How to update an IIS SSL certificate for an existing website using command line and PowerShell

If you need to install a new certificate on a web server that has no GUI (Server Core), you will need to update the current SSL certificate via the command line and PowerShell. There are most likely more ways to do this than this method, but I find this one works well for me.

1. First, if you need a new certificate, you need a new CSR. You DO NOT have to create the CSR on the server that will use the certificate. Use ANY IIS server to create and complete a new certificate request, but create and complete it on the same server, because that is where the private key is generated and kept. Ensure you use a 2048-bit (or larger) RSA key.

2. Purchase a certificate from a trusted certificate authority. I prefer

3. Once you have your certificate it will be downloadable as a ZIP file containing .cer files. A .cer file holds only the public certificate, not the private key, so on its own it cannot be moved to the Server Core box; the certificate has to be paired with its key on the GUI IIS server that generated the CSR and then exported as a .pfx, the format that can carry the private key with it. Extract the certificates and, in IIS, complete the certificate request and select the certificate that's named - You should store the certificate in the "Web Hosting" store if prompted (it appears as Cert:\LocalMachine\WebHosting in PowerShell).

4. Next, the certificate is installed, but on the wrong server, so we need to export it. Run MMC.exe, File, Add/Remove Snap-ins, add the Certificates snap-in and select Computer account. Find the imported certificate under Web Hosting.

5. Export the certificate: right-click, All Tasks, Export. Choose "Yes, export the private key" and the .PFX format (if that option is greyed out, the key was created non-exportable and you will need a new request). You will be required to set a password on the file to protect the private key; use a strong one, because anyone holding the .pfx and the password can impersonate the site. Save the certificate, copy it to your IIS server (which has no GUI, i.e. Server Core) over a secure channel, and delete the .pfx from both machines once it has been imported.

6. Next we need to install the certificate with PowerShell.

PS C:\>$mypwd = Get-Credential -UserName 'Enter password below' -Message 'Enter password below'

PS C:\>Import-PfxCertificate -FilePath C:\mypfx.pfx -CertStoreLocation Cert:\LocalMachine\WebHosting -Password $mypwd.Password

7. Next we need to update the certificate on the existing binding:

We'll need to know the thumbprint of the certificate and the AppID of the website. I like to change to PowerShell in Core, because it's good for parsing results in a readable format. Run PowerShell.exe, change to the certificate store and list it:

PS C:\>cd Cert:\LocalMachine\WebHosting

PS Cert:\LocalMachine\WebHosting\>dir | fl

You should be able to identify the certificate you have installed (check the Subject and NotAfter fields). Grab the Thumbprint: it is upper-case hex with no spaces, which is the form netsh expects.

8. Next we need the AppID - Run:

netsh http show sslcert

Find the entry for the website whose SSL certificate you want to replace and note its IP:port, its Application ID (the AppID) and the current Certificate Hash, which should match the old certificate's thumbprint. If the binding uses SNI, the entry is listed by Hostname:port instead and you use hostnameport= rather than ipport= below.

9. Next we use the AppID and Thumbprint to use the new certificate with the website. Note: you need to EXIT from PowerShell before running this command and run it in CMD, because PowerShell parses the {GUID} in appid= as a script block and netsh then reports that the parameter is incorrect (in PowerShell you can instead quote that argument, "appid={...}", or place --% before the arguments):

netsh http update sslcert ipport=0.0.0.0:443 certhash=C4FA12345678923618B90972707121345678988811 appid={4ab64e81-e14b-4a21-b022-59fc66abcd64} certstorename=WebHosting

ipport is the IP:port value from the show sslcert output (0.0.0.0:443 is the default all-addresses HTTPS binding) and identifies which binding to update; certhash is the new thumbprint with any spaces removed. Run netsh http show sslcert again afterwards and confirm the Certificate Hash has changed.

10. - DONE! 
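Steps 6 to 9 above as one PowerShell script, with the checks that are easy to skip when typing them by hand. This is an added example, not code from the original notes. Assumptions not in the original: the PFX is at C:\mypfx.pfx, the site's HTTPS binding is 0.0.0.0:443, and netsh prints English output (the field labels are parsed as text).

```powershell
# Added example (not from the original page): import the PFX, reuse the existing
# binding's AppID, swap the certificate on the HTTP.sys binding and verify it.
# Assumptions (not in the original): PFX path, 0.0.0.0:443 binding, English netsh output.
$PfxPath   = 'C:\mypfx.pfx'
$IpPort    = '0.0.0.0:443'
$StoreName = 'WebHosting'                 # Cert:\LocalMachine\WebHosting, "Web Hosting" in MMC

# 1. Import the PFX; prompt for the password rather than leaving it in the command history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation "Cert:\LocalMachine\$StoreName" -Password $pfxPassword
$newHash = $cert.Thumbprint               # upper-case hex, no spaces: exactly what netsh wants

# 2. Refuse to bind a certificate that cannot actually serve TLS.
if (-not $cert.HasPrivateKey) { throw "Certificate $newHash has no private key; re-export the PFX with 'Yes, export the private key'." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $newHash expired on $($cert.NotAfter)." }

# 3. Read the current binding so the AppID is reused, not guessed.
function Get-SslCertField {
    # Pull one "Label : value" field out of 'netsh http show sslcert' output.
    param([string[]]$NetshOutput, [string]$Label)
    $m = $NetshOutput | Select-String -Pattern "^\s*$Label\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value }
}
$binding = netsh http show sslcert ipport=$IpPort
$oldHash = Get-SslCertField $binding 'Certificate Hash'
$appId   = Get-SslCertField $binding 'Application ID'
if (-not $appId) { throw "No SSL binding on $IpPort; add one with 'netsh http add sslcert' instead." }
"Replacing $oldHash with $newHash on $IpPort (AppID $appId)"

# 4. Update the binding. Quoting the appid argument stops PowerShell from reading
#    {GUID} as a script block, which is why the notes above drop to cmd.exe.
netsh http update sslcert ipport=$IpPort certhash=$newHash "appid=$appId" certstorename=$StoreName
if ($LASTEXITCODE -ne 0) { throw "netsh http update sslcert failed (exit code $LASTEXITCODE)." }

# 5. Verify HTTP.sys now references the new certificate, then remove the PFX:
#    it contains the private key and has no further use on this server.
$after = netsh http show sslcert ipport=$IpPort
if (-not ($after | Select-String -SimpleMatch $newHash)) { throw "Binding on $IpPort still does not use $newHash." }
Remove-Item $PfxPath
"Done: $IpPort now serves $($cert.Subject) ($newHash), expires $($cert.NotAfter)."
```

Import-PfxCertificate leaves the key non-exportable unless you pass -Exportable, which is what you want on a production web server: the PFX you copied over is the only portable copy, and the script deletes it once the binding is confirmed.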

DNS | TLSA Records to ensure the validity of SSL certificates

TLSA records (DANE, RFC 6698) add an additional layer of checking on top of the CA system for server certificates. The record is placed in DNS and carries a hash (or the full bytes) of the certificate or of its public key; a client that supports it looks the record up, hashes the certificate the server presented in the TLS handshake in the same way, and only accepts the connection if the two match, so the domain owner has "agreed" in DNS that this is the right certificate. This protects against a certificate being wrongly issued for the domain by a CA the client trusts, because a mis-issued certificate will not match the hash the domain owner published. It does not help if the genuine certificate and its private key are stolen, because that certificate still matches the record.

#Add a TLSA DNS Record (Server 2016 DNS; run on the DNS server)
Add-DnsServerResourceRecord -TLSA -ZoneName <zone> -Name _443._tcp.www -CertificateUsage DomainIssuedCertificate -Selector SubjectPublicKeyInfo -MatchType Sha256Hash -CertificateAssociationData 2a8f2d8af0eb123898f74c866ac3fa669054e23c17bc7a95bd0234192dc635d0

Where <zone> is the DNS zone the record belongs in. This is a "3 1 1" record: DomainIssuedCertificate (usage 3) pins the end-entity certificate itself rather than a CA, SubjectPublicKeyInfo (selector 1) hashes the public key rather than the whole certificate, so the record survives a renewal that keeps the same key, and Sha256Hash (matching type 1) is the SHA-256 of that data. The owner name _443._tcp.www ties the record to the HTTPS service on www.

This record combined with DNSSEC provides a robust defence against man-in-the-middle attacks; without DNSSEC an attacker who can spoof DNS can simply replace the TLSA record as well. Because DNSSEC and a provider that offers TLSA are both needed, it's going to be a premium service if used on the internet. It does come with Server 2016 for internal use on the corporate infrastructure.
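How the CertificateAssociationData value in the command above is derived, as an added example that is not part of the original page: it walks the certificate's DER to the SubjectPublicKeyInfo, hashes it with SHA-256 and emits both the Add-DnsServerResourceRecord command and the zone-file form of a "3 1 1" record. The DER walk is done by hand because Windows PowerShell 5.1 on .NET Framework has no ExportSubjectPublicKeyInfo(); on PowerShell 7 the result is cross-checked against that method. The self-signed certificate it generates is constructed input so the script runs offline (it needs .NET Framework 4.7.2 or newer for CertificateRequest); example.com and www.example.com are assumptions.

```powershell
# Added example (not from the original page): compute TLSA 3 1 1 data from a certificate.
# Assumptions: zone example.com, host www; the certificate below is a constructed stand-in.

function Get-DerElement {
    # Return start/end bookkeeping for the DER TLV beginning at $Offset.
    param([byte[]]$Bytes, [int]$Offset)
    $tag = $Bytes[$Offset]
    $len = [int]$Bytes[$Offset + 1]
    $hdr = 2
    if ($len -ge 0x80) {                       # long form: low 7 bits = number of length bytes
        $n = $len -band 0x7F
        $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor [int]$Bytes[$Offset + 2 + $i] }
        $hdr = 2 + $n
    }
    [pscustomobject]@{ Tag = $tag; Start = $Offset; ContentStart = $Offset + $hdr; End = $Offset + $hdr + $len }
}

function Get-SubjectPublicKeyInfo {
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version, serialNumber,
    #   signature, issuer, validity, subject, subjectPublicKeyInfo, ... }, ... }
    param([byte[]]$CertDer)
    $outer = Get-DerElement $CertDer 0
    $tbs   = Get-DerElement $CertDer $outer.ContentStart
    $pos   = $tbs.ContentStart
    $el    = Get-DerElement $CertDer $pos
    if ($el.Tag -eq 0xA0) { $pos = $el.End }   # explicit [0] version, present in v3 certificates
    foreach ($field in 'serialNumber', 'signature', 'issuer', 'validity', 'subject') {
        $el  = Get-DerElement $CertDer $pos
        $pos = $el.End
    }
    $spki = Get-DerElement $CertDer $pos
    [byte[]]$CertDer[$spki.Start..($spki.End - 1)]  # the whole SPKI TLV, as RFC 6698 requires
}

function Get-TlsaRecord {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ZoneName,
        [string]$HostLabel = 'www',
        [int]$Port = 443
    )
    $spki = Get-SubjectPublicKeyInfo $Certificate.RawData
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($spki)
    $hex  = -join ($hash | ForEach-Object { $_.ToString('x2') })
    $name = "_$Port._tcp.$HostLabel"
    [pscustomobject]@{
        Name       = $name
        Data       = $hex
        ZoneFile   = "$name.$ZoneName. IN TLSA 3 1 1 $hex"
        PowerShell = "Add-DnsServerResourceRecord -TLSA -ZoneName '$ZoneName' -Name '$name' " +
                     "-CertificateUsage DomainIssuedCertificate -Selector SubjectPublicKeyInfo " +
                     "-MatchType Sha256Hash -CertificateAssociationData $hex"
    }
}

# Constructed input: a throwaway self-signed certificate so this runs offline. For a real
# record use: New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\www.cer'
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
           'CN=www.example.com', $rsa,
           [System.Security.Cryptography.HashAlgorithmName]::SHA256,
           [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$cert = $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddYears(1))

$record = Get-TlsaRecord -Certificate $cert -ZoneName 'example.com'
$record.ZoneFile
$record.PowerShell

# Cross-check where the runtime can export the SPKI itself (PowerShell 7 / .NET Core 3+).
if ($rsa.PSObject.Methods.Name -contains 'ExportSubjectPublicKeyInfo') {
    $ref = [System.Security.Cryptography.SHA256]::Create().ComputeHash($rsa.ExportSubjectPublicKeyInfo())
    if ((-join ($ref | ForEach-Object { $_.ToString('x2') })) -ne $record.Data) { throw 'SPKI parse mismatch' }
}
```

After adding the record, check what resolvers will actually see with Resolve-DnsName -Name _443._tcp.www.example.com -Type TLSA and compare the data against the value computed here; publish the new record before you switch the web server to a certificate with a new key, and remove the old one afterwards, otherwise DANE-aware clients will reject the site during the change-over.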

Setting up SSL on hMailServer

1. Download and install OpenSSL. Download Here

2. Create a Key - Open an elevated CMD prompt and change directory to where you installed OpenSSL. Once here execute the OpenSSL.exe

Run: >openssl genrsa -out <host>.key 2048

Use 2048 bits; 1024-bit RSA keys are rejected by modern clients. The key file is written unencrypted, so keep it readable only by administrators.

Where <host> is your mail servers name.

3. Certificate Request - Next we need to create the certificate request:

>openssl req -new -nodes -key <host>.key -out <host>.csr

Where <host> is your mail servers name.

If this fails, try this. My OpenSSL was installed in C:\OpenSSL\OpenSSL-Win64

SET OPENSSL_CONF=c:\OpenSSL\OpenSSL-Win64\bin\openssl.cfg

4. Create a self signed certificate:

>openssl x509 -req -days 1024 -in <host>.csr -signkey <host>.key -out <host>.cert

Where <host> is your mail servers name.


5. Configuring hMailServer With Your New SSL Certificate

Bring up the hMailServer Administrator UI and add an SSL certificate. The files to use are in the same folder the OpenSSL.exe command was run from: <host>.cert for the certificate and <host>.key for the private key.

(Screenshot: Add SSL certificate)

Next create new TCP/IP ports which use SSL for each protocol you are interested in testing.

(Screenshot: Add TCP/IP ports and protocols)

The port numbers for IMAP (993) and POP3 (995) are the default secure ports for these two protocols. I will be disabling 110 and 143 and 25 to allow only encrypted mail. Each change will restart hMailServer. Bear in mind that 25 is also the port other mail servers deliver inbound mail on (normally upgrading the session with STARTTLS), so closing it stops inbound internet mail; 465 is the encrypted SMTP port for clients.

When configuring the email account on the clients, you will get a certificate warning as the certificate is self-signed. You know you can trust this because you created it, and you can verify the certificate by viewing its details: you will see all of the information you populated when creating the certificate in OpenSSL, and the thumbprint should match the <host>.cert file you generated.

To prevent this from popping up every time a client connects, INSTALL the certificate on your client machines (in the Trusted Root Certification Authorities store, since it is its own issuer).
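Checking which certificate the mail server really presents on each port, as an added example that is not part of the original page: it connects to a port, completes the TLS handshake while accepting any certificate, then reports the subject, issuer, thumbprint, expiry and whether the local machine trusts the chain, so the "certificate warning" step can be checked by thumbprint rather than by eye. It handles both implicit TLS (993, 995, 465) and SMTP STARTTLS on 25 or 587. The host name mail.example.com and the pinned thumbprint in the usage lines are assumptions.

```powershell
# Added example (not from the original page): report the TLS certificate a mail server
# presents, for implicit-TLS ports and for SMTP STARTTLS. mail.example.com is an assumption.

function Read-SmtpReply {
    # Read one SMTP reply (possibly multi-line, "250-...") byte by byte so nothing is
    # buffered past the point where TLS takes over the same stream.
    param([System.IO.Stream]$Stream)
    $lines = @()
    do {
        $sb = New-Object System.Text.StringBuilder
        while (($b = $Stream.ReadByte()) -ne 10) {
            if ($b -lt 0) { throw 'Connection closed by server' }
            if ($b -ne 13) { [void]$sb.Append([char]$b) }
        }
        $line = $sb.ToString()
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ,$lines
}

function Send-SmtpLine {
    param([System.IO.Stream]$Stream, [string]$Text)
    $bytes = [System.Text.Encoding]::ASCII.GetBytes("$Text`r`n")
    $Stream.Write($bytes, 0, $bytes.Length)
}

function Test-MailTls {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [switch]$StartTls,            # use for SMTP on 25/587; leave off for 465/993/995
        [string]$ExpectedThumbprint   # optional pin: the thumbprint of the <host>.cert you generated
    )
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $stream = $client.GetStream()
        if ($StartTls) {
            $null = Read-SmtpReply $stream                       # 220 greeting
            Send-SmtpLine $stream 'EHLO tlscheck.local'
            $ehlo = Read-SmtpReply $stream
            if (-not ($ehlo -match 'STARTTLS')) { throw "${ComputerName}:$Port does not advertise STARTTLS" }
            Send-SmtpLine $stream 'STARTTLS'
            $reply = Read-SmtpReply $stream
            if ($reply[-1] -notmatch '^220') { throw "STARTTLS refused: $($reply -join ' ')" }
        }
        # Accept any certificate in the callback; trust is evaluated explicitly below so a
        # self-signed certificate can be inspected instead of just failing the handshake.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)                           # False with UntrustedRoot for a self-signed cert
        $pin = $null
        if ($ExpectedThumbprint) { $pin = ($cert.Thumbprint -eq ($ExpectedThumbprint -replace '[\s:]', '')) }
        [pscustomobject]@{
            Endpoint     = "${ComputerName}:$Port"
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            ChainTrusted = $trusted
            ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            PinMatches   = $pin
        }
    }
    finally { $client.Close() }
}

# Usage (assumed host name and thumbprint); compare Thumbprint with your <host>.cert before trusting it:
Test-MailTls -ComputerName mail.example.com -Port 993
Test-MailTls -ComputerName mail.example.com -Port 25 -StartTls -ExpectedThumbprint 'C4FA12345678923618B90972707121345678988811'
```

Run it once before and once after installing the certificate on a client: ChainTrusted should flip from False (UntrustedRoot) to True, and PinMatches should be True on every port, which catches the case where a port was created with a different or stale certificate in the hMailServer UI.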

PKI Setup (Offline Root CA)

Place CAPolicy.inf in the c:\Windows folder on the CA

Install the Root CA

Configure the Root CA:

Remove ALL of the default CRL locations BEFORE issuing any certificates: the defaults point at LDAP and at the root CA's own host name, which an offline root cannot serve, and every certificate the root issues carries the list for its whole lifetime. Leave only locations clients can reach (the web server below).

On the root CA run

certutil -setreg ca\ValidityPeriod "Years"

certutil -setreg ca\ValidityPeriodUnits "20"

and then restart the Certificate Services (CertSvc) service for the registry change to take effect. This sets how long the certificates the root issues (i.e. the Sub-CA certificate) are valid for.

Copy the files from the Root CA's c:\windows\system32\CertSrv\CertEnroll\ (the root CA certificate .crt and its CRL .crl) to the Sub-CA or web server, into c:\CertEnroll.

Give Cert Publishers Modify permissions on CertEnroll and Everyone Read, so the Sub-CA can publish its CRLs there while clients can only read.

Install the Sub-CA - place the CAPolicy.inf file in the C:\Windows folder on the Sub-CA first.

Import the request into the Root CA and issue the certificate. Then save it to a file and install it on the Sub-CA.

Start the CA service on the Sub-CA. Errors will show for the Sub-CA in the PKI hierarchy view (pkiview.msc) until its CRL and CA certificate locations are reachable.

Go to the Webserver

Run Cmd:

C:\windows\system32\inetsrv\Appcmd set config "Default Web Site" /section:system.webserver/Security/requestFiltering -allowDoubleEscaping:True

This is needed because delta CRL file names contain a "+" sign, which IIS request filtering rejects by default; without it clients get a 404 when fetching delta CRLs.

Cd \CertEnroll

certutil -f -DSPublish CA-Root.contoso.com_CAROOT.crt RootCA

This publishes the root CA certificate into Active Directory (the RootCA container), so domain members pick it up as a trusted root without the offline root ever being joined to the domain.

Finally configure DNS

If the domain ends in .local, an A record will need to be created to point to the web server, so that the HTTP CRL and AIA URLs in the issued certificates resolve.
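The root CA configuration above (remove the default CRL locations, set the validity period) done from PowerShell with the ADCSAdministration module on the root CA, as an added example that is not part of the original notes. Assumptions not in the notes: the web server that hosts c:\CertEnroll answers as http://pki.contoso.com, and the root publishes a yearly CRL with no delta CRLs (an offline root is only powered on occasionally, so a short CRL lifetime would expire before the next signing session).

```powershell
# Added example (not from the original notes): replace the default CRL/AIA locations on the
# offline root CA with one local publish path plus one HTTP location on the web server,
# then set validity and CRL periods. http://pki.contoso.com is an assumption.
Import-Module ADCSAdministration

$HttpBase = 'http://pki.contoso.com/CertEnroll'                # assumption: the web server's URL
$LocalDir = "$env:SystemRoot\System32\CertSrv\CertEnroll"      # where the CA writes its own files

# 1. CDP: drop every default location (LDAP, file:// and http://<CA host>/ entries that an
#    offline root cannot serve), then publish locally and reference only the web server.
#    %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix (empty when deltas are off).
Get-CACrlDistributionPoint | ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Add-CACrlDistributionPoint -Uri "$LocalDir\%3%8%9.crl" -PublishToServer -Force
Add-CACrlDistributionPoint -Uri "$HttpBase/%3%8%9.crl" -AddToCertificateCdp -Force

# 2. AIA: same idea. %1_%3%4.crt is the naming pattern behind CA-Root.contoso.com_CAROOT.crt.
Get-CAAuthorityInformationAccess | ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }
Add-CAAuthorityInformationAccess -Uri "$HttpBase/%1_%3%4.crt" -AddToCertificateAia -Force

# 3. Certificates issued by the root (the Sub-CA certificate) live 20 years, as in the notes;
#    the root's CRL lives a year and no delta CRLs are produced.
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\ValidityPeriodUnits 20
certutil -setreg CA\CRLPeriod "Years"
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriodUnits 0

# 4. Registry changes only apply after a service restart; publish a fresh CRL so the file
#    under CertEnroll already reflects the new settings before it is copied to the web server.
Restart-Service CertSvc
certutil -crl

# 5. Show what will be written into the next issued certificate.
Get-CACrlDistributionPoint | Format-Table Uri, PublishToServer, AddToCertificateCdp
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia
Get-ChildItem $LocalDir
```

After the Sub-CA certificate has been issued and the .crt and .crl copied to the web server, run certutil -verify -urlfetch against the Sub-CA certificate from a domain member: every CDP and AIA URL it prints should come back as Verified, which is the same check pkiview.msc does.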