New-WebBinding syntax to add SSL binding to specific IIS Web Site

  • Question

  • I can't figure out what I'm doing wrong -- to be fair to myself the online support "New-Item" is pretty poor but I am new to this.

    I'm trying to add an SSL binding to 1 of 3 web sites.  The script below works but it doesn't add the binding to the Host/Site that I want.  What is the syntax to specify host name and site?

    Here's the script I'm using

    write-host "Delete binding"
    Get-WebBinding -Port 443 -Name "IdentityServer" | Remove-WebBinding
    write-host "create new binding"
    New-WebBinding -name "IdentityServer" -Protocol https -HostHeader "Identity-dev.acme.com" -Port 443 -SslFlags 1
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | where-Object {$_.subject -like "*acme.com*"} | Select-Object -ExpandProperty Thumbprint
    cd IIS:\SslBindings
    get-item -Path "cert:\localmachine\my\$cert" | New-Item 0.0.0.0!443!Identity-dev.acme.com

    The result from the IIS:\SslBindings folder (not what I want):

    IP Address          Port   Host Name        Store            Sites                           
    ----------          ----   ---------        -----            -----                           
    0.0.0.0             443                     my  

    The result I'm looking for:

    IP Address          Port   Host Name               Store            Sites
    ----------          ----   ---------               -----            -----
    0.0.0.0             443    Identity-dev.acme.com   my               IdentityServer

    Thanks,

    Tim

    Wednesday, March 4, 2015 10:06 PM

All replies

  • Hi Tim,

    Please also provide the IIS version.

    Based on my research, you need to run IIS 8.0, because without SNI you cannot have host name headers for SSL, and this article is for your reference:

    A subtle difference between IIS 7.5 and IIS 8 when creating an SSL binding with PowerShell

    If you are running on IIS 8.0, please refer to the script below:

    # Import IIS Management PowerShell Module
    Import-Module WebAdministration
    $hostHeader = "test.com"
    
    New-WebBinding -Name "Test Website" -Protocol "https" -Port 443 -HostHeader $hostHeader -SslFlags 1
    #The name specified would be the name of the web site you’d like to add the binding to.  
    #The protocol and port are standard for SSL bindings. The host header is the URL you’d like the web site to respond to.  Finally, SslFlags with a value of 1 enables SNI for this binding.
    
    $certificate = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.FriendlyName -eq "Test Cert"}
    
    New-Item -Path "IIS:\SslBindings\!443!test.com" -Value $certificate -SSLFlags 1

    Refer to:

    An Overview of Server Name Indication (SNI) and Creating an IIS SNI Web SSL Binding Using PowerShell in Windows Server 2012

    If there is anything else regarding this issue, please feel free to post back.

    If you have any feedback on our support, please click here.

    Best Regards,

    Anna Wang

    TechNet Community Support


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Thursday, March 5, 2015 12:01 PM
    Moderator
  • Hi Tim,

    I’m writing to just check in to see if the suggestions were helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up.

    If you have any feedback on our support, please click here.

    Best Regards,

    Anna Wang



    Thursday, March 12, 2015 10:12 AM
    Moderator
  • Sorry for the delay, I didn't get an email indicating there was a response.  I am using IIS 8 on server 2012.  I tried your version of the script which I'm showing below (changed the domain name for privacy)

    Import-Module WebAdministration
    $hostHeader = "recruitdev.acme.com"

    New-WebBinding -Name "Recruit" -Protocol "https" -Port 443 -HostHeader $hostHeader -SslFlags 1
    #The name specified would be the name of the web site you’d like to add the binding to.  
    #The protocol and port are standard for SSL bindings. The host header is the URL you’d like the web site to respond to.  Finally, SslFlags with a value of 1 enables SNI for this binding.

    $certificate = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.subject -like "*acme.com*"} | Select-Object -ExpandProperty Thumbprint

    New-Item -Path "IIS:\SslBindings\!443!recruit.acme.com" -Value $certificate -SSLFlags 1

    When I run the script I get an error on the New-Item line

    New-Item : The parameter is incorrect
    At C:\temp\BindingScriptV2.ps1:10 char:1
    + New-Item -Path "IIS:\SslBindings\!443!recruit.acme.com" -Value $certificate  ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [New-Item], Win32Exception
        + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.N 
       ewItemCommand

    I followed your script syntax for new-item but it still doesn't like it.  What's wrong with this??

    Thanks!

    Tuesday, March 17, 2015 1:45 PM
  • cd IIS:\SslBindings
    $certificate | New-Item  0.0.0.0:443

    SSL cert is bound to the whole web


    ¯\_(ツ)_/¯

    Tuesday, March 17, 2015 3:32 PM
    Moderator
  • Nope, that doesn't work either if I understood it correctly.  I tried

    #New-Item -Path "IIS:\SslBindings\!443!recruit.acme.com" -Value $certificate -SSLFlags 1
    CD "IIS:\SslBindings"
    $certificate | New-Item 0.0.0.0:443!recruit.acme.com

    And got:

    New-Item : Cannot find drive. A drive with the name '0.0.0.0' does not exist.
    At C:\temp\BindingScriptV2.ps1:12 char:16
    + $certificate | New-Item 0.0.0.0:443!recruit.smashfly.com
    +                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (0.0.0.0:String) [New-Item], DriveNotFoundException
        + FullyQualifiedErrorId : DriveNotFound,Microsoft.PowerShell.Commands.NewItemCommand

    Tuesday, March 17, 2015 8:07 PM
  • This is what I posted

    cd IIS:\SslBindings
    $certificate | New-Item  0.0.0.0:443

    You changed it.  Of course it won't work.


    ¯\_(ツ)_/¯

    Tuesday, March 17, 2015 11:03 PM
    Moderator
  • Maybe you could explain how that will add a host header recruit.acme.com to web site 'recruit'?  If you read my original post ...this is *not* what I want:
    IP Address          Port   Host Name        Store            Sites                           
    ----------          ----   ---------        -----            -----                           
    0.0.0.0             443                     my  

    The result I'm looking for:

    IP Address          Port   Host Name            Store         Sites                           
    0.0.0.0             443     recruit.acme.com        my       Recruit


    Wednesday, March 18, 2015 12:35 AM
  • Cert is bound to the server and header is bound to IP and port.  Which is it that you want to do?


    ¯\_(ツ)_/¯

    Wednesday, March 18, 2015 1:03 AM
    Moderator
  • New-WebBinding -HostHeader hostheader -Name websitename -Protocol http(-Port 443 )

    HELP: https://technet.microsoft.com/en-us/library/hh867854.aspx?f=255&MSPPError=-2147217396


    ¯\_(ツ)_/¯

    Wednesday, March 18, 2015 1:06 AM
    Moderator
  • Use this to help understand how this works: https://technet.microsoft.com/en-us/library/hh867866.aspx


    ¯\_(ツ)_/¯

    Wednesday, March 18, 2015 1:08 AM
    Moderator
  • I finally figured it out.  Two points: the -Thumbprint parameter option was required for my scenario, and the "*" for the IPAddress was required. Here's the line of script to fix this:

    New-Item -Path "IIS:\SslBindings\*!443!recruitdev.smashfly.com" -Thumbprint $certificate -SSLFlags 1

    Thanks all,

    • Marked as answer by Timhenn Wednesday, March 18, 2015 10:16 PM
    Wednesday, March 18, 2015 10:16 PM
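
Added example, not part of the original thread: the accepted fix written out as a full script, with a stricter certificate selection than the `-like "*acme.com*"` subject match used earlier, which can return several thumbprints or an expired certificate. The site name and host name are placeholders, and the `Host` and `Port` property names read from the `IIS:\SslBindings` items are assumptions.

```powershell
# Added example; names below are placeholders, not values from a real server.
Import-Module WebAdministration

$siteName   = 'Recruit'               # assumed IIS site name
$hostHeader = 'recruitdev.acme.com'   # assumed host name
$port       = 443

# Select certificates that have a private key, are inside their validity
# window, and carry a DNS name (SAN/CN) covering the host header.
# DnsNameList is added by the PowerShell certificate provider (PS 3.0+).
$now = Get-Date
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.DnsNameList | Where-Object {
        $n = $_.Unicode
        # Exact match, or a wildcard that covers exactly one leading label.
        $n -eq $hostHeader -or
        ($n.StartsWith('*.') -and $hostHeader.Split('.', 2)[1] -eq $n.Substring(2))
    })
})
if ($candidates.Count -eq 0) { throw "No valid certificate covers $hostHeader" }

# If several certificates qualify, take the one that expires last.
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1

# Site binding: SslFlags 1 enables SNI, so the host name is part of the binding.
$existing = Get-WebBinding -Name $siteName -Protocol https -Port $port -HostHeader $hostHeader
if (-not $existing) {
    New-WebBinding -Name $siteName -Protocol https -Port $port `
                   -HostHeader $hostHeader -SslFlags 1
}

# Certificate binding, as in the accepted answer: "*" for the IP address and
# the thumbprint passed explicitly through -Thumbprint.
$sslPath = "IIS:\SslBindings\*!${port}!${hostHeader}"
$bound = Get-ChildItem IIS:\SslBindings |
    Where-Object { $_.Port -eq $port -and $_.Host -eq $hostHeader }
if (-not $bound) {
    New-Item -Path $sslPath -Thumbprint $cert.Thumbprint -SSLFlags 1 | Out-Null
}

# Verify: the entry should show the host name, the store and the site.
Get-ChildItem IIS:\SslBindings |
    Where-Object { $_.Port -eq $port -and $_.Host -eq $hostHeader } |
    Format-List *
"Bound certificate: $($cert.Thumbprint), expires $($cert.NotAfter)"
```

Run it from an elevated PowerShell session on the IIS 8 server; the final listing should match the "result I'm looking for" table from the question, with the host name and site populated.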
  • Hi Tim,

    Thanks for sharing the solution =)



    Thursday, March 19, 2015 1:16 AM
    Moderator