TechShizz | How to update an IIS SSL certificate for an existing website using command line and PowerShell

How to update an IIS SSL certificate for an existing website using command line and PowerShell

If you need to install a new certificate on a web server that does not have a GUI (Server Core), you will need to update the current SSL certificate via command line and powershell. There are most likely more ways to do this than this method, but I find this works well for me.

1. First, if you need a new certificate, you need a new CSR. You DO NOT have to create the CSR on the server that will use the certificate. Use ANY IIS server to create and complete a new certificate request. Ensure you use 2048 bit certificates.

2. Purchase a certificate from a trusted certificate authority. I prefer SSL2Buy.com.

3. Once you have your certificate it will be downloadable as a ZIP file. It will contain .cer files. In order to install the certificate (firstly onto our GUI IIS server) we need it to be in the .pfx format, as this format lets us store the certificate's private key within it. Extract the certificates, and in IIS, complete the certificate request and select the certificate that's named www.yourdomain.com.cer - You should store the certificate in the "WebHosting" section if prompted.

4. Next, the certificate is installed, but in the wrong server. So we need to export it. Run MMC.exe, File, Add/Remove Snapins / Add the Certificates snap in, select computer account. Find the imported certificate. 

5. Export the certificate, right click, All Tasks, Export. Select .PFX format. Ensure you tick the "Make Private Key Exportable". You will be required to set a password against the certificate to protect the private key. Save the Certificate and then copy it to your IIS server (which has no GUI i.e. server core). 

6. Next we need to install the certificate with PowerShell.

PS C:\>$mypwd = Get-Credential -UserName 'Enter password below' -Message 'Enter password below'

PS C:\>Import-PfxCertificate -FilePath C:\mypfx.pfx -CertStoreLocation Cert:\LocalMachine\WebHosting -Password $mypwd.Password

7. Next we need to update the certificate on the existing binding:

We'll need to know the thumbprint of the certificate and the AppID of the website. I like to change to powershell in core, because it's good for parsing results in a readable format. Run PowerShell.exe then navigate to:

PS Cert:\LocalMachine\WebHosting\>

Run

dir | fl

You should be able to identify the certificate you have installed. Grab the Thumbprint.

8. Next we need the AppID - Run:

netsh http show sslcert

Find the AppID for your website you want to replace the SSL certificate for.

9. Next we use the AppID and Thumbprint to use the new certificate with the website - Note You need to EXIT from PowerShell before running this command - run this in CMD:

netsh http update sslcert hostnameport=www.techshizz.com:443 certhash=C4FA12345678923618B90972707121345678988811 appid={4ab64e81-e14b-4a21-b022-59fc66abcd64} certstorename=WebHosting

10. - DONE! 

Add comment