How To Migrate SSL Certificate Using MSDeploy
Hi Friends!
Scenario:
Yesterday I was asked to help out IIS 6 to IIS 7 migration with close to 500 sites with 50 of them were SSL website. I thought it is good time to evaluate MSDeploy. It has a support to migrate SSL certificate between the servers and it has really appealed me to use that tool. I opened built in help and I found the following syntax:
msdeploy.exe -verb:sync -source:cert=(STORENAME\HASHOfCERTIFICATE) -dest:cert=(STORENAME\HASHOfCERTIFICATE),computername=DESTINATIONCOMPUTER
I thought that it is something to easy to do. In order to find the SSL certificate association with IIS, I used the following command:
HTTPCfg query ssl
And I saw the following o/p:
So I thought I got the HASH required and tried the following command to archive the SSL certificate to folder store:
msdeploy.exe -verb:sync -source:cert=MY\db1209c20e1be61a4d86644067604118ee7dfa -dest:archiveDir=c:\CertArchive
As you expected, (and reason behind this post) it failed. Have a look at following screenshot:
It failed the first time because I copied the HASH directly from the HTTPCFG output. It failed due to space in a hash. I removed the spaces and tried second time and it failed too very strange error. “Certificate not found in store”. I checked and double checked that certificate does exist, certificate is marked with private key exportable and IIS website with SSL certificate is working over SSL connection. Out of clue and permutations and combinations!!
Takeaway:
I forwarded the problem to internal discussion group and within minutes I got reply from Andreas Klein and that was amazing.
I executed the following command:
Do you notice the random spaces in Hash? They are actually not space. They are ‘0’ that human eye cannot see!!!!!!!!
E.g. A certificate Hash reported by HTTPCFG as “db12 09c20e1 be61a4d86644067604118ee7dfa” should actually be “db12009c20e10be61a4d86644067604118ee7dfa”. Instead of 0, HTTPCFG report it as ‘ ‘.
There is a problem in a way that HTTPCFG reports the certificate hash. I hope it will save some of your time while doing Migration with MSDeploy.