Solved

APPCMD to enable central certificate store and SNI?

Posted on 2015-02-24
4
466 Views
Last Modified: 2015-03-07
Hello,

I have 6 web servers that we are building for our new production environment and have used appcmd to assign bindings to each of our 300+ websites on one of the servers to test it out.  (needless to say I don't want to manually add bindings one at a time for almost 2000 sites)  I am looking for a way to automate the enabling of the respective "use central certificate store" and "require Server Name Indication" check boxes programatically.  The Appcmd script below works great and I can use the central certificate store and SNI once I have manually enabled the check box for it in the bindings section of IIS 8.

appcmd set site /site.name:"mydomain.com" /+bindings.[protocol='https',bindingInformation='x.x.x.x:443:customer.mydomain.com']

Does anyone know of a command I can add to each line of my script to enable those two check boxes, or of a way to script the enabling of it later in batch?

Thank you
unassigned.png
enabled.png
0
Comment
Question by:bobbailey22
  • 3
4 Comments
 
LVL 35

Expert Comment

by:Mahesh
ID: 40630421
I have half answer I think

appcmd set site "My site name" /bindings:"https://server.domain.com:443"  should take care of centralize certificate store
0
 

Author Comment

by:bobbailey22
ID: 40631216
I will try that command and let you know, it may take some time as I am working offsite today.  Will that enable Server Name Indication as well?
0
 

Accepted Solution

by:
bobbailey22 earned 0 total points
ID: 40640326
Here is the proper way to add bindings using SNI and CCS

How to Configure Bindings in IIS 8 using Server Name Indication(SNI) and Central Certificate Store(CCS).
*This must be done this way to ensure all the necessary registry keys are created.
Located : HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslSniBindingInfo

1: Choose web site in IIS.  Go to Bindings Menu and Add a new binding.
2: Enter the following info:
A.      Type: Http
B.      IP Address: All Unassisgned
C.      Port: 80
D.      HostName: www.temporary.com
3: Click OK to save binding
4: Click Add to add another binding with the following info:
A.      Type: Https
B.      IP Address: All Unassigned
C.      Port 443
D.      hostname: www.temporary.com
E.      Check “Require Server Name Indication” & “Use Centralized Certificate Store”
5: Click OK to save SSL binding.
6: Browse to:  C:\Windows\System32\inetsrv\config on local server.
7:  Open “applicationHost.config” file in notepad
8: Browse to the “<sites>” section and locate the relevant site name: “domain.com”
9: Located the Bindings that you created from the GUI.  Will be in this format:
<binding protocol="https" bindingInformation="*:443:www.temporary.com" sslFlags="3" />
<binding protocol="http" bindingInformation="*:80:www.temporary.com" />
10: Remove the host info from the binding so that it now looks like this:
<binding protocol="https" bindingInformation="*:443:" sslFlags="3" />
<binding protocol="http" bindingInformation="*:80:" />
11: Save File and close
12: Open the Bindings menu from IIS and confirm that the host value is now removed.  Restart IIS.
0
 

Author Closing Comment

by:bobbailey22
ID: 40650720
We ended up finding the best solution with the help of one of our technicians.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have then you are probably more then familiar with the incredibly clunky interface, the numerous work arounds, and …
A procedure for exporting installed hotfix details of remote computers using powershell
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now