometer.com/video/tutorials/server-2008-self-signed-certtificate/index.php

Dean
http://www.netometer.com

May 18 2008 by didocus

Hi,
I would like to know more about the "Issue: in current product UI, in Action pane, also contains "Online help" task>". Where could I find detail about it?

I have made my module for some settings through it, and I want to open my Help and Online help files throuth this Action task. However I am not even able to hide it also.

View detailed post @ http://forums.iis.net/p/1151580/1878706.aspx#1878706

Please guide.

Thanks,
Neha

Sep 08 2008 by neha.noma

And I would like to know is there any references where is explains its(Launching our own Help Files through this action task) usage.

Please guide.

Sep 08 2008 by neha.noma

how can u redirect port 80 requests to https?

Dec 30 2008 by mettlus

great kb article thank you. IIS 7.5.7000.0 is way cool. Thank you Microsoft Team for all your help and expertise, always muchly appreciated. :)

Jan 16 2009 by blad3runn69

I'm trying to apply the WMI vbs script and find that I don't have a WebAdministration object underneath the WMI root.

I'm on Windows Server 2008 R2 (build 7100). IIS is installed and I can bring up the Welcome page at http//MyIpaddress

Jun 25 2009 by patfla

Well I managed to turn ssl on for the iis server on my local machine by going into Server Manager Roles and adding Network Policy and Access Services.

We have an in-house CA authority whose name I entered at one point and then when the dialogs got more specifically to ssl it asked about (I suppose local) certificates and I indicated a self-generated one.

When you first target the page - https://MyMachineName - you have to indicate that you 'Trust' this cert but then it resolves fine (the same Welcome page that you get with http).

I assume (?) that the local self-generated cert uses the in-house CA authority to validate itself? I wonder if there are tools that would allow me to see just what operations occur with ssl in detail?

I have OpenSSL installed and there may be some good tools there.

Jun 25 2009 by patfla

KeySet does not exist problem:

In my application, when I tried to open the store (X509Store), it successfully opened but when I examined its various properties it showed me following attributes for a certificate:
HasPrivateKey - true
PrivateKey - threw a CryptographicException with the error message 'KeySet does not exist'. After some research I solved the problem by going to IIS -> selected the certificate -> right click -> All Tasks -> Manage Private Keys -> gave access to "NT SECURITY\NT AUTHORITY"

This article is good but it is missing the above point.

Jul 05 2009 by Aravind_C

Article for commandline only certificate install and configuration (for automation)
http://www.awesomeideas.net/post/How-to-configure-SSL-on-IIS7-under-Windows-2008-Server-Core.aspx

Aug 29 2009 by sukesh

In PowerShell:

#For help, see: http://learn.iis.net/page.aspx/430/powershell-snap-in-navigating-the-iis-snap-in-namespace/
Add-PSSnapin "WebAdministration";

$SiteName = "Default Web Site";
$SiteBinding = "DNS Entry Here";   #host name clients will use, e.g. www.contoso.com
$HttpsPort = 443;

CD IIS:;
CD SslBindings;

#Create a HTTPS binding for your web site (host header is the DNS name, not the site name)
New-WebBinding -Name "$SiteName" -IP "*" -Port $HttpsPort -Protocol https -HostHeader "$SiteBinding";

#Get the list of certificates installed on your web server
$Certs = Get-ChildItem cert:\LocalMachine\My

#Assuming you have only one, access the Thumbprint
#If more than one, $Certs becomes an array and you must pick the right certificate explicitly
$Thumbprint = $Certs.Thumbprint;

#Assign the Thumbprint to the IP Address & HTTPS port pair (0.0.0.0 = all addresses)
Get-Item Cert:\LocalMachine\My\$Thumbprint | New-Item 0.0.0.0!$HttpsPort

#Set the web site configuration property to require SSL128
Set-WebConfigurationProperty -PSPath "IIS:\" -Location "$SiteName" -filter /system.webServer/security/access -name sslFlags -value "Ssl,Ssl128"

Sep 10 2009 by The Evil Overlord

How do you add an SSL certificate with c# using: Microsoft.Web.Administration.dll

Oct 19 2009 by Lucifer79
