Configuring SSL Certificates for Windows Vista
The documentation for configuring a port with an SSL certificate shows example commands using the httpcfg.exe program. Starting with Windows Vista, httpcfg.exe was replaced in function by the netsh program that comes with the operating system. This is more convenient than having to download a separate tool, but it means that the syntax that you need to use changes slightly.
Let's assume that you've created a certificate and have already installed it using either the command line or the MMC certificate snap-in. If you don't already know the thumbprint of the certificate you want to install to a port, get it through the MMC snap-in. This process hasn't changed much, so your existing directions should continue to work. The thumbprint for the test certificate I generated was 45d08a92798460d84e4ce157f31662b36c4edbff. When you copy the thumbprint from the snap-in, don't forget to remove all of the spaces.
You'll need to run netsh from an elevated command prompt. This first command installs my generated test certificate to port 8000 for the wildcard IP address.
netsh http add sslcert ipport=0.0.0.0:8000 certhash=45d08a92798460d84e4ce157f31662b36c4edbff appid={00112233-4455-6677-8899-AABBCCDDEEFF}
The only new thing here is the appid, which is a GUID that can be used to associate the certificate with a particular application. You can check the installed certificates with the following command.
netsh http show sslcert
That gives me the following certificate description.
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:8000
Certificate Hash : 45d08a92798460d84e4ce157f31662b36c4edbff
Application ID : {00112233-4455-6677-8899-aabbccddeeff}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Finally, you can remove the certificate associated with a particular address to undo the earlier changes.
netsh http delete sslcert ipport=0.0.0.0:8000
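The steps above can be wrapped in a script that cleans up the pasted thumbprint and checks the certificate before binding it. This is an added example, not code from the original post; the parameter names and the ConvertTo-CertHash helper are hypothetical, and it assumes the certificate was installed in the local machine Personal (MY) store.

```powershell
# Added example (not from the original post). Save as a .ps1 file and run elevated.
param(
    # Thumbprint exactly as copied from the MMC snap-in, spaces included
    [string]$Thumbprint = '45 d0 8a 92 79 84 60 d8 4e 4c e1 57 f3 16 62 b3 6c 4e db ff',
    [string]$IpPort = '0.0.0.0:8000',
    # Sample GUID from the post; substitute your application's own
    [string]$AppId = '{00112233-4455-6677-8899-AABBCCDDEEFF}',
    # Without -Apply the script only prints the command it would run
    [switch]$Apply
)

function ConvertTo-CertHash([string]$Raw) {
    # Remove spaces and any other non-hex characters picked up by copy and paste
    $hex = ($Raw -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
    if ($hex.Length -ne 40) {
        throw "Expected 40 hex digits in the thumbprint, found $($hex.Length)."
    }
    $hex
}

$hash = ConvertTo-CertHash $Thumbprint

# Assumption: the certificate was installed in the local machine Personal (MY) store
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
if (-not $cert) { throw "No certificate with thumbprint $hash in Cert:\LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "Certificate $hash has no private key on this machine." }
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)." }

# Pass each name=value pair as one quoted argument so the braces in the GUID reach netsh intact
$netshArgs = @('http', 'add', 'sslcert', "ipport=$IpPort", "certhash=$hash", "appid=$AppId")
if (-not $Apply) {
    "Would run: netsh $($netshArgs -join ' ')"
    return
}

& netsh $netshArgs
if ($LASTEXITCODE -ne 0) { throw "netsh exited with code $LASTEXITCODE." }

# Show the binding that was just created
& netsh http show sslcert "ipport=$IpPort"
```

Run it once without -Apply to review the generated command, then again with -Apply from an elevated prompt to create the binding.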