Use PowerShell to install SSL certificate on IIS

Importing PFX SSL certificate to IIS with PowerShell script

Since Google announced HTTPS as a ranking signal, most websites nowadays are switching to secured communication via SSL certificates. I also switched my website to an HTTPS secured connection to follow this new trend.

Using a certificate on a website involves a domain binding, but before we set up the domain binding for the website, we need to import the certificate into IIS. This can easily be done with the PowerShell cmdlet Import-PfxCertificate.

Note

The Import-PfxCertificate cmdlet is available starting from PowerShell 4. In case you have an older PowerShell version installed, please consider upgrading your PowerShell version: https://www.microsoft.com/en-us/download/details.aspx?id=40855

Installing SSL certificate to IIS

In case you have your certificate in a format other than PFX/PKCS12, you can follow the instructions from the article Exporting SSL certificate to PFX format for using on IIS or Azure and get your SSL certificate in PFX/PKCS12 format.

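# Path to the PFX file and its password (sample values)
$certPath = "c:\temp\my-domain.com.pfx"
$certPass = "pass123"

# Load the PFX. MachineKeySet stores the private key in the machine key store,
# which the LocalMachine certificate store and the IIS worker process can read.
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$pfx.Import($certPath,$certPass,"Exportable,PersistKeySet,MachineKeySet")

# Add the certificate to the LocalMachine\WebHosting store
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("WebHosting","LocalMachine")
$store.Open("ReadWrite")
$store.Add($pfx)
$store.Close()

# Keep the thumbprint for the HTTPS binding
$certThumbprint = $pfx.Thumbprint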

After running this PowerShell script, you will have the SSL certificate installed and ready to use. You can open Internet Information Services (IIS) Manager, open the Server Certificates section, and you should see the certificate listed.

Now that we have the SSL certificate installed on IIS, we need to set up the binding for the website on IIS.

Setting up HTTPS binding to use SSL certificate

In the script above you can see that we have the $certThumbprint variable, which we need for setting up the HTTPS binding. Depending on whether we use the certificate import snippet as part of our final script or execute it separately, we either already have this variable or we fetch it afterwards.

# Read the certificates in the WebHosting store and take the thumbprint of the first one
$thumbprints = Get-ChildItem -path cert:\LocalMachine\WebHosting
$certThumbprint = $thumbprints[0].Thumbprint

Since we need to set up the website and a binding for it in order to use the SSL certificate over HTTPS, we can reuse the PowerShell script from the article Setting up IIS ASP.NET WebApplication using PowerShell, which handles both website setup and bindings, and make some slight modifications to include an HTTPS binding with the SSL certificate.

Import-Module WebAdministration

$iisAppPoolName = "temp"
$iisAppPoolDotNetVersion = "v4.0"

$iisWebsiteFolderPath = "C:\temp"
$iisWebsiteName = "temp"

# Certificates previously imported to the WebHosting store
$thumbprints = Get-ChildItem -path cert:\LocalMachine\WebHosting

# Two HTTP bindings plus the HTTPS binding that will carry the certificate
$iisWebsiteBindings = @(
   @{protocol="http";bindingInformation="*:80:temp1.com"},
   @{protocol="http";bindingInformation="*:80:temp2.com"},
   @{protocol="https";bindingInformation="*:443:my-domain.com";hostHeader="my-domain.com";SSLFlags=1}
)

# Create the application pool if it does not exist yet
if (!(Test-Path IIS:\AppPools\$iisAppPoolName -pathType container))
{
    New-Item IIS:\AppPools\$iisAppPoolName
    Set-ItemProperty IIS:\AppPools\$iisAppPoolName -name "managedRuntimeVersion" -value $iisAppPoolDotNetVersion
}

# Create the website if it does not exist yet and attach the certificate to its HTTPS binding
if (!(Test-Path IIS:\Sites\$iisWebsiteName -pathType container))
{
    New-Item IIS:\Sites\$iisWebsiteName -bindings $iisWebsiteBindings -physicalPath $iisWebsiteFolderPath
    Set-ItemProperty IIS:\Sites\$iisWebsiteName -name applicationPool -value $iisAppPoolName
    (Get-WebBinding -Name $iisWebsiteName -Port 443 -Protocol "https").AddSslCertificate($thumbprints[0].Thumbprint, "WebHosting")
}

You can see that there is one more binding added to the array of bindings, and that after the website is created the script finds that binding (based on protocol and port) and assigns the certificate to it.
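The following is an added example, not part of the original scripts: the same import and binding done with the Import-PfxCertificate cmdlet mentioned at the start, with the PFX password prompted as a SecureString instead of stored in the script, the private key left non-exportable, and the binding made by the thumbprint of the certificate just imported rather than the first item in the store. The path, site name and host name are the article's sample values, and the website with its HTTPS binding is assumed to exist already.

```powershell
# Added example. Sample values below come from the article's scripts.
Import-Module WebAdministration

$certPath  = 'C:\temp\my-domain.com.pfx'
$siteName  = 'temp'
$hostName  = 'my-domain.com'
$storeName = 'WebHosting'

# Prompt for the PFX password so it never lands in the script file,
# source control or a deployment log.
$certPass = Read-Host -Prompt "Password for $certPath" -AsSecureString

# Import into LocalMachine\WebHosting. Without -Exportable the private key
# is marked non-exportable, so it cannot be copied off the server through
# the certificate store later.
$cert = Import-PfxCertificate -FilePath $certPath `
    -CertStoreLocation "Cert:\LocalMachine\$storeName" `
    -Password $certPass

# Refuse to bind a certificate that cannot serve TLS.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without a private key."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}

# Select the exact binding (site, port, protocol and host header) and attach
# the certificate by the thumbprint returned from the import, so another
# certificate in the same store can never be bound by accident.
$binding = Get-WebBinding -Name $siteName -Port 443 -Protocol 'https' -HostHeader $hostName
if ($null -eq $binding) {
    throw "Site '$siteName' has no HTTPS binding for $hostName on port 443."
}
$binding.AddSslCertificate($cert.Thumbprint, $storeName)

# Show what was bound, for the deployment record.
$cert | Select-Object Subject, Thumbprint, NotAfter
```

The PFX file itself still contains the private key, so it should not stay in a shared folder such as C:\temp once the import has succeeded.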

Disclaimer

Purpose of the code contained in snippets or available for download in this article is solely for learning and demo purposes. Author will not be held responsible for any failure or damages caused due to any other usage.


About the author

DEJAN STOJANOVIC

Dejan is a passionate Software Architect/Developer. He is highly experienced in the .NET programming platform, including ASP.NET MVC and WebApi. He likes working on new technologies and exciting, challenging projects.
