How to Configure an SSL Certificate on IIS with PowerShell?


Steps to Configure SSL on IIS with PowerShell

Below are the steps to configure SSL on IIS using PowerShell:

1. Create a Self-signed Certificate

A self-signed certificate is a digital certificate that is not issued by any certificate authority (CA).


Self-signed certificates are typically used for validation purposes or for internal organizational functions that cannot justify the cost or complexity of procuring certificates from a CA.

Below is a detailed explanation of how to create a self-signed certificate using PowerShell:

Step 1: Open PowerShell

Sign in with a local administrator account and open the PowerShell window with administrator rights.

Step 2: Invoke New-SelfSignedCertificate Cmdlet

The New-SelfSignedCertificate cmdlet is used to generate self-signed certificates.

$Cert = New-SelfSignedCertificate `
            -DnsName "<Server FQDN>" `
            -CertStoreLocation cert:\LocalMachine\My `
            -KeyLength 2048 `
            -NotAfter (Get-Date).AddYears(1)

Here’s a breakdown of the parameters used:

  • DnsName “<Server FQDN>”: Sets the DNS name the certificate is issued for. Replace <Server FQDN> with the exact fully qualified domain name (FQDN) of your server.
  • CertStoreLocation cert:\LocalMachine\My: Defines the certificate store in which the certificate is stored. In this case it is the personal store (My) in the local machine's certificate store.
  • KeyLength 2048: Sets the length, in bits, of the key pair to generate. A 2048-bit key is used here, which is suitable for most current protection schemes.
  • NotAfter (Get-Date).AddYears(1): Limits how long the certificate is valid. Here the certificate expires one year from the current date. Adjust the expiration date if needed.

Step 3: Certificate Generation

After you execute the command, PowerShell creates a self-signed certificate according to the supplied parameters. The resulting certificate object carries data such as the thumbprint, subject, issuer and expiry date.

Step 4: Certificate Installation

The certificate is installed in the personal store (My) of the local machine. You can confirm the installation by opening the Certificate Manager (certmgr.msc) and navigating to “Personal > Certificates”.

Step 5: Certificate Export (Optional)

If the certificate is needed elsewhere, export it together with its private key as a .pfx file and use it wherever required.

2. Create an SSL Binding

Step 1: Use New-WebBinding Cmdlet

Create the new SSL web binding with the New-WebBinding cmdlet. This cmdlet lets you specify the website or web application, the HTTPS protocol, and the port; port 443 is commonly used for HTTPS.

New-WebBinding `
            -Name "Default Web Site" `
            -protocol https `
            -port 443

In this example:

  • Name “Default Web Site”: The name of the website or web application on which SSL is to be enabled. Replace “Default Web Site” with the name of your own website or app.
  • Protocol https: Sets the protocol of the binding, which is HTTPS in this case.
  • Port 443: Sets the port number for the HTTPS binding. Port 443 is the standard port for HTTPS.

Step 2: Binding Creation

PowerShell then creates the HTTPS binding on the specified website or web application. This binding is what lets the site accept HTTPS connections; the certificate it presents is assigned in section 3.

Step 3: Verify Binding

To confirm that the SSL binding has been created, open “IIS Manager” and go to the bindings of the named website or web app. An HTTPS binding on port 443 should be listed.

Step 4: Optional – Assign Certificate

If you want to assign a particular SSL certificate to the binding, you can do so with PowerShell. This involves retrieving the certificate and attaching it to the HTTPS binding.

3. Assign the Certificate to SSL Binding

Assigning a certificate to an SSL binding in Internet Information Services (IIS) associates an SSL certificate with the HTTPS binding of a website or web application.

It is how the server determines which certificate to present when clients connect securely over HTTPS.

Below is a detailed explanation of how to assign a certificate to an SSL binding using PowerShell:

Step 1: Retrieve the SSL Certificate

Before assigning the certificate to the SSL binding, retrieve the SSL certificate object.

This can be done in two ways: by obtaining the certificate from the certificate store with PowerShell, or by using an existing certificate object.

Step 2: Use New-Item Cmdlet

Use the New-Item cmdlet to declare that the certificate should be used by the SSL binding. The path passed to New-Item identifies where the SSL binding is stored in the IIS configuration.

$Cert | New-Item `
        -path IIS:\SslBindings\0.0.0.0!443

In this example:

  • $Cert is the variable that holds the SSL certificate object to be assigned to the SSL binding.
  • New-Item is the cmdlet used to create a new item in the web server configuration. The -path parameter specifies the location of the SSL binding, which is IIS:\SslBindings\0.0.0.0!443.
  • 0.0.0.0!443 identifies the HTTPS binding on all IP addresses, port 443. Change the IP address or the port number as required.

Step 3: Binding Assignment

After the command is run, PowerShell has bound the specified SSL certificate to the SSL binding. The server will then present this certificate to clients that connect over HTTPS to the specified IP address and port.

Step 4: Verify Assignment

You can confirm that the SSL certificate has been assigned to the SSL binding by viewing the SSL bindings configuration in IIS Manager. Check that the certificate you assigned through PowerShell is the one applied to the right HTTPS binding.

4. Testing the Default Site using HTTPS

The first recommended action is to test the default site over HTTPS to make sure that the SSL binding is applied properly and that clients can access the website or web application securely.

To start, open a browser on a device connected to the same network as the server that hosts the default site. In the address bar, type the HTTPS URL for the default site: https:// followed by the fully qualified domain name (FQDN) of the server.

https://<Server FQDN>

When the site is accessed, the browser attempts to establish a secure connection using the SSL certificate that was bound.

Check that no security warnings or errors appear when the default web page loads and that the padlock icon in the address bar indicates a secure connection. Because the certificate created in this walkthrough is self-signed, browsers show a trust warning unless the certificate has been added to the client's trusted root store.

Likewise, inspect the SSL certificate details in the browser to ensure that the correct certificate is used for the HTTPS connection to the domain. Repeat the test on different devices or browsers as often as necessary to confirm consistent behavior.
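
The verification steps in sections 2 to 4 can also be done from PowerShell instead of IIS Manager and a browser. The function below is an added example, not part of the original article: Test-IisSslBinding is a hypothetical helper name, and it assumes an elevated session on the IIS server with the WebAdministration module available.

```powershell
# Added example. Test-IisSslBinding is a hypothetical helper, not a built-in cmdlet.
Import-Module WebAdministration   # provides Get-WebBinding and the IIS:\ drive

function Test-IisSslBinding {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,   # e.g. $Cert.Thumbprint
        [string] $SiteName  = 'Default Web Site',
        [string] $IPAddress = '0.0.0.0',
        [int]    $Port      = 443,
        [string] $Fqdn                                  # optional: enables the live check
    )
    $now = Get-Date

    # 1. The certificate is in LocalMachine\My.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }

    # 2. The site has an https binding on the port.
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port

    # 3. The SSL binding entry exists and records a certificate thumbprint.
    $sslPath = "IIS:\SslBindings\$IPAddress!$Port"
    $bound   = if (Test-Path $sslPath) { (Get-Item $sslPath).Thumbprint }

    # 4. Optional: fetch the certificate the listener actually presents.
    $served = $null
    if ($Fqdn) {
        # The callback accepts any certificate so a self-signed one can be
        # retrieved; trust is decided by the thumbprint comparison below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $tcp = [System.Net.Sockets.TcpClient]::new($Fqdn, $Port)
        try {
            $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
            $ssl.AuthenticateAsClient($Fqdn)
            $served = $ssl.RemoteCertificate.GetCertHashString()
        } finally { $tcp.Dispose() }
    }

    [pscustomobject]@{
        CertInStore    = [bool]$cert
        HasPrivateKey  = [bool]($cert -and $cert.HasPrivateKey)
        WithinValidity = [bool]($cert -and $cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        HttpsBinding   = [bool]$binding
        BindingMatches = ($bound -eq $Thumbprint)
        ServedMatches  = if ($Fqdn) { $served -eq $Thumbprint } else { $null }
    }
}

# Usage: Test-IisSslBinding -Thumbprint $Cert.Thumbprint -Fqdn '<Server FQDN>'
```

Every property in the returned object should be True; a False in BindingMatches or ServedMatches means a different certificate is bound or served than the one created in section 1.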

Conclusion

CheapSSLWEB is aimed at ensuring the safety of online transactions as well as preventing the misuse of confidential data with our Low-Priced SSL Certificates.

Janki Mehta


Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.
