IIS6: Create/install SSL self-signed cert from command line

I want to automate the setup of S开发者_StackOverflowSL for a website in IIS6. It appears selfSSL and certutil can be used to do this but certificates are new to me and I'm unsure how to put them together.

From what I understand I need to:

1. create a certificate
2. assign the certificate to the website
3. add a secure (SSL/443) binding to the website

I would also like to avoid creating a new certificate if the site cert has already been created. That way I don't end up with a bunch of redudant certs.

I would suggest you look at the IIS 6 Resource Kit: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17275

There is a tool in the resource kit called selfssl.exe - it automates the creation, assignment and even trusting of the newly created certificate. We use it quite a bit where I work to ensure that our dev boxes have certificates we can use during testing/development.

Here is the command line we use - it will create the cert (for localhost) using a key-size of 1024, trust it, and make it valid for ~10 years:

selfssl.exe /T /N:CN=localhost /K:1024 /V:3650

If you are hosting multiple sites, you will need to use the /S parameter to specify the site id you want to add the certificate to.

Note: this also works like a champ with IIS 5 on WinXP, but I have never tried it on any of the IIS 7 family.

If you're using Wix for authoring your setup, then running this CustomAction (which simply runs SelfSSL) will do the trick for you:

<CustomAction Id="InstallCert" 
              ExeCommand="selfssl.exe /N:CN=fqdn.myserver.com /V:365" /> 

<InstallExecuteSequence> 
    <Custom Action="InstallCert" After="InstallFinalize" /> 
</InstallExecuteSequence> 

This action will:

• Generate the certificate
• Install the certificate to Default Web Site
• Add the https binding

Command line explained:

/N:CN=[fully qualified server name]
/V: = Validity in days (365 in my example)

You can specify port with /P:[port number] switch. The default is 443 which is what you want so you can leave it out.

Caveat: There seems to be bug with SelfSSL which seems to have been resolved.

If you still run into it, alternative is to switch to SSLDiag tool which has a similar syntax:

SSLDiag.exe /selfssl /n:CN=fqdn.myserver.com /v:365

I do not have experience with other setup authoring tools (InstallShield etc.) but I'm sure they have provisions to run commandline programs. Worst case, you can run this through a batch file!

Hope this helps.