[英]Assign IIS SSL Certificate to Binding with Host Header using PowerShell
我正在嘗試將證書分配給HTTPS綁定。 不幸的是,我從PowerShell收到此錯誤:
new-item : Cannot create a file when that file already exists
At line:3 char:56
+ get-item -Path "cert:\localmachine\my\$cert" | new-item -path IIS:\SslBi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-Item], Win32Exception
+ FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.NewItemCommand
我執行的PowerShell是:
New-WebBinding -name $Name -Protocol https -HostHeader "$Name.domain.com" -Port 443 -SslFlags 1
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | where-Object {$_.subject -like "*cloud.domain.com*"} | Select-Object -ExpandProperty Thumbprint
get-item -Path "cert:\localmachine\my\$cert" | new-item -path IIS:\SslBindings\0.0.0.0!443!$Name.domain.com
它似乎能夠找到證書,但無法將其分配給創建的綁定。 使用正確的IP / Port / HostHeader創建綁定,檢查SNI,但SSL證書是“未選中”
從IIS管理器一切正常
我嘗試過來自SO和其他網站的各種指示,例如:
http://technet.microsoft.com/en-us/magazine/jj871065.aspx
Powershell IIS7 Snap in將SSL證書分配給https綁定
Powershell - 使用共享證書添加SSL綁定
另外,我試過了
IIS:\SslBindings\0.0.0.0!443!$Name.domain.com
和
IIS:\SslBindings\0.0.0.0!443
證書有一個cloud.domain.com主題和多個SAN屬性,例如**。domain.com *, domain.com ,**。seconddomain.com *, seconddomain.com , cloud.domain.com
編輯:
現在我正在使用這種方法,它確實有效:
$guid = [guid]::NewGuid().ToString("B")
netsh http add sslcert hostnameport=$Name.domain.com:443 certhash=b58e54ca68c94f93c134c5da00a388ab0642a648 certstorename=MY appid="$guid"
我仍然對沒有netsh / appcmd的解決方案感興趣
以下是我能夠為機器FQDN生成自簽名證書以及添加SSL證書和綁定的方法。
$fqdn = "$((Get-WmiObject win32_computersystem).DNSHostName).$((Get-WmiObject win32_computersystem).Domain)"
$cert=(Get-ChildItem cert:\LocalMachine\My | where-object { $_.Subject -match "CN=$fqdn" } | Select-Object -First 1)
if ($cert -eq $null) {
$cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation "Cert:\LocalMachine\My"
}
$binding = (Get-WebBinding -Name SiteNameHere | where-object {$_.protocol -eq "https"})
if($binding -ne $null) {
Remove-WebBinding -Name SiteNameHere -Port 443 -Protocol "https" -HostHeader $fqdn
}
New-WebBinding -Name SiteNameHere -Port 443 -Protocol https -HostHeader $fqdn
(Get-WebBinding -Name SiteNameHere -Port 443 -Protocol "https" -HostHeader $fqdn).AddSslCertificate($cert.Thumbprint, "my")
現在我正在使用這種方法,它確實有效:
$guid = [guid]::NewGuid().ToString("B")
netsh http add sslcert hostnameport=$Name.domain.com:443 certhash=b58e54ca68c94f93c134c5da00a388ab0642a648 certstorename=MY appid="$guid"
基於@ElanHasson的回答,我制作了這個腳本,它將制作一個自簽名的TLS證書並將其應用到網站上。 它可以整理一下,但它有效:
Clear-Host
$certificateDnsName = 'my.localcert.ssl' # a name you want to give to your certificate (can be anything you want for localhost)
$siteName = "Default Web Site" # the website to apply the bindings/cert to (top level, not an application underneath!).
$fqdn = "" #fully qualified domain name (empty, or e.g 'contoso.com')
# ----------------------------------------------------------------------------------------
# SSL CERTIFICATE CREATION
# ----------------------------------------------------------------------------------------
# create the ssl certificate that will expire in 2 years
$newCert = New-SelfSignedCertificate -DnsName $certificateDnsName -CertStoreLocation cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(2)
"Certificate Details:`r`n`r`n $newCert"
# ----------------------------------------------------------------------------------------
# IIS BINDINGS
# ----------------------------------------------------------------------------------------
$webbindings = Get-WebBinding -Name $siteName
$webbindings
$hasSsl = $webbindings | Where-Object { $_.protocol -like "*https*" }
if($hasSsl)
{
Write-Output "ERROR: An SSL certificate is already assigned. Please remove it manually before adding this certificate."
Write-Output "Alternatively, you could just use that certificate (provided it's recent/secure)."
}
else
{
"Applying TLS/SSL Certificate"
New-WebBinding -Name $siteName -Port 443 -Protocol https -HostHeader $fqdn #could add -IPAddress here if needed (and for the get below)
(Get-WebBinding -Name $siteName -Port 443 -Protocol "https" -HostHeader $fqdn).AddSslCertificate($newCert.Thumbprint, "my")
"`r`n`r`nNew web bindings"
$webbindings = Get-WebBinding -Name $siteName
$webbindings
}
"`r`n`r`nTLS/SSL Assignment Complete"
使用fqdn為空(並且沒有分配-IPAddress ),它將在IIS中為您提供:
我不熟悉IIS,但是錯誤說綁定(文件)已經存在,所以你沒有添加SSL綁定,你似乎正在更新它。 嘗試將-Force添加到New-Item命令。 如果它像文件一樣工作,它應該覆蓋現有的綁定。 喜歡:
New-WebBinding -name $Name -Protocol https -HostHeader "$Name.domain.com" -Port 443 -SslFlags 1
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | where-Object {$_.subject -like "*cloud.domain.com*"} | Select-Object -ExpandProperty Thumbprint
get-item -Path "cert:\localmachine\my\$cert" | new-item -path IIS:\SslBindings\0.0.0.0!443!$Name.domain.com -Force
以下方法對我有用:
在HTTP.sys中添加新的SSL配置后,將新綁定添加到網站,並將SslFlags設置為1,如下所示
$guid = [guid]::NewGuid().ToString("B")
$certHash = (gci Cert:\LocalMachine\My | where {$_.Subject -match "CN\=TestSSLBinding"} | Select -First 1).Thumbprint
netsh http add sslcert hostnameport=TestsslBinding:443 certhash="$certHash" certstorename=MY appid="$guid"
New-WebBinding -Name TestWebsite -Protocol https -Port 443 -HostHeader TestsslBinding -IPAddress 192.168.1.108 -SslFlags 1
我遇到了SNI和powershell的一些問題。 我錯過的一個重要步驟實際上是在證書的導入過程中。 您需要確保證書被標記為“可導出”,否則webadministration模塊將無法與其綁定。
如果你有,那么你的原始腳本應該工作。 雖然,我個人更喜歡使用證書變量而不是指紋。
像這樣:
New-WebBinding -name $Name -Protocol https -HostHeader "$Name.domain.com" -Port 443 -SslFlags 1
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | where-Object {$_.subject -like "*cloud.domain.com*"}
New-Item -Path "IIS:\SslBindings\!443!$Name.domain.com" -Value $cert -SSLFlags 1
new-item:當該文件已存在時,無法創建文件
事先刪除0.0.0.0!443綁定為我解決了這個問題:
Get-Item IIS:\SslBindings\0.0.0.0!443 | Remove-Item
僅供參考:以下是我為使用SNI / SSL主機標頭而沒有顯式IP綁定的網站批量分配通配符證書而制作的Powershell腳本,以及新證書的友好名稱如*.example.com 2019
#SCRIPT FOR ADMIN POWERSHELL TO BULK ASSIGN A WILDCARD SSL CERTIFICATE TO ONE OR MORE WEBSITES USING SSL HOST HEADERS WITHOUT EXPLICIT IPS
# —————————————————————————————
# User Configurable Variables:
# —————————————————————————————
$wildcardDomain="*.example.com"; # This string should be present in the friendly name of the new SSL certificate
$yearMatchingNewCert="2019"; # This string should be UNIQUELY present in the friendly name of the new SSL certificate
# Make the IIS: drive available
Import-Module WebAdministration;
# —————————————————————————————
# Auto-Determine the certificate store to use from the usual 'My' or 'WebHosting' locations
# —————————————————————————————
$certInWebHostingStore=dir Cert:\localmachine\WebHosting | where-Object {$_.subject -like "$wildcardDomain*"};
$certInPersonalStore=dir Cert:\localmachine\My | where-Object {$_.subject -like "$wildcardDomain*"};
if ($certInWebHostingStore) {$certStoreDir="WebHosting"} elseif ($certInPersonalStore) {$certStoreDir="My"} else {$certStoreDir=null};
$certStorePath="\localmachine\$certStoreDir";
echo "███ The NEW certificate is living in this store: $certStorePath";
# —————————————————————————————
# Get the Thumbprint of the NEW certificate
# —————————————————————————————
$certThumbHashNew=Get-ChildItem -Path Cert:$certStorePath | where-Object {$_.subject -like "$wildcardDomain*" -and $_.FriendlyName -like "*$yearMatchingNewCert*"} | Select-Object -ExpandProperty Thumbprint;
echo "███ The NEW certificate's thumbprint hash is: $certThumbHashNew"; # If this displays as empty then you have either not installed the certificate, it's not in the usual Certificate stores or the certificate friendly name doesn't match the pattern "*.example.com 2019" e.g. "*.example.com (2018-2021)"
# —————————————————————————————
# Display the existing bindings
# —————————————————————————————
#Dir IIS:\SslBindings; # Shows all bindings
#Dir IIS:\SslBindings\!443!*; # Shows all port 443 bindings
Dir IIS:\SslBindings\!443!$wildcardDomain; # Shows all bindings in use matching the wildcard certificate
# —————————————————————————————
# Remove the Existing Bindings
# —————————————————————————————
# NOTE: SNI settings are in the Registry if all else fails: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HTTP\Parameters\SslSniBindingInfo
Get-Item IIS:\SslBindings\!443!$wildcardDomain | Remove-Item;
# —————————————————————————————
# Add the New Bindings
# —————————————————————————————
Get-Item -Path "cert:$certStorePath\$certThumbHashNew" | New-Item -Path IIS:\SslBindings\!443!$wildcardDomain;
# —————————————————————————————
# The IIS Manager doesn't seem to update its GUI without this bit
# —————————————————————————————
#(Get-WebBinding -Port 443 -Protocol "https" -HostHeader $wildcardDomain).RemoveSslCertificate($certThumbHashNew, $certStoreDir);
(Get-WebBinding -Port 443 -Protocol "https" -HostHeader $wildcardDomain).AddSslCertificate($certThumbHashNew, $certStoreDir);
奇怪的是,在獲得新的控制台會話之前,查看PowerShell中的更改(列出綁定)不會顯示更改,因此請關閉並重新打開Admin PowerShell窗口。
# —————————————————————————————
# User Configurable Variables:
# —————————————————————————————
$wildcardDomain="*.example.com";
# —————————————————————————————
# Make the IIS: drive available
Import-Module WebAdministration;
# —————————————————————————————
# Display the new bindings
# —————————————————————————————
Dir IIS:\SslBindings\!443!$wildcardDomain
# —————————————————————————————
# Troubleshooting
# —————————————————————————————
# If things go awry, the 0.0.0.0 address usually seems to be at fault, particularly if the error is "New-Item : Cannot create a file when that file already exists"
# To remove it follow these steps, then start over with the previous script again:
# View all the port 443 bindings, not just the ones matching our wilcard:
#Dir IIS:\SslBindings\!443!*
# If the 0.0.0.0 binding shows in the list then use this to drop it:
#Get-Item IIS:\SslBindings\0.0.0.0!443 | Remove-Item
用於制作此腳本的參考:
Powershell IIS7 Snap in將SSL證書分配給https綁定
[英]Powershell IIS7 Snap in Assign SSL certificate to https binding
將主機頭名稱應用於IIS中站點的現有綁定的powershell腳本
[英]powershell script to apply host header name to an existing binding of a site in IIS
如何使用PowerShell將創建的證書添加到IIS https綁定
[英]How to add created certificate to an IIS https binding using PowerShell
如何在 PowerShell 中檢索 IIS 網站的 SSL 證書
[英]How to retrieve SSL certificate of an IIS website in PowerShell
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.