Assign IIS SSL Certificate to Binding with Host Header using PowerShell
Here is how I was able to generate a self-signed certificate for the machine FQDN and add the SSL certificate and binding.

```powershell
Import-Module WebAdministration

# Build the machine FQDN from WMI (host name + domain)
$fqdn = "$((Get-WmiObject win32_computersystem).DNSHostName).$((Get-WmiObject win32_computersystem).Domain)"

# Reuse an existing certificate for the FQDN, otherwise create a self-signed one
$cert = Get-ChildItem cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$fqdn" } |
    Select-Object -First 1
if ($cert -eq $null) {
    $cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation "Cert:\LocalMachine\My"
}

# Replace any existing https binding for this host header on the site
$binding = Get-WebBinding -Name SiteNameHere | Where-Object { $_.protocol -eq "https" }
if ($binding -ne $null) {
    Remove-WebBinding -Name SiteNameHere -Port 443 -Protocol "https" -HostHeader $fqdn
}
New-WebBinding -Name SiteNameHere -Port 443 -Protocol https -HostHeader $fqdn

# Attach the certificate (from the LocalMachine\My store) to the new binding
(Get-WebBinding -Name SiteNameHere -Port 443 -Protocol "https" -HostHeader $fqdn).AddSslCertificate($cert.Thumbprint, "my")
```
Based on @ElanHasson's answer, I made this script which will make a self-signed TLS certificate and apply it to a website. It could be tidied a bit, but it works:
```powershell
Clear-Host
Import-Module WebAdministration

$certificateDnsName = 'my.localcert.ssl' # a name you want to give to your certificate (can be anything you want for localhost)
$siteName = "Default Web Site"           # the website to apply the bindings/cert to (top level, not an application underneath!)
$fqdn = ""                               # fully qualified domain name (empty, or e.g. 'contoso.com')

# ----------------------------------------------------------------------------------------
# SSL CERTIFICATE CREATION
# ----------------------------------------------------------------------------------------
# create the ssl certificate that will expire in 2 years
$newCert = New-SelfSignedCertificate -DnsName $certificateDnsName -CertStoreLocation cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(2)
"Certificate Details:`r`n`r`n $newCert"

# ----------------------------------------------------------------------------------------
# IIS BINDINGS
# ----------------------------------------------------------------------------------------
$webbindings = Get-WebBinding -Name $siteName
$webbindings
$hasSsl = $webbindings | Where-Object { $_.protocol -like "*https*" }
if ($hasSsl) {
    Write-Output "ERROR: An SSL certificate is already assigned. Please remove it manually before adding this certificate."
    Write-Output "Alternatively, you could just use that certificate (provided it's recent/secure)."
}
else {
    "Applying TLS/SSL Certificate"
    New-WebBinding -Name $siteName -Port 443 -Protocol https -HostHeader $fqdn # could add -IPAddress here if needed (and for the get below)
    (Get-WebBinding -Name $siteName -Port 443 -Protocol "https" -HostHeader $fqdn).AddSslCertificate($newCert.Thumbprint, "my")
    "`r`n`r`nNew web bindings"
    $webbindings = Get-WebBinding -Name $siteName
    $webbindings
}
"`r`n`r`nTLS/SSL Assignment Complete"
```

With fqdn empty (and no -IPAddress assigned), it will give you this in IIS:
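The two answers above do the same thing: find or create a certificate, create an https binding with a host header, and call AddSslCertificate on it. As an added example that is not code from either answer, the script below makes that procedure idempotent and verifiable: it only accepts a certificate whose SAN or CN matches the host name and that has not expired, creates the binding with SNI enabled (-SslFlags 1, IIS 8 or later) so several host names can share port 443 on one IP, skips steps that are already done, and finally checks with netsh what HTTP.SYS actually holds rather than trusting the IIS configuration alone. The site name and host name are assumed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not the answers' own code. Assumes the WebAdministration module
# (IIS 8+ for SNI) and placeholder site/host names.
Import-Module WebAdministration

$siteName = 'Default Web Site'    # assumed: site to bind
$hostName = 'app.contoso.local'   # assumed: host header / SNI name
$port     = 443

# 1. Pick a usable certificate: matches the host name (SAN or CN), has a private
#    key, is not expired; prefer the one that expires last.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.DnsNameList.Unicode -contains $hostName -or $_.Subject -eq "CN=$hostName")
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    # Self-signed fallback is for dev/test only; production should use a CA-issued cert.
    Write-Warning "No valid certificate for $hostName in LocalMachine\My; creating a self-signed one"
    $cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation Cert:\LocalMachine\My `
        -NotAfter (Get-Date).AddYears(1)
}

# 2. Ensure the https binding for this host header exists (re-runs do not duplicate it).
$binding = Get-WebBinding -Name $siteName -Protocol https -Port $port -HostHeader $hostName
if (-not $binding) {
    # SslFlags 1 = SNI: the host name selects the certificate, so port 443 can be shared.
    New-WebBinding -Name $siteName -Protocol https -Port $port -HostHeader $hostName -SslFlags 1
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port $port -HostHeader $hostName
}

# 3. Attach the certificate; 'My' is the LocalMachine personal store.
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 4. Verify against HTTP.SYS, which is what actually serves TLS. netsh prints the
#    hash in lower case; -match is case-insensitive by default.
$shown = (netsh http show sslcert hostnameport="${hostName}:$port") -join "`n"
if ($shown -notmatch [regex]::Escape($cert.Thumbprint)) {
    throw "HTTP.SYS has no binding for ${hostName}:$port with thumbprint $($cert.Thumbprint)"
}
"${hostName}:$port -> $($cert.Thumbprint) (expires $($cert.NotAfter))"
```

Run it from an elevated session. Because the certificate lookup filters on the host name and expiry, re-running the script after you replace an expiring certificate in the store re-binds the newer one; with the answers' plain Subject match, an expired certificate would be picked up silently.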
Right now I'm using this approach, which does work:
```powershell
# A new GUID per run, used as the appid that owns the HTTP.SYS binding
$guid = [guid]::NewGuid().ToString("B")

# $Name is a placeholder for the host part of the name; the argument is quoted so
# only $Name is expanded and ".domain.com:443" stays literal
netsh http add sslcert hostnameport="$Name.domain.com:443" certhash=b58e54ca68c94f93c134c5da00a388ab0642a648 certstorename=MY appid="$guid"
```
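The netsh route bypasses the WebAdministration module and talks to HTTP.SYS directly, which is useful when the binding must exist before IIS configuration is touched or when scripting a non-IIS listener. Two things bite in practice: netsh add sslcert fails if an entry for that hostname:port already exists, and a fresh GUID on every run means clean-up scripts cannot recognise their own bindings. As an added example (not the answer's own code), the script below looks the thumbprint up from the store instead of hard-coding it, uses a fixed appid, replaces an existing binding only when the hash differs, and verifies the result. The host name and appid are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not the answer's own code. Assumes the certificate is already in
# LocalMachine\My; host name and appid are placeholders.

$hostName = 'app.contoso.local'   # assumed SNI host name
$port     = 443
$hp       = "${hostName}:$port"

# Fixed appid so re-runs and clean-ups refer to the same owner. A random GUID per
# run (as in the answer above) leaves entries nobody can attribute later.
$appId = '{a1f0b6b4-3c0e-4f0f-9c7c-000000000001}'   # placeholder, choose one per application

# Resolve the thumbprint from the store rather than pasting it into the script.
$thumbprint = (Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   $_.DnsNameList.Unicode -contains $hostName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
if (-not $thumbprint) { throw "No valid certificate for $hostName in LocalMachine\My" }

# HTTP.SYS holds one entry per hostname:port. Read it first; 'show' prints
# 'Certificate Hash : <lowercase hex>' when an entry exists.
$current = (netsh http show sslcert hostnameport="$hp") -join "`n"
if ($current -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
    if ($Matches[1] -ieq $thumbprint) {
        "Binding for $hp already uses $thumbprint; nothing to do"
        return
    }
    # Different certificate bound: remove it, because 'add' refuses duplicates.
    netsh http delete sslcert hostnameport="$hp" | Out-Null
}

netsh http add sslcert hostnameport="$hp" certhash=$thumbprint certstorename=MY appid="$appId"
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed for $hp" }

# Verify the entry HTTP.SYS now holds matches what we intended to bind.
$after = (netsh http show sslcert hostnameport="$hp") -join "`n"
if ($after -notmatch [regex]::Escape($thumbprint)) { throw "Binding for $hp missing after add" }
"Bound $hp to $thumbprint"
```

Note that hostnameport= creates an SNI binding keyed on the host name; for a site that must also answer on a bare IP (no SNI) you still need an ipport= entry. Either way, IIS only serves the site through that binding if the site also has a matching https binding with the same host header, which is what the other answers create with New-WebBinding.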