How to Configure an SSL Certificate on IIS with PowerShell?
Steps to Configure SSL on IIS with PowerShell
Below are the steps to configure SSL on IIS using PowerShell:
1. Create a Self-signed Certificate
A self-signed certificate is a digital certificate that is not associated with any certificate authority (CA).
Self-signed certificates are typically used for validation purposes or for internal organizational functions that cannot justify the cost or complexity of procuring certificates from a CA.
Below is a detailed explanation of how to create a self-signed certificate using PowerShell:
Step 1: Open PowerShell
Make sure you are using a local administrator account and that the PowerShell window is opened with administrator rights.
Step 2: Invoke New-SelfSignedCertificate Cmdlet
The command New-SelfSignedCertificate will be used to generate self-signed certificates.
$Cert = New-SelfSignedCertificate `
-DnsName "<Server FQDN>" `
-CertStoreLocation cert:\LocalMachine\My `
-KeyLength 2048 `
-NotAfter (Get-Date).AddYears(1)
Here’s a breakdown of the parameters used:
- DnsName “<Server FQDN>”: Specifies the fully qualified domain name (FQDN) that the certificate is issued for. Replace <Server FQDN> with the exact FQDN of your server.
- CertStoreLocation cert:\LocalMachine\My: Defines the certificate store in which the certificate will be placed. In this case, it is the personal certificate store (My) of the local machine.
- KeyLength 2048: Sets the length of the key pair to be generated. Here a 2048-bit key is used, which is the standard setting for most current protection schemes.
- NotAfter (Get-Date).AddYears(1): Sets the date after which the certificate is no longer valid. Here, (Get-Date).AddYears(1) makes the certificate lapse one year from the current date. Adjust the expiration date if needed.
Step 3: Certificate Generation
After you execute the command, PowerShell creates a self-signed certificate according to the supplied parameters. The resulting certificate carries details such as thumbprint, subject, issuer and expiry date.
Step 4: Certificate Installation
The certificate is installed in the local machine's personal certificate store (My). You can confirm the installation by opening the Certificate Manager (certmgr.msc) and navigating to “Personal > Certificates”.
Step 5: Certificate Export (Optional)
To use the certificate elsewhere, you can export it from the store together with its private key as a .pfx file and use it wherever required.
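Steps 4 and 5 can also be done from the same PowerShell session. The following is an added example, not part of the original article; it assumes $Cert from Step 2 is still set, and the output path C:\Temp\server-selfsigned.pfx is a hypothetical location that must already exist.

```powershell
# Added example. Assumes $Cert from Step 2 is still in the session.
$PfxPath = 'C:\Temp\server-selfsigned.pfx'   # hypothetical path; the folder must exist

# Step 4: confirm the certificate is in LocalMachine\My and usable by IIS
$Stored = Get-Item -Path "Cert:\LocalMachine\My\$($Cert.Thumbprint)" -ErrorAction Stop
if (-not $Stored.HasPrivateKey) { throw 'Certificate has no private key; IIS cannot serve it.' }
if ($Stored.NotAfter -le (Get-Date)) { throw "Certificate expired on $($Stored.NotAfter)." }
$Stored | Format-List Thumbprint, Subject, Issuer, NotAfter,
    @{ Name = 'DnsNames'; Expression = { $_.DnsNameList.Unicode -join ', ' } }

# Step 5: export the certificate and private key, protected by a password that
# is prompted for instead of being written into the script
$PfxPassword = Read-Host -Prompt 'Password for the .pfx file' -AsSecureString
Export-PfxCertificate -Cert $Stored -FilePath $PfxPath -Password $PfxPassword | Out-Null

# Read the file back and check that it holds the same certificate
$Pfx = Get-PfxData -FilePath $PfxPath -Password $PfxPassword
if ($Pfx.EndEntityCertificates[0].Thumbprint -ne $Stored.Thumbprint) {
    throw 'Exported .pfx does not contain the expected certificate.'
}
"Exported $($Stored.Thumbprint) to $PfxPath"
```

The .pfx file contains the private key, so keep it in a location with restricted access and delete it once it has been imported where it is needed.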
2. Create an SSL Binding
Step 1: Use New-WebBinding Cmdlet
Create the new HTTPS binding with the New-WebBinding cmdlet. It lets you specify the website or web application, the HTTPS protocol and the port; port 443 is commonly used for HTTPS.
Import-Module WebAdministration
New-WebBinding `
-Name "Default Web Site" `
-Protocol https `
-Port 443
In this example:
- Name “Default Web Site”: The name of the website or web application on which SSL is to be enabled. Replace “Default Web Site” with the name of your website or app.
- Protocol https: Specifies the protocol of the binding, which is HTTPS in this instance.
- Port 443: Sets the port number of the HTTPS binding. Port 443 is the conventional port for HTTPS (SSL/TLS) traffic.
Step 2: Binding Creation
After that, PowerShell creates the HTTPS binding on the requested website or web application. With this binding in place, the site can serve HTTPS using the SSL certificate associated with the binding on the server.
Step 3: Verify Binding
You can confirm that the SSL binding has been created by opening IIS Manager and viewing the bindings for the named website or web application. An https binding on port 443 should be listed.
Step 4: Optional – Assign Certificate
If you want to assign a particular SSL certificate to the binding, you can do so with PowerShell. This involves retrieving the certificate and binding it to HTTPS.
3. Assign the Certificate to SSL Binding
Assigning a certificate to an SSL binding in Internet Information Services (IIS) associates an SSL certificate with the HTTPS binding of a website or web application.
This is how the server knows which certificate to present when clients connect securely over HTTPS.
Below is a detailed explanation of how to assign a certificate to an SSL binding using PowerShell:
Step 1: Retrieve the SSL Certificate
Before assigning the certificate to the SSL binding, retrieve the SSL certificate object.
This can be done in two ways: by getting the certificate from the certificate store with PowerShell, or by using an existing certificate object.
Step 2: Use New-Item Cmdlet
Use the New-Item cmdlet to declare that the certificate should be used by the SSL binding. The path passed to New-Item identifies the location of the SSL binding in the IIS configuration.
$Cert | New-Item `
-path IIS:\SslBindings\0.0.0.0!443
In this example:
- $Cert is the variable holding the SSL certificate object that will be assigned to the SSL binding.
- New-Item is the cmdlet used to create a new item in the web server configuration. The -path parameter specifies the location of the SSL binding, which is IIS:\SslBindings\0.0.0.0!443.
- 0.0.0.0!443 is the IP address and port of the HTTPS binding. Change it to your IP address or port number, as required.
Step 3: Binding Assignment
After the command runs, PowerShell will have bound the specified SSL certificate to the SSL binding. The server will then present this certificate to clients that connect over HTTPS to the specified IP address and port.
Step 4: Verify Assignment
You can confirm that the SSL certificate has been assigned to the SSL binding by viewing the SSL bindings configuration in IIS Manager. Check that the certificate you assigned through PowerShell is the one applied to the right HTTPS binding.
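The four steps of this section can be combined into one script that retrieves the certificate from the store, assigns it only when the binding is free, and then reads the assignment back. This is an added example, not part of the original article; it assumes $Cert from section 1 is still set (otherwise put a known thumbprint in $Thumbprint) and that the site is “Default Web Site” as in section 2.

```powershell
# Added example. Variable names below are chosen for illustration.
Import-Module WebAdministration              # provides the IIS:\ drive

$SiteName   = 'Default Web Site'             # site used in section 2
$Thumbprint = $Cert.Thumbprint               # or a known thumbprint string
$BindPath   = 'IIS:\SslBindings\0.0.0.0!443' # 0.0.0.0 = all IP addresses, port 443

# Step 1: retrieve the certificate object from the LocalMachine\My store
$StoreCert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $StoreCert.HasPrivateKey) { throw 'Certificate has no private key.' }
if ($StoreCert.NotAfter -le (Get-Date)) { throw 'Certificate has expired.' }

# The https binding from section 2 must exist on the site
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    throw "Site '$SiteName' has no https binding on port 443."
}

# Step 2: assign the certificate, unless a certificate is already assigned
if (-not (Test-Path -Path $BindPath)) {
    $StoreCert | New-Item -Path $BindPath | Out-Null
}

# Steps 3 and 4: read the assignment back and compare thumbprints
$Assigned = Get-Item -Path $BindPath
if ($Assigned.Thumbprint -ne $StoreCert.Thumbprint) {
    throw "0.0.0.0!443 is using a different certificate: $($Assigned.Thumbprint)"
}
$Assigned | Select-Object IPAddress, Port, Store, Thumbprint
```

If the script stops because a different certificate is already assigned, review that assignment in IIS Manager before changing it, since other sites on the same IP address and port may depend on it.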
4. Testing the Default Site using HTTPS
First, check the default site over HTTPS to make sure that the SSL binding is applied properly and that clients can reach the website or web application securely.
To start, open a browser on a device connected to the same network as the server that hosts the default site. In the address bar, type the HTTPS URL for the default site: https:// followed by the fully qualified domain name (FQDN) of the server.
https://<Server FQDN>
When you access the site, the browser will try to establish a secure connection using the SSL certificate that was bound.
Check that no security warnings or errors appear when the default page loads and that the padlock icon in the address bar indicates a secure connection.
Likewise, view the SSL certificate details in the browser to ensure that the correct certificate is used for the HTTPS connection to the domain. Repeat the test on different devices or browsers as needed to confirm consistent behaviour.
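The same check can be scripted from a client machine by opening a TLS connection and comparing the certificate the server presents with the one that was bound. This is an added example, not part of the original article; <Server FQDN> is the article's placeholder, $Expected assumes $Cert from section 1 is available (otherwise use the known thumbprint), and TLS 1.2 is assumed to be enabled on the server.

```powershell
# Added example. Replace the placeholder before running.
$Fqdn     = '<Server FQDN>'      # placeholder from the article
$Expected = $Cert.Thumbprint     # thumbprint of the certificate that was bound

# The callback accepts any certificate so that it can be inspected below;
# it is used for this diagnostic connection only, and no data is sent.
$AcceptForInspection = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

$Tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 443)
try {
    $Ssl = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false, $AcceptForInspection)
    $Ssl.AuthenticateAsClient($Fqdn, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)

    $Served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $Ssl.RemoteCertificate)

    [pscustomobject]@{
        Protocol             = $Ssl.SslProtocol
        Subject              = $Served.Subject
        Thumbprint           = $Served.Thumbprint
        MatchesExpected      = ($Served.Thumbprint -eq $Expected)
        NotAfter             = $Served.NotAfter
        TrustedByThisMachine = $Served.Verify()   # chain check against local trust stores
    }
}
finally {
    if ($Ssl) { $Ssl.Dispose() }
    $Tcp.Dispose()
}
```

TrustedByThisMachine is False for a self-signed certificate unless that certificate has been added to the client's trusted root store, which is the same condition under which a browser shows a certificate warning.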