To enable SSL three steps are involved:

1. Acquiring and installing a certificate
2. Creating an SSL binding in IIS 
3. Assigning the certificate to the IP:Port of the IIS binding

and optionally:

• Enforcing SSL on your web-site

Acquiring and Installing a Certificate

Acquiring certificates is a tricky business. The users of your web-site have to trust the certificate and that's why you have to get it from a trusted Certificate Authority. For testing purposes you can make your own certificate however. For this walkthrough we will use a so-called self-signed certificate. The tool that helps us creating a self-signed certificate is called MAKECERT and is part of the Visual Studio SDK Tools. The following MAKECERT command will create a self-signed certificate and automatically install it in the "my" Windows Certificate Store:

You can look at the certificates in the certificate store using the certificate provider:

Note: Your certificate thumbprint will be different!

Now lets use the IIS PowerShell Snap-in to create an SSL binding and associate it with the certificate we just created

Creating an SSL Binding

We are adding the SSL binding to the Default Web Site using one of the task-based cmdlets called New-WebBinding:

Assigning the Certificate to the IP:Port of the IIS Binding

Now it gets a bit tricky because SSL settings get stored in the HTTP.SYS configuration store and the naming conventions are a bit different.

1. In HTTP.SYS you have to use 0.0.0.0 to specify all IP addresses; in IIS you use an asterisk (*).
2. In IIS you use ":" to separate the binding. Because PowerShell sees a colon as a drive indicator an exclamation mark is used instead:

You can CD into the IIS:\SslBindings directory and query the existing SSL bindings. The directory will be empty on an IIS default install:

Now you can use the certificate hash we got in step one and associate it with all IP addresses (0.0.0.0) and the SSL port 443:

The previous command generated the following SSL Binding:

Comments

Uhm... and what about SSL enforcement? Is it possible to change user certificate parameters (don't require / accept / request). And what about configuring SSL per-application, not per site.

Oct 03 2008 by 13xforever

How does one associate the certificate when using IPv6? The equivalent of "0.0.0.0" would be "::", so my initial guess would be ".. | new-item [::]!443".

Mar 24 2009 by Chaz6

Great stuff, thanks for sharing.

The '-Site' in

New-WebBinding -Site "Default Web Site" -IP "*" -Port 443 -Protocol https

when creating binding kept throwing an error. I removed that switch and it work like a champ!

Thanks again.

Apr 15 2009 by sonnyr

The missing link: Enforcement

In PowerShell:

Add-PSSnapin "WebAdministration";

$SiteName = "Default Web Site";
$SiteBinding = "~DNS Entry Here~";
$HttpsPort = 443;

CD IIS:;
CD SslBindings;

#Create a HTTPS binding for your web site
New-WebBinding -Name "$SiteName" -IP "*" -Port $HttpsPort -Protocol https -HostHeader "$SiteName";

#Get the list of certificates installed on your web server
$Certs = Get-ChildItem cert:\LocalMachine\My

#Assuming you have only one, access the Thumbprint
#If more than one, $Certs becomes an array
$Thumbprint = $Certs.Thumbprint;

#Assign the Thumbprint to the IP Address & HTTPS port pair
Get-Item Cert:\LocalMachine\My\$Thumbprint | New-Item 0.0.0.0!$HttpsPort

#Set the web site configuration property to require (enforce) SSL128
Set-WebConfigurationProperty -PSPath "IIS:\" -Location "$SiteName" -filter /system.webServer/security/access -name sslFlags -value "Ssl,Ssl128"

Sep 10 2009 by The Evil Overlord

You must Log In to comment.