How do I set the IIS 10.0 Management Service SSL certificate from a PowerShell script so that Web Deploy works?

Mic*_*com 2 iis powershell ssl-certificate webdeploy

When I run Windows Update and sysprep my Amazon EC2 instance (Windows Server 2016), I have to create a new self-signed certificate. I can then select the SSL certificate (which I named WebDeploy) on the Management Service screen. I have figured out how to create the SSL certificate from Windows PowerShell, but I still have to pick the SSL certificate from the drop-down shown in the screenshot. How do I set the SSL certificate from the command line?

[Screenshot: IIS Management Service]

Here is what I have tried, without success. I can get each of them to run without errors, but none of them lets Web Deploy work unless I go into the IIS Manager screen and select the certificate from the drop-down manually.

# Thumbprint of the certificate to bind. This variable was not set in the original
# snippet; here it is looked up by the FriendlyName given in the question (assumption).
$strHashThumbprint = (Get-ChildItem -Path "cert:\LocalMachine\My" | Where-Object { $_.FriendlyName -eq "WebDeploy" }).Thumbprint
Stop-Service wmsvc
$strGuid = New-Guid
Import-Module WebAdministration
# Drop the existing HTTP.sys binding on 0.0.0.0:8172 and recreate it with the certificate
Remove-Item -Path IIS:\SslBindings\0.0.0.0!8172
Get-Item -Path "cert:\LocalMachine\My\$strHashThumbprint" | New-Item -Path IIS:\SslBindings\0.0.0.0!8172
Start-Service wmsvc

And this does not work either:

# $strHashThumbprint (the certificate thumbprint) and $strGuid (from New-Guid) must already be set
Stop-Service wmsvc
# Replace the HTTP.sys SSL binding on 0.0.0.0:8172 directly with netsh
netsh http delete sslcert ipport=0.0.0.0:8172
netsh http add sslcert ipport=0.0.0.0:8172 certhash=$strHashThumbprint appid=`{$strGuid`} certstorename="MY" sslctlstorename="MY"
Start-Service wmsvc

Finally, this does not work:

# $strHashThumbprint (the certificate thumbprint) and $strGuid (from New-Guid) must already be set;
# the original snippet used an undefined $strHash here.
Stop-Service wmsvc
# Same binding as the netsh attempt, via the NetworkTransition cmdlet
Add-NetIPHttpsCertBinding -IpPort "0.0.0.0:8172" -CertificateHash $strHashThumbprint -CertificateStoreName "My" -ApplicationId "{$strGuid}" -NullEncryption $false
Start-Service wmsvc

Mic*_*com 6

I finally found the answer at https://forums.iis.net/t/1238001.aspx

I am not sure whether the trusted root store part is needed; everything seems to work without it. But I am fairly confident the registry key needs to be updated. That was the key to making this work.

Full script:

# Delete any existing certificates
# WARNING: this removes EVERY certificate in LocalMachine\My, not only the old WebDeploy one.
Set-Location -Path "cert:\LocalMachine\My"
Get-ChildItem -Path "cert:\LocalMachine\My" | Remove-Item

#Create the new certificate (5-year self-signed cert, created directly in the machine's Personal store)
$strNewCertificate = New-SelfSignedCertificate -FriendlyName "WebDeploy" -DnsName "yoursite.com" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter $([datetime]::now.AddYears(5))
$strHashThumbprint = $strNewCertificate.Thumbprint

#add it to the trusted root store (so the machine itself trusts the self-signed cert)
$trustedRootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("root","LocalMachine")
$trustedRootStore.Open("ReadWrite")
$trustedRootStore.Add($strNewCertificate)
$trustedRootStore.Close()

#Use the new certificate: rebind 0.0.0.0:8172 in HTTP.sys
Stop-Service wmsvc
$strGuid = New-Guid
netsh http delete sslcert ipport=0.0.0.0:8172
netsh http add sslcert ipport=0.0.0.0:8172 certhash=$strHashThumbprint appid=`{$strGuid`} certstorename="MY"

#convert thumbprint to bytes and update registry
# WMSvc reads its certificate from SslCertificateHash, a REG_BINARY value, so the
# thumbprint must be written as raw bytes rather than as a hex string.
[byte[]]$bytes = for($i = 0; $i -lt $strHashThumbprint.Length; $i += 2) { [convert]::ToByte($strHashThumbprint.SubString($i, 2), 16) }
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' -Name IPAddress -Value "*"
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' -Name SslCertificateHash -Value $bytes -Type Binary
Start-Service wmsvc
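An added verification script, not part of the answer above or of the linked forum thread: after the script has run, four places must carry the same thumbprint for Web Deploy to work: the certificate in LocalMachine\My, the HTTP.sys binding on 0.0.0.0:8172, the WebManagement SslCertificateHash registry value, and the certificate the listener actually presents on port 8172. The friendly name "WebDeploy", the port and the registry path are taken from the answer; the probe host `localhost` and the trust-anything certificate callback are assumptions for a local check only, and the netsh output parsing assumes an English-language Windows.

```powershell
# Added example (not the answer's or the forum thread's code): confirm that the store,
# HTTP.sys, the WMSvc registry value and the live listener all agree on one thumbprint.
$FriendlyName = 'WebDeploy'                                    # from the answer
$IpPort       = '0.0.0.0:8172'                                 # from the answer
$RegPath      = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' # from the answer
$ProbeHost    = 'localhost'                                    # assumption: probe the local listener
$Port         = [int]($IpPort -split ':')[-1]

# 1. Expected thumbprint, from the certificate store. Fail loudly if the name is ambiguous.
$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($certs.Count -ne 1) {
    throw "Expected exactly one certificate with FriendlyName '$FriendlyName' in LocalMachine\My, found $($certs.Count)."
}
$expected = $certs[0].Thumbprint.ToUpperInvariant()

# 2. Thumbprint bound in HTTP.sys. netsh prints a 'Certificate Hash : <40 hex chars>' line
#    (English Windows assumed for the label).
$netshOut = netsh http show sslcert ipport=$IpPort
$bound = $netshOut |
    Select-String -Pattern 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Select-Object -First 1
if (-not $bound) { throw "No HTTP.sys SSL binding found for $IpPort." }
$bound = $bound.ToUpperInvariant()

# 3. Thumbprint stored for the Web Management Service. The value is REG_BINARY, so turn
#    the byte[] back into the hex string that the thumbprint uses.
$regBytes = (Get-ItemProperty -Path $RegPath -Name SslCertificateHash).SslCertificateHash
$stored   = ($regBytes | ForEach-Object { $_.ToString('X2') }) -join ''

# 4. What the listener presents on the wire. A self-signed certificate will not chain, so
#    accept any chain here: this callback is for inspection only, never for real clients.
$trustAny = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$served   = $null
$client   = New-Object System.Net.Sockets.TcpClient($ProbeHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAny)
    $ssl.AuthenticateAsClient($ProbeHost)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $served = $remote.Thumbprint.ToUpperInvariant()
    $ssl.Dispose()
}
finally {
    $client.Close()
}

$allMatch = ($bound -eq $expected) -and ($stored -eq $expected) -and ($served -eq $expected)

[pscustomobject]@{
    StoreThumbprint = $expected
    HttpSysBinding  = $bound
    RegistryHash    = $stored
    ServedOnPort    = $served
    AllMatch        = $allMatch
} | Format-List

# Non-zero exit so the check can gate a build or deployment pipeline step.
if (-not $allMatch) { exit 1 }
```

If `HttpSysBinding` and `StoreThumbprint` match but `RegistryHash` does not, you are in exactly the state the question describes: the port is bound correctly, yet WMSvc still serves the certificate recorded in the registry, which is why the drop-down in IIS Manager had to be touched by hand.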