使用PowerShell将IIS SSL证书分配给与主机标头绑定

Question

我正在尝试将证书分配给HTTPS绑定.不幸的是,我从PowerShell收到此错误:

new-item : Cannot create a file when that file already exists
At line:3 char:56
+         get-item -Path "cert:\localmachine\my\$cert" | new-item -path IIS:\SslBi ...
+                                                        ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-Item], Win32Exception
    + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.NewItemCommand

我执行的PowerShell是:

 New-WebBinding -name $Name -Protocol https -HostHeader "$Name.domain.com" -Port 443 -SslFlags 1
 $cert = Get-ChildItem -Path Cert:\LocalMachine\My | where-Object {$_.subject -like "*cloud.domain.com*"} | Select-Object -ExpandProperty Thumbprint
 get-item -Path "cert:\localmachine\my\$cert" | new-item -path IIS:\SslBindings\0.0.0.0!443!$Name.domain.com

它似乎能够找到证书,但无法将其分配给创建的绑定.使用正确的IP/Port/HostHeader创建绑定,检查SNI,但SSL证书是"未选中"

从IIS管理器一切正常

我尝试过来自SO和其他网站的各种说明,例如:
http://technet.microsoft.com/en-us/magazine/jj871065.aspx
Powershell IIS7 Snap in将SSL证书分配给https绑定
Powershell - 使用共享证书添加SSL绑定

另外,我试过了

IIS:\SslBindings\0.0.0.0!443!$Name.domain.com

和

IIS:\SslBindings\0.0.0.0!443

证书有一个cloud.domain.com主题和多个SAN属性,例如**.domain.com*,domain.com,**.seconddomain.com*,seconddomain.com,cloud.domain.com

编辑:

现在我正在使用这种方法,它确实有效:

$guid = [guid]::NewGuid().ToString("B")
netsh http add sslcert hostnameport=$Name.domain.com:443 certhash=b58e54ca68c94f93c134c5da00a388ab0642a648 certstorename=MY appid="$guid"

然而,我仍然对没有netsh/ 的解决方案感兴趣appcmd

Answer 1

这是我能够为计算机FQDN生成自签名证书并添加SSL证书和绑定的方法。

$fqdn = "$((Get-WmiObject win32_computersystem).DNSHostName).$((Get-WmiObject win32_computersystem).Domain)" 
$cert=(Get-ChildItem cert:\LocalMachine\My | where-object { $_.Subject -match "CN=$fqdn" } | Select-Object -First 1) 
if ($cert  -eq $null) { 
$cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation "Cert:\LocalMachine\My" 
} 
$binding = (Get-WebBinding -Name SiteNameHere | where-object {$_.protocol -eq "https"})
if($binding -ne $null) {
    Remove-WebBinding -Name SiteNameHere -Port 443 -Protocol "https" -HostHeader $fqdn
} 
New-WebBinding -Name SiteNameHere -Port 443 -Protocol https -HostHeader $fqdn 
(Get-WebBinding -Name SiteNameHere -Port 443 -Protocol "https" -HostHeader $fqdn).AddSslCertificate($cert.Thumbprint, "my")

Answer 2

基于@ElanHasson 的回答，我制作了这个脚本，它将制作一个自签名的 TLS 证书并将其应用于网站。可以稍微整理一下，但它有效：

Clear-Host
$certificateDnsName = 'my.localcert.ssl' # a name you want to give to your certificate (can be anything you want for localhost)

$siteName = "Default Web Site" # the website to apply the bindings/cert to (top level, not an application underneath!).
$fqdn = ""                     #fully qualified domain name (empty, or e.g 'contoso.com')


# ----------------------------------------------------------------------------------------
# SSL CERTIFICATE CREATION
# ----------------------------------------------------------------------------------------

# create the ssl certificate that will expire in 2 years
$newCert = New-SelfSignedCertificate -DnsName $certificateDnsName -CertStoreLocation cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(2)
"Certificate Details:`r`n`r`n $newCert"


# ----------------------------------------------------------------------------------------
# IIS BINDINGS
# ----------------------------------------------------------------------------------------


$webbindings = Get-WebBinding -Name $siteName
$webbindings


$hasSsl = $webbindings | Where-Object { $_.protocol -like "*https*" }

if($hasSsl)
{
    Write-Output "ERROR: An SSL certificate is already assigned. Please remove it manually before adding this certificate."
    Write-Output "Alternatively, you could just use that certificate (provided it's recent/secure)."
}
else
{
    "Applying TLS/SSL Certificate"
    New-WebBinding -Name $siteName -Port 443 -Protocol https -HostHeader $fqdn #could add -IPAddress here if needed (and for the get below)
    (Get-WebBinding -Name $siteName -Port 443 -Protocol "https" -HostHeader $fqdn).AddSslCertificate($newCert.Thumbprint, "my")

    "`r`n`r`nNew web bindings"
    $webbindings = Get-WebBinding -Name $siteName
    $webbindings
}


"`r`n`r`nTLS/SSL Assignment Complete"

如果 fqdn 为空（并且没有-IPAddress分配），它将在 IIS 中为您提供：

Answer 3

现在我正在使用这种方法，它确实有效：

$guid = [guid]::NewGuid().ToString("B")
netsh http add sslcert hostnameport=$Name.domain.com:443 certhash=b58e54ca68c94f93c134c5da00a388ab0642a648 certstorename=MY appid="$guid"