How do I set the IIS 10.0 Management Service SSL Certificate via a Powershell script to allow Web Deploy?

Question

When I run windows updates and sysprep my Amazon EC2 instance (Windows Server 2016), I have to create a new self-signed certificate. I can then select the SSL certificate (I named it WebDeploy) in the Management Service screen. I have figured out how to create the SSL certificate from Windows Powershell, but I have to select the SSL Certificate from the dropdown in the screenshot. How can I set that SSL certificate from a command line?

Here's what I tried that did not work - I was able to avoid errors, but none of them allowed the WebDeploy to work without me going into the IIS Manager screen and manually selecting the dropdown.

Stop-Service wmsvc
$strGuid = New-Guid
Import-Module WebAdministration
Remove-Item -Path IIS:\SslBindings\0.0.0.0!8172
Get-Item -Path  "cert:\localmachine\my\$strHashThumbprint" | New-Item -Path 
IIS:\SslBindings\0.0.0.0!8172 
Start-Service wmsvc

And also, this didn't work:

Stop-Service wmsvc
netsh http delete sslcert ipport=0.0.0.0:8172
netsh http add sslcert ipport=0.0.0.0:8172 certhash=$strHashThumbprint appid=`{$strGuid`} certstorename="MY" sslctlstorename="MY"
Start-Service wmsvc

And finally, this didn't work:

Stop-Service wmsvc
Add-NetIPHttpsCertBinding -IpPort "0.0.0.0:8172" -CertificateHash $strHash -CertificateStoreName "My" -ApplicationId "{$strGuid}" -NullEncryption $false 
Start-Service wmsvc

Answer 1

I finally found the answer at https://forums.iis.net/t/1238001.aspx

I'm not sure if the trusted root store part is needed or not - everything seems to work without that, but I'm very confident the registry keys need to be updated. That was the key to getting this working.

The full script:

# Delete any existing certificates
Set-Location -Path "cert:\LocalMachine\My"
Get-ChildItem -Path "cert:\LocalMachine\My" | Remove-Item

#Create the new certificate
$strNewCertficate = New-SelfSignedCertificate -FriendlyName "WebDeploy" -DnsName "yoursite.com" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter $([datetime]::now.AddYears(5))
$strHashThumbprint = $strNewCertficate.Thumbprint

#add it to the trusted root store
$trustedRootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("root","LocalMachine")
$trustedRootStore.open("ReadWrite");
$trustedRootStore.add($strNewCertficate);

#Use the new certificate
Stop-Service wmsvc
$strGuid = New-Guid
netsh http delete sslcert ipport=0.0.0.0:8172
netsh http add sslcert ipport=0.0.0.0:8172 certhash=$strHashThumbprint appid=`{$strGuid`} certstorename="MY"

#convert thumbprint to bytes and update registry
$bytes = for($i = 0; $i -lt $strHashThumbprint.Length; $i += 2) { [convert]::ToByte($strHashThumbprint.SubString($i, 2), 16) }
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' -Name IPAddress -Value "*";
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' -Name SslCertificateHash -Value $bytes
Start-Service wmsvc

Answer 2

IIS version notwithstanding, this question appears to be very similar to...

How to assign an different SSL certificate for the IIS7+ Management Service on Server-Core?

# get the thumbprint for the certificate we want to use:
$thumb = (Get-ChildItem cert:\LocalMachine\MY | where-object { $_.FriendlyName -eq   "www.stackoverflow.com" } | Select-Object -First 1).Thumbprint
# get a new guid:
$guid = [guid]::NewGuid()

# remove the self-signed certificate:
& netsh http delete sslcert ipport=0.0.0.0:8172
# add the 'proper' certificate:
& netsh http add sslcert ipport=0.0.0.0:8172 certhash=$thumb appid=`{$guid`}