Importing PFX SSL certificate to IIS with PowerShell script

Since Google announced HTTPS as a ranking signal, most websites nowadays are switching to secured communication via SSL certificates. Even I switched my website to an HTTPS secured connection to follow this new trend.

Using a certificate on a website depends on the domain binding, but before we set up the domain binding for the website we need to import the certificate to IIS. This can easily be done with the PowerShell cmdlet Import-PfxCertificate.

Note: the cmdlet Import-PfxCertificate is available starting from PowerShell 4. In case you have an older PowerShell version installed, please consider upgrading your PowerShell version: https://www.microsoft.com/en-us/download/details.aspx?id=40855

Installing SSL certificate to IIS

In case you have your certificate in a format other than PFX/PKCS12, you can follow the instructions from the article Exporting SSL certificate to PFX format for using on IIS or Azure to get your SSL certificate in PFX/PKCS12 format.

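    $certPath = "c:\temp\my-domain.com.pfx"
    # Demo value only; avoid keeping a real PFX password in the script file
    $certPass = "pass123"

    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    # MachineKeySet stores the private key machine-wide so IIS can use it from the
    # LocalMachine store; Exportable allows the key to be exported again later
    $pfx.Import($certPath, $certPass, "Exportable,MachineKeySet,PersistKeySet")

    # Add the certificate to the LocalMachine\WebHosting store
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("WebHosting", "LocalMachine")
    $store.Open("ReadWrite")
    $store.Add($pfx)
    $store.Close()

    # Keep the thumbprint for the HTTPS binding
    $certThumbprint = $pfx.Thumbprint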

After running this PowerShell script, you will have the SSL certificate installed and ready to use. You can open Internet Information Services (IIS) Manager, go to the Server Certificates section, and you should see the certificate listed.

Now that we have the SSL certificate installed on IIS, we need to set up the binding for the website on IIS.

Setting up HTTPS binding to use SSL certificate

In the script above you can see that we have the $certThumbprint variable, which we need for setting up the HTTPS binding. Depending on whether we use the import certificate script snippet as part of our final script or execute it separately, we either already have this variable or we fetch it afterwards.

    $thumbprints = Get-ChildItem -path cert:\LocalMachine\WebHosting
    # Takes the first certificate found in the WebHosting store
    $certThumbprint = $thumbprints[0].Thumbprint

Since we need to set up the website and its binding in order to use the SSL certificate over HTTPS, we can reuse the PowerShell script from the article Setting up IIS ASP.NET WebApplication using PowerShell, which handles both website setup and bindings, with some slight modifications to include HTTPS bindings with the SSL certificate.

    Import-Module WebAdministration

    $iisAppPoolName = "temp"
    $iisAppPoolDotNetVersion = "v4.0"
    $iisWebsiteFolderPath = "C:\temp"
    $iisWebsiteName = "temp"

    # Certificates installed in the LocalMachine\WebHosting store
    $thumbprints = Get-ChildItem -path cert:\LocalMachine\WebHosting

    $iisWebsiteBindings = @(
        @{protocol="http";bindingInformation="*:80:temp1.com"},
        @{protocol="http";bindingInformation="*:80:temp2.com"},
        @{protocol="https";bindingInformation="*:443:my-domain.com";hostHeader="my-domain.com";SSLFlags=1}
    )

    # Create the application pool if it does not exist yet
    if (!(Test-Path IIS:\AppPools\$iisAppPoolName -pathType container))
    {
        New-Item IIS:\AppPools\$iisAppPoolName
        Set-ItemProperty IIS:\AppPools\$iisAppPoolName -name "managedRuntimeVersion" -value $iisAppPoolDotNetVersion
    }

    # Create the website with its bindings and attach the certificate to the HTTPS binding
    if (!(Test-Path IIS:\Sites\$iisWebsiteName -pathType container))
    {
        New-Item IIS:\Sites\$iisWebsiteName -bindings $iisWebsiteBindings -physicalPath $iisWebsiteFolderPath
        Set-ItemProperty IIS:\Sites\$iisWebsiteName -name applicationPool -value $iisAppPoolName
        (Get-WebBinding -Name $iisWebsiteName -Port 443 -Protocol "https").AddSslCertificate($thumbprints[0].Thumbprint, "WebHosting")
    }

You can see that there is one more binding added to the array of bindings, and that after the site is created the script looks up that binding (based on protocol and port) and assigns the certificate to it.
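An added example, not part of the original article: a variant of the import and binding steps that prompts for the PFX password, imports with Import-PfxCertificate (private key non-exportable unless -Exportable is given), and selects the certificate by host name and validity instead of taking the first item in the store. The helper name Test-CertMatchesHost and the path, host and site values are assumptions; it presumes the site already has an HTTPS binding on port 443 with no certificate attached, and a certificate provider that exposes DnsNameList.

```powershell
# Assumed values for this example (constructed, adjust to your environment)
$pfxPath  = 'C:\temp\my-domain.com.pfx'
$hostName = 'my-domain.com'
$siteName = 'temp'
$store    = 'WebHosting'

# Hypothetical helper: does the certificate cover the host name?
# A wildcard entry (*.example.com) covers exactly one left-most label.
function Test-CertMatchesHost {
    param($Cert, [string]$HostName)
    foreach ($name in $Cert.DnsNameList.Unicode) {
        if ($name -eq $HostName) { return $true }
        if ($name.StartsWith('*.') -and $HostName.Contains('.') -and
            $HostName.Substring($HostName.IndexOf('.') + 1) -eq $name.Substring(2)) {
            return $true
        }
    }
    return $false
}

# Prompt for the PFX password instead of hard-coding it in the script
$pfxPass = Read-Host -Prompt "Password for $pfxPath" -AsSecureString

# Without -Exportable the imported private key is marked non-exportable
Import-PfxCertificate -FilePath $pfxPath -Password $pfxPass `
    -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null

# Pick by host name, private key and validity window, not by store position
$now  = Get-Date
$cert = Get-ChildItem "Cert:\LocalMachine\$store" |
    Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        (Test-CertMatchesHost -Cert $_ -HostName $hostName)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No valid certificate with a private key for $hostName in $store"
}

# Attach the selected certificate to the existing HTTPS binding
Import-Module WebAdministration
$binding = Get-WebBinding -Name $siteName -Port 443 -Protocol 'https'
if (-not $binding) { throw "Site $siteName has no HTTPS binding on port 443" }
$binding.AddSslCertificate($cert.Thumbprint, $store)
```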

Disclaimer

Purpose of the code contained in snippets or available for download in this article is solely for learning and demo purposes. Author will not be held responsible for any failure or damages caused due to any other usage.