How to assign an SSL certificate to an IIS7 site from the command prompt

Posted on 2024-07-14 18:34:01

Can you advise me whether it is possible or not to assign an SSL certificate to a website in IIS7 using the APPCMD application?

I am familiar with the command to set the HTTPS Binding

appcmd set site /site.name:"A Site" /+bindings.[protocol='https',bindingInformation='*:443:www.mysite.com']

and how to obtain current mappings

%windir%\system32\inetsrv\Appcmd

but cannot seem to find any way to map a site to a certificate (say the certificate's hash, for example)

Comments (9)

倾城°AllureLove 2024-07-21 18:34:01

The answer is to use NETSH.
For example

netsh http add sslcert ipport=0.0.0.0:443 certhash='baf9926b466e8565217b5e6287c97973dcd54874' appid='{ab3c58f7-8316-42e3-bc6e-771d4ce4b201}'
自由如风 2024-07-21 18:34:01

This helped me a lot: a simple guide, by Sukesh Ashok Kumar, to setting up SSL for IIS from the command line. Includes importing/generating the certificate with certutil / makecert.

http://www.awesomeideas.net/post/How-to-configure-SSL-on-IIS7-under-Windows-2008-Server-Core.aspx

EDIT: if the original URL is down, it's still available through the Wayback Machine.

南冥有猫 2024-07-21 18:34:01

With PowerShell and the WebAdministration module, you can do the following to assign an SSL certificate to an IIS site:

# ensure you have the IIS module imported
Import-Module WebAdministration

cd IIS:\SslBindings
Get-Item cert:\LocalMachine\My\7ABF581E134280162AFFFC81E62011787B3B19B5 | New-Item 0.0.0.0!443

Things to note... the value, "7ABF581E134280162AFFFC81E62011787B3B19B5" is the thumbprint for the certificate you want to import. So it needs to be imported into the certificate store first. The New-Item cmdlet takes in the IP address (0.0.0.0 for all IPs) and the port.

See http://learn.iis.net/page.aspx/491/powershell-snap-in-configuring-ssl-with-the-iis-powershell-snap-in/ for more details.

I've tested this in Windows Server 2008 R2 as well as Windows Server 2012 pre-release.

前事休说 2024-07-21 18:34:01

@David and @orip have it right.

However, I did want to mention that the ipport parameter specified in the example (0.0.0.0:443) is what the MSDN calls the "unspecified address (IPv4: 0.0.0.0 or IPv6: [::])".

I went looking it up, so I figured I'd document here to save someone else the time. This article focuses on SQL Server, but the information is still relevant:

http://msdn.microsoft.com/en-us/library/ms186362.aspx

疧_╮線 2024-07-21 18:34:01

Using the answers from this post, I created a single script that did the trick for me. It starts from the pfx file, but you could skip that step.

Here it is:

cd C:\Windows\System32\inetsrv

certutil -f -p "pa$word" -importpfx "C:\temp\mycert.pfx"

REM The thumbprint is gained by installing the certificate, going to cert manager > personal, clicking on it, then getting the Thumbprint.
REM Be careful copying the thumbprint. It can add hidden characters, esp at the front.
REM appid can be any valid guid
netsh http add sslcert ipport=0.0.0.0:443 certhash=5de934dc39cme0234098234098dd111111111115 appid={75B2A5EC-5FD8-4B89-A29F-E5D038D5E289}

REM bind to all ip's with no domain. There are plenty of examples with domain binding on the web
appcmd set site "Default Web Site" /+bindings.[protocol='https',bindingInformation='*:443:']
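
The script above warns that a copied thumbprint can carry hidden characters. The following PowerShell is an added example, not the poster's script: it cleans the thumbprint and checks the certificate before it touches the HTTP.sys binding. `Set-HttpSslCert` is a hypothetical helper name; it assumes an elevated session and a certificate already imported into `Cert:\LocalMachine\My`.

```powershell
# Added example. Set-HttpSslCert is a hypothetical helper name, not a built-in cmdlet.
# Assumes an elevated session and a certificate already imported into LocalMachine\My.
function Set-HttpSslCert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $IpPort = '0.0.0.0:443',
        [string] $AppId  = ([guid]::NewGuid().ToString('B'))
    )

    # Keep hex digits only: a thumbprint copied from the certificate dialog can
    # carry an invisible leading character, spaces or quotes.
    $clean = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($clean.Length)."
    }

    # The certificate must be in the machine store and have its private key.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$clean" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $clean has no private key in this store."
    }

    # Refuse a certificate that is not yet valid or already expired.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate $clean is valid only from $($cert.NotBefore) to $($cert.NotAfter)."
    }

    # If an EKU extension is present it must list Server Authentication.
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains '1.3.6.1.5.5.7.3.1') {
            throw "Certificate $clean is not issued for Server Authentication."
        }
    }

    # Drop any binding already on this ip:port so the script can be re-run, then add.
    # netsh signals failure through its exit code, not a PowerShell exception.
    netsh http delete sslcert ipport=$IpPort | Out-Null
    netsh http add sslcert ipport=$IpPort certhash=$clean certstorename=MY appid="$AppId"
    if ($LASTEXITCODE -ne 0) {
        throw "netsh http add sslcert failed with exit code $LASTEXITCODE."
    }
    netsh http show sslcert ipport=$IpPort
}
```

Because every check runs before `netsh http delete sslcert`, a mistyped or expired certificate leaves the existing binding in place.
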
合久必婚 2024-07-21 18:34:01

If you're trying to perform IIS Administration without using the MMC snap-in GUI, you should use the PowerShell WebAdministration module.

The other answers on this blog don't work on later versions of Windows Server (2012)

桃扇骨 2024-07-21 18:34:01

Using PowerShell + netsh:

$certificateName = 'example.com'
$thumbprint = Get-ChildItem -path cert:\LocalMachine\My | where { $_.Subject.StartsWith("CN=$certificateName") } | Select-Object -Expand Thumbprint
$guid = [guid]::NewGuid().ToString("B")
netsh http add sslcert ipport="0.0.0.0:443" certhash=$thumbprint certstorename=MY appid="$guid"

If you need a named binding, replace the netsh call with this:

netsh http add sslcert hostnameport="${certificateName}:443" certhash=$thumbprint certstorename=MY appid="$guid"
柠檬色的秋千 2024-07-21 18:34:01

With IISAdministration 1.1.0.0 (https://www.powershellgallery.com/packages/IISAdministration/1.1.0.0) you can use the following code to add a new HTTPS binding to a specific site:

$thumbPrint = (gci Cert:\localmachine\My | Where-Object { $_.Subject -Like "certSubject*" }).Thumbprint
New-IISSiteBinding -Name "Site Name" -BindingInformation "*:443:" -CertificateThumbPrint $thumbPrint -CertStoreLocation My -Protocol https

View existing bindings with

Get-IISSiteBinding -Name "Site Name"

Remove an existing binding with

Remove-IISSiteBinding -Name "Site Name" -BindingInformation "*:443:" -Protocol https -Confirm:$False
梦屿孤独相伴 2024-07-21 18:34:01

With some re-entrancy capabilities:

$securePfxKey=ConvertTo-SecureString -String $mypwd -AsPlainText -Force
Import-PfxCertificate -FilePath MySpector.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $securePfxKey
$mypfx=Get-PfxData -FilePath MySpector.pfx -Password $securePfxKey
$newThumbprint=$mypfx.EndEntityCertificates.Thumbprint
$applicationID="{4dc3e181-e14b-4a21-b022-59fc669b0914}" # hardcode it once
netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=$newThumbprint appid=$applicationID