Assigning SSL certificates for WMSVC via PowerShell

  • Question

  • User1837019490 posted

    Hello All -

    I just spent a very long time studying the various documentation for scripting SSL certs for WMSVC (Web Deploy). There were some gotchas in Windows 10 that required some details. I thought I'd contribute my code here so that others working with certs and IIS will lose less hair than I did. :)  This works for IIS 10.0 (Win 2016 Datacenter) but should work on older 2008 R2 systems as well.

    The reason I have this script is to update the SSL cert used when building out VMs from a template.  Once the host is created, you have to create a new self-signed cert for it so you can deploy to this host using MS Deploy.  This script creates the new cert and copies it into the Trusted Root Store.  It then creates the port binding between the cert and all unassigned addresses for port 8172. Lastly, it assigns the binding to WMSVC in the registry.

    First, I have a simple command file wrapper around the PowerShell which sets up the fully qualified hostname and makes it easier to call from the RunOnce registry. You will probably need to munge this to fit your own environment.

    set FQHN=%COMPUTERNAME%.<yourdomain>
    powershell -ExecutionPolicy bypass -NonInteractive -NoProfile -command .\createNew.ps1 > createNew_log.txt 2>&1

    And now the PowerShell:

    $FQHN = "$env:FQHN";
    Import-Module WebAdministration
    "Attempting to stop WMSVC..."
    net stop WMSVC
    "Removing unassigned addresses SSL bindings... (ignore errors)"
    # The all-unassigned binding lives under 0.0.0.0!<port> in the IIS: drive
    Remove-Item -Path IIS:\SslBindings\0.0.0.0!8172 -ErrorAction SilentlyContinue
    "Creating new cert in MY..."
    # Extended Key Usage (2.5.29.37) = Server Authentication (1.3.6.1.5.5.7.3.1)
    $webServerCert = New-SelfSignedCertificate -Type Custom -DnsName $FQHN -Subject "CN=$FQHN" -KeySpec "Signature" -KeyUsage @("KeyEncipherment","DataEncipherment") -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -TestRoot -FriendlyName "$FQHN Self-Signed For MSDEPLOY Agent" -NotAfter $([datetime]::now.AddYears(5)) -CertStoreLocation Cert:\LocalMachine\My
    "Adding it to Trusted Root Store..."
    $trustedRootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root","LocalMachine")
    $trustedRootStore.Open("ReadWrite")
    $trustedRootStore.Add($webServerCert)
    $trustedRootStore.Close()
    $thumbprint = $webServerCert.Thumbprint
    "Creating new bindings with new cert with hash: " + $thumbprint;
    # Note: the exact appid is required for WMSVC to actually start in IIS 10.0
    netsh http add sslcert ipport=0.0.0.0:8172 appid='{d7d72267-fcf9-4424-9eec-7e1d8dcec9a9}' certhash=$thumbprint certstorename=MY
    "Updating Registry pointing WMSVC to new binding"
    # SslCertificateHash is REG_BINARY: convert the hex thumbprint into a byte array
    $bytes = for($i = 0; $i -lt $thumbprint.Length; $i += 2) {
    	[convert]::ToByte($thumbprint.SubString($i, 2), 16)
    }
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' -Name IPAddress -Value "*";
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' -Name SslCertificateHash -Value ([byte[]]$bytes) -Type Binary
    "Attempting start of WMSVC..."
    net start WMSVC
    "Setting listener on main IP address for HTTP"
    $ipobj = Get-NetIPAddress -AddressState Preferred -AddressFamily IPv4 -InterfaceAlias "Ethernet0 2"
    netsh http add iplisten $ipobj.IPAddress

    Thursday, February 15, 2018 12:19 AM
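Added example, not part of the original post or the poster's script: a read-only PowerShell audit to run on the host after createNew.ps1 has completed. It checks that the certificate hash in the WMSVC registry key, the certificate HTTP.sys actually has bound on 0.0.0.0:8172, and the certificate in LocalMachine\My all agree, and that the certificate is unexpired, carries the Server Authentication EKU, and has the expected subject. The registry key, port, store and the FQHN environment variable are the post's; the function names and the fallback to the computer name are this example's own assumptions.

```powershell
# Added example, not part of the original post: read-only audit of the WMSVC
# certificate binding that the posted script sets up. Registry key, port and
# store names are the ones the post uses; function names and the assumption
# that $env:FQHN (or the computer name) is the expected subject are mine.

$WmsvcKey      = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
$IpPort        = '0.0.0.0:8172'
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'

function Get-WmsvcRegistryThumbprint {
    # SslCertificateHash is REG_BINARY; rebuild the uppercase hex thumbprint.
    $props = Get-ItemProperty -Path $WmsvcKey -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.SslCertificateHash) { return $null }
    return (($props.SslCertificateHash | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Get-HttpSysThumbprint {
    # HTTP.sys owns the real TLS binding; IIS:\SslBindings is only a view of it.
    $output = & netsh http show sslcert ipport=$IpPort 2>$null
    foreach ($line in @($output)) {
        if ($line -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') {
            return $Matches[1].ToUpperInvariant()
        }
    }
    return $null
}

function Test-ServerAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ServerAuthEku) { return $true }
            }
        }
    }
    return $false
}

function Test-WmsvcCertificateBinding {
    param(
        # Assumption: the subject the script set, CN=<FQHN>; falls back to the host name.
        [string]$ExpectedSubject = $(if ($env:FQHN) { "CN=$env:FQHN" } else { "CN=$env:COMPUTERNAME" })
    )
    $regHash  = Get-WmsvcRegistryThumbprint
    $httpHash = Get-HttpSysThumbprint
    $cert = $null
    if ($regHash) {
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $regHash } | Select-Object -First 1
    }
    $listener = (Get-ItemProperty -Path $WmsvcKey -ErrorAction SilentlyContinue).IPAddress

    [pscustomobject]@{
        RegistryThumbprint = $regHash
        HttpSysThumbprint  = $httpHash
        BindingsAgree      = [bool]($regHash -and $httpHash -and $regHash -eq $httpHash)
        CertInMyStore      = [bool]$cert
        SubjectMatches     = [bool]($cert -and $cert.Subject -eq $ExpectedSubject)
        HasServerAuthEku   = [bool]($cert -and (Test-ServerAuthEku -Certificate $cert))
        DaysUntilExpiry    = $(if ($cert) { [int]($cert.NotAfter - (Get-Date)).TotalDays } else { $null })
        ListenerAddress    = $listener
    }
}

# Usage: run elevated on the host after createNew.ps1; every boolean should be True
# and DaysUntilExpiry positive. A False in BindingsAgree means the registry and
# HTTP.sys disagree, which is the symptom the stale-binding reports describe.
Test-WmsvcCertificateBinding | Format-List
```

Get-HttpSysThumbprint is the check worth keeping around on its own: it reads the binding from HTTP.sys rather than from the IIS: drive, so it reports what a client connecting to port 8172 will really be shown.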

All replies

  • User-460007017 posted


    Thanks for sharing your experience.

    Best Regards,

    Yuk Ding

    Friday, February 16, 2018 10:12 AM
  • User419604237 posted

    Wow - thanks so much for that! I've spent a couple of days experimenting without success until I found this. I got everything except the registry settings, but it doesn't work without those.

    Thursday, November 29, 2018 1:55 AM
  • User-2042638547 posted

    Thank you very much.

    I used this script for a failed Exchange Server 2019 installation on Windows Server 2019 Core.


    Friday, January 17, 2020 10:10 AM
  • User-1523342218 posted

    It helped me a lot to prepare a script to set up Web Deploy when we launch an EC2 instance. I just want to mention there is a small issue in the script for removing the old certificate binding on 8172.

    # It was using this in the script, however it's not working for me and the binding is not deleted on the network level,
    # which makes the later step fail to add the new binding; so in IIS it's changed, but the binding is actually not effective from the network level
    Remove-Item -Path IIS:\SslBindings\!8172

    # So now I changed to the script below, which works fine for me
    netsh http delete sslcert ipport=0.0.0.0:8172

    # I also removed the line below from the script as I don't see it's necessary
    netsh http add iplisten $ipobj.IPAddress

    Wednesday, December 16, 2020 1:43 AM