• Status: Solved

APPCMD to enable central certificate store and SNI?

Hello,

I have 6 web servers that we are building for our new production environment and have used appcmd to assign bindings to each of our 300+ websites on one of the servers to test it out. (Needless to say, I don't want to manually add bindings one at a time for almost 2000 sites.) I am looking for a way to automate the enabling of the respective "use central certificate store" and "require Server Name Indication" check boxes programmatically. The Appcmd script below works great, and I can use the central certificate store and SNI once I have manually enabled the check box for it in the bindings section of IIS 8.

appcmd set site /site.name:"mydomain.com" /+bindings.[protocol='https',bindingInformation='x.x.x.x:443:customer.mydomain.com']

Does anyone know of a command I can add to each line of my script to enable those two check boxes, or of a way to script the enabling of it later in batch?

Thank you
MaheshArchitect Commented:
I have half an answer, I think.

appcmd set site "My site name" /bindings:"https://server.domain.com:443"  should take care of the centralized certificate store
bobbailey22 (Author) Commented:
I will try that command and let you know; it may take some time as I am working offsite today. Will that enable Server Name Indication as well?
bobbailey22 (Author) Commented:
Here is the proper way to add bindings using SNI and CCS.

How to Configure Bindings in IIS 8 using Server Name Indication (SNI) and Central Certificate Store (CCS).
*This must be done this way to ensure all the necessary registry keys are created.
Located: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslSniBindingInfo

1: Choose the web site in IIS. Go to the Bindings menu and add a new binding.
2: Enter the following info:
A.      Type: Http
B.      IP Address: All Unassigned
C.      Port: 80
D.      HostName: www.temporary.com
3: Click OK to save the binding.
4: Click Add to add another binding with the following info:
A.      Type: Https
B.      IP Address: All Unassigned
C.      Port: 443
D.      HostName: www.temporary.com
E.      Check “Require Server Name Indication” & “Use Centralized Certificate Store”
5: Click OK to save the SSL binding.
6: Browse to C:\Windows\System32\inetsrv\config on the local server.
7: Open the “applicationHost.config” file in Notepad.
8: Browse to the “<sites>” section and locate the relevant site name: “domain.com”
9: Locate the bindings that you created from the GUI. They will be in this format:
<binding protocol="https" bindingInformation="*:443:www.temporary.com" sslFlags="3" />
<binding protocol="http" bindingInformation="*:80:www.temporary.com" />
10: Remove the host info from the binding so that it now looks like this:
<binding protocol="https" bindingInformation="*:443:" sslFlags="3" />
<binding protocol="http" bindingInformation="*:80:" />
11: Save the file and close it.
12: Open the Bindings menu from IIS and confirm that the host value is now removed. Restart IIS.
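
A scripted way to create bindings with both check boxes set, as an added example that is not part of the original thread. It relies on the `sslFlags` binding attribute seen in the config above (bit 1 = require SNI, bit 2 = use the Central Certificate Store, so 3 = both). The site and host names are constructed sample input, and the Central Certificate Store feature is assumed to be already configured on the server.

```powershell
# Added example (not from the thread). Run elevated on IIS 8 or later.
Import-Module WebAdministration

# sslFlags on a binding is a bit field: 1 = require SNI, 2 = use the
# Central Certificate Store. 3 sets both, as in sslFlags="3" above.
$SniAndCcs = 3

# Constructed sample input: one row per HTTPS binding to create.
$rows = @'
Site,HostName
mydomain.com,customer.mydomain.com
mydomain.com,portal.mydomain.com
'@ | ConvertFrom-Csv

foreach ($row in $rows) {
    $info = "*:443:$($row.HostName)"
    $existing = Get-WebBinding -Name $row.Site -Protocol https |
        Where-Object { $_.bindingInformation -eq $info }

    if ($existing) {
        # Leave existing bindings untouched; only report unexpected flags.
        if ([int]$existing.sslFlags -ne $SniAndCcs) {
            Write-Warning "$($row.Site) $info has sslFlags=$($existing.sslFlags)"
        }
        continue
    }

    $params = @{
        Name       = $row.Site
        Protocol   = 'https'
        IPAddress  = '*'
        Port       = 443
        HostHeader = $row.HostName
        SslFlags   = $SniAndCcs
    }
    New-WebBinding @params
}

# Review the result: every HTTPS binding with its flags.
Get-WebBinding -Protocol https |
    Select-Object protocol, bindingInformation, sslFlags

# appcmd form of the same binding (sslFlags is a binding attribute):
# appcmd set site /site.name:"mydomain.com" /+bindings.[protocol='https',bindingInformation='*:443:customer.mydomain.com',sslFlags='3']
```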
bobbailey22 (Author) Commented:
We ended up finding the best solution with the help of one of our technicians.