
I'm trying to automate the renewal of certificates in IIS via PowerShell, which is all going fine, except that the script won't overwrite the existing cert without removing it first. I want to do it in a graceful fashion. Here's the line that's causing the issue, any ideas?

New-Item "IIS:\SslBindings\*!${Port}!${HostName}" -Thumbprint $NewCertThumbprint -SslFlags 1

And here's the error:

New-Item : Cannot create a file when that file already exists
At C:\Scripts\SSL_Check.ps1:20 (the line above) char:13
+             New-Item "IIS:\SslBindings\*!${Port}!${HostName}" -Thumbprint $NewCe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-Item], Win32Exception
    + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.NewItemCommand

(I've used thumbprint queries as variables to differentiate between the old and new certs).

  • Copy-Item overwrites by default – Scepticalist Nov 29 '18 at 13:48
  • Hmmm, thanks for that, now I get a new error: "Copy-Item : A parameter cannot be found that matches parameter name 'Thumbprint'." – Colliwhopper Nov 29 '18 at 14:17
  • $CurrentCert = "E6760F37773D17FC5F3DDA192B5B82D738BCC3BE" $NewCert = "5F1C6318A7614DDEDAEFE6C81963426DD4611FDD" If ($CurrentCert -eq $NewCert) {Write-Host "Certificate Thumbprints match, binding unchanged."} Else {Write-Host "Thumbprints are different, updating binding." Copy-Item "IIS:\SslBindings\*!${Port}!${HostName}" -Thumbprint $NewCert -SslFlags 1 IISReset} – Colliwhopper Nov 29 '18 at 14:21
  • not sure how to make that look tidier in comments. – Colliwhopper Nov 29 '18 at 14:31
  • If you need to do that, just edit your original post. Anyway, I'd use Remove-Item beforehand but also check this previous question out: https://stackoverflow.com/questions/22765648/assign-iis-ssl-certificate-to-binding-with-host-header-using-powershell – Scepticalist Nov 29 '18 at 14:47
  • Deep down inside, Windows uses HTTP API to associate certificates with their bindings, https://learn.microsoft.com/en-us/windows/desktop/http/show-sslcert So you have to delete the mapping with old certificate, and add a new mapping with the new one. I think that's why your current script (it should use the same underlying HTTP API) cannot overwrite it. – Lex Li Nov 29 '18 at 20:22
  • Yeah, I ended up doing that, but it sucks, no graceful cert renewal :( – Colliwhopper Nov 29 '18 at 21:44

1 Answer


I would test it first, but something like this should work based on: iis-7-and-the-webadministration-snapin

This should force a replace of the item:

New-Item -Path "IIS:\Sites" -Name $HostName -Type Site -Bindings @{protocol="https";bindingInformation="*:${Port}:";thumbprint=$NewCertThumbprint} -Force

or, you could do the same thing by using the set item to modify what is already there

Set-Item -Path "IIS:\Sites" -Name $HostName -Type Site -Bindings @{protocol="https";bindingInformation="*:${Port}:";thumbprint=$NewCertThumbprint} -Force

Based on your original post, you should be able to just add force to the end of it:

New-Item "IIS:\SslBindings\*!${Port}!${HostName}" -Thumbprint $NewCertThumbprint -SslFlags 1 -Force
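Putting the comment thread together (compare thumbprints, then replace the HTTP.sys mapping rather than overwrite it), here is an added example of a renewal function; it is not code from the question or the answer. It assumes the WebAdministration module, an SNI (host-header) binding, and that the caller supplies $HostName, $NewCertThumbprint and $Port.

```powershell
# Added example: replace an IIS SSL binding by removing the old HTTP.sys
# mapping and creating a new one, as the comments above describe.
Import-Module WebAdministration

function Update-IisSslBinding {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [string] $NewCertThumbprint,
        [int] $Port = 443
    )

    # Thumbprints pasted from the certificate MMC often carry invisible
    # characters; keep only hex digits so the -eq comparison is meaningful.
    $NewCertThumbprint = ($NewCertThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # The new cert must already sit in the machine store with its private key,
    # otherwise the mapping is accepted but TLS handshakes fail afterwards.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $NewCertThumbprint
    if (-not $cert) { throw "Certificate $NewCertThumbprint not found in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $NewCertThumbprint has no private key" }

    $bindingPath = "IIS:\SslBindings\*!${Port}!${HostName}"

    if (Test-Path $bindingPath) {
        $current = (Get-Item $bindingPath).Thumbprint
        if ($current -eq $NewCertThumbprint) {
            Write-Host "Certificate thumbprints match, binding unchanged."
            return $current
        }
        Write-Host "Thumbprints differ, replacing $current with $NewCertThumbprint."
        # HTTP.sys holds one certificate per ip!port!host mapping, so the old
        # mapping has to be deleted before a new one can be added.
        Remove-Item $bindingPath
    }

    # -SslFlags 1 marks the binding as SNI, which host-header bindings require.
    New-Item $bindingPath -Thumbprint $NewCertThumbprint -SslFlags 1 | Out-Null

    # Read the mapping back so the caller sees what HTTP.sys actually serves.
    return (Get-Item $bindingPath).Thumbprint
}
```

Between Remove-Item and New-Item there is a brief window in which that mapping has no certificate, so run the renewal in a maintenance window or behind a load balancer that can drain the node.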