Solved

APPCMD to enable central certificate store and SNI?

Posted on 2015-02-24
4
504 Views
Last Modified: 2015-03-07
Hello,

I have 6 web servers that we are building for our new production environment and have used appcmd to assign bindings to each of our 300+ websites on one of the servers to test it out.  (needless to say I don't want to manually add bindings one at a time for almost 2000 sites)  I am looking for a way to automate the enabling of the respective "use central certificate store" and "require Server Name Indication" check boxes programatically.  The Appcmd script below works great and I can use the central certificate store and SNI once I have manually enabled the check box for it in the bindings section of IIS 8.

appcmd set site /site.name:"mydomain.com" /+bindings.[protocol='https',bindingInformation='x.x.x.x:443:customer.mydomain.com']

Does anyone know of a command I can add to each line of my script to enable those two check boxes, or of a way to script the enabling of it later in batch?

Thank you
unassigned.png
enabled.png
0
Comment
Question by:bobbailey22
  • 3
4 Comments
 
LVL 36

Expert Comment

by:Mahesh
ID: 40630421
I have half answer I think

appcmd set site "My site name" /bindings:"https://server.domain.com:443"  should take care of centralize certificate store
0
 

Author Comment

by:bobbailey22
ID: 40631216
I will try that command and let you know, it may take some time as I am working offsite today.  Will that enable Server Name Indication as well?
0
 

Accepted Solution

by:
bobbailey22 earned 0 total points
ID: 40640326
Here is the proper way to add bindings using SNI and CCS

How to Configure Bindings in IIS 8 using Server Name Indication(SNI) and Central Certificate Store(CCS).
*This must be done this way to ensure all the necessary registry keys are created.
Located : HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslSniBindingInfo

1: Choose web site in IIS.  Go to Bindings Menu and Add a new binding.
2: Enter the following info:
A.      Type: Http
B.      IP Address: All Unassisgned
C.      Port: 80
D.      HostName: www.temporary.com
3: Click OK to save binding
4: Click Add to add another binding with the following info:
A.      Type: Https
B.      IP Address: All Unassigned
C.      Port 443
D.      hostname: www.temporary.com
E.      Check “Require Server Name Indication” & “Use Centralized Certificate Store”
5: Click OK to save SSL binding.
6: Browse to:  C:\Windows\System32\inetsrv\config on local server.
7:  Open “applicationHost.config” file in notepad
8: Browse to the “<sites>” section and locate the relevant site name: “domain.com”
9: Located the Bindings that you created from the GUI.  Will be in this format:
<binding protocol="https" bindingInformation="*:443:www.temporary.com" sslFlags="3" />
<binding protocol="http" bindingInformation="*:80:www.temporary.com" />
10: Remove the host info from the binding so that it now looks like this:
<binding protocol="https" bindingInformation="*:443:" sslFlags="3" />
<binding protocol="http" bindingInformation="*:80:" />
11: Save File and close
12: Open the Bindings menu from IIS and confirm that the host value is now removed.  Restart IIS.
0
 

Author Closing Comment

by:bobbailey22
ID: 40650720
We ended up finding the best solution with the help of one of our technicians.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
A phishing scam that claims a recipient’s credit card details have been “suspended” is the latest trend in spoof emails.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question