
On a Windows 2012 server we create websites using C# code. This also applies the https binding w/ SSL.

For some reason, whenever a new site is created it sets all sites' SSL cert to "Not Selected". Is there a way to prevent this?

Code we use

    // Requires: using System; using System.Diagnostics; using Microsoft.Web.Administration;

    // Get the server manager instance
    using (ServerManager mgr = new ServerManager())
    {
        Site site = mgr.Sites[siteName];
        if (site != null)
        {
            ProcessStartInfo startInfo = new ProcessStartInfo();
            startInfo.CreateNoWindow = false;
            startInfo.UseShellExecute = false;
            startInfo.WorkingDirectory = @"C:\Windows\System32\Inetsrv";
            // With UseShellExecute = false the executable is not looked up in
            // WorkingDirectory, so the full path is given here.
            startInfo.FileName = @"C:\Windows\System32\Inetsrv\appcmd.exe";
            startInfo.WindowStyle = ProcessWindowStyle.Hidden;
            // Add an https binding on port 443 for the given IP address and host header
            startInfo.Arguments = string.Format("set site /site.name:\"{0}\" /+bindings.[protocol='https',bindingInformation='{1}:443:{2}']", siteName, ipAddress, hostHeader);

            using (Process exeProcess = Process.Start(startInfo))
            {
                exeProcess.WaitForExit();
                // Report failure when appcmd exits with a non-zero code
                return exeProcess.ExitCode == 0;
            }
        }
        else
            throw new Exception("Site: " + siteName + " does not exist.");
    }
aron

1 Answer


Assuming that appcmd interacts with IIS8 in exactly the same way as with IIS7 (haven't poked around with it yet), the answer is NO.

SSL termination is handled in the HTTP stack before the request reaches IIS. For that reason, certificate-to-endpoint assignment is handled by the OS, not by IIS. appcmd.exe only updates IIS configuration files; it doesn't interact with OS dependencies like certificate assignment.

When you use appcmd set site you are effectively resetting/overwriting the previous site configuration.

To update certificate-to-endpoint mappings you need to use netsh.exe as outlined in: https://stackoverflow.com/questions/591597/how-to-assign-a-ssl-certificate-to-iis7-site-from-command-prompt

    netsh http add sslcert ipport=0.0.0.0:443 certhash=baf9926b466e8565217b5e6287c97973dcd54874 appid={ab3c58f7-8316-42e3-bc6e-771d4ce4b201}

where baf9926b466e8565217b5e6287c97973dcd54874 is the certificate thumbprint, and 0.0.0.0:443 is the IP endpoint (0.0.0.0 means the same as "Any Unassigned").

UPDATE: If you always use existing endpoints for HTTPS bindings (e.g. always "Any Unassigned":443), I believe you could successfully overcome this issue by backing up the following registry key (including subkeys):

    HKLM\SYSTEM\CurrentControlSet\services\HTTP\Parameters\SslBindingInfo

Write it back to the registry after you've run appcmd set site.

Mathias R. Jessen
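
The `netsh http add sslcert` step from the answer above, written as a C# helper in the same style as the question's code. This is an added example, not code from the question or the answer: the class and method names are hypothetical, and it assumes an IPv4 endpoint and a process running elevated.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text.RegularExpressions;

public static class SslCertBinder
{
    // Hypothetical helper: builds the netsh arguments after validating every
    // value that ends up on the command line.
    public static string BuildArguments(string ipAddress, int port, string thumbprint, Guid appId)
    {
        IPAddress parsed;
        if (!IPAddress.TryParse(ipAddress, out parsed) || parsed.AddressFamily != AddressFamily.InterNetwork)
            throw new ArgumentException("Not an IPv4 address.", "ipAddress");
        if (port < 1 || port > 65535)
            throw new ArgumentOutOfRangeException("port");
        // A SHA-1 thumbprint is exactly 40 hex digits. Text copied from the certificate
        // dialog can carry spaces or an invisible leading character, so reject it here.
        if (thumbprint == null || !Regex.IsMatch(thumbprint, @"\A[0-9A-Fa-f]{40}\z"))
            throw new ArgumentException("Thumbprint must be 40 hex digits.", "thumbprint");

        // The parsed address is emitted in canonical dotted form; the GUID in {braces}.
        return string.Format("http add sslcert ipport={0}:{1} certhash={2} appid={3}",
            parsed, port, thumbprint, appId.ToString("B"));
    }

    // Runs netsh with the validated arguments; call it after the appcmd step.
    public static bool Bind(string ipAddress, int port, string thumbprint, Guid appId)
    {
        ProcessStartInfo startInfo = new ProcessStartInfo();
        // Full path, so the executable is not resolved through the search path.
        startInfo.FileName = Path.Combine(Environment.SystemDirectory, "netsh.exe");
        startInfo.Arguments = BuildArguments(ipAddress, port, thumbprint, appId);
        startInfo.UseShellExecute = false;
        startInfo.CreateNoWindow = true;

        using (Process netsh = Process.Start(startInfo))
        {
            netsh.WaitForExit();
            // A non-zero exit code is treated as "binding not added".
            return netsh.ExitCode == 0;
        }
    }
}
```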