Register a https binding with SNI enabled in IIS 8 with PowerShell Script

If as you say the certificate is already installed and the application pool identity has permission to the private key then you should be able to register a new binding like this:

New-WebBinding -Name $WebsiteName -Protocol "https" -Port 443 -IPAddress $IPAddress -HostHeader $HostHeader -SslFlags $sslFlags

You will of course need to set the variables before running this code however these should be self-explanatory.

When setting the value of the $sslFlags variable this should be set according to the following table:

0  No SNI1  SNI Enabled2  Non SNI binding which uses Central Certificate Store.3  SNI binding which uses Central Certificate store

In your case this should be set to 1 since you are not using the central certificate store.

Once you have got the SSL binding in place you then need to associate the binding with the correct certificate. I have found through experience that the easiest way to do this is to use the netsh.exe command. It is possible to use Powershell directly however after many hours of investigating and addressing different problems I found netsh just more reliable.

The syntax here depends on how the binding is going to be setup however if you are using SNI then you will need the following syntax: (don't worry about the appid, it is not important what the value is)

netsh http add sslcert hostnameport=$($HostHeader):$($Port) certhash=$Thumbprint appid='{4dc3e181-e14b-4a21-b022-59fc669b0914}' certstorename=MY

This code also requires variables to be set. Host header should be the DNS name your website is bound to, port will most likely be 443 and the variable $Thumbprint needs to contain the thumbprint or the hash of the certificate you are going to be using. You can find this using the certificate provider as in this code:

$Thumbprint = (Get-ChildItem -Path cert:\LocalMachine\My | Where-Object {$_.GetNameInfo("SimpleName",$false) -eq "my cert common name"}).Thumbprint

Hope this helps, if you need any more help then update the question. I have done a lot of work in this area.

If you do not want to use Netsh, you can also add an SNI Binding (with the "Require Server Name Indication" flag set!) only using Powershell.

Here is the most simple approach i could find for IIS8:

# Parameters:$WebsiteName = "Your Site Name" # this is the Sites name as displayed in IIS Manager$port = 443 # SSL Port, when using SNI most likely the default port 443$hostHeader = "www.example.com" # the domain / host-header this binding should listen for$thumbprint = "AAABBBCCCDDDEEEFFF000111222333444555666" # the certificate thumbprint# Commands:New-Item -Path "IIS:\SslBindings\!$port!$hostHeader" -Thumbprint $thumbprint -SSLFlags 1New-WebBinding -Name $WebsiteName -Protocol "https" -Port $port -HostHeader $hostHeader -SslFlags 1

Hope this helps someone! :-)

There's actually a method on the binding object to add an SSL which seems to work better than both of the above options

$Name = ''$IP = ''$HostHeader = ''#ymmv here. if host header doesnt match subject name you need to adjust how you're getting the cert$Cert = (gci cert:\LocalMachine\My) | ? { ( ($_.Subject | SLS '^(?:CN=)(.*?)(?=,)').matches.groups.value[-1]) -eq $HostHeader}New-WebBinding -Name $Name -Protocol 'https' -Port 443 -IPAddress $IP -HostHeader $HostHeader -SslFlags 1$NewBinding = get-webbinding -hostheader $HostHeader -protocol https$NewBinding.AddSSLCertificate("$($cert.getcerthashstring())","MY")