Update many SSL certificate site bindings in one go

If you have to deal with updating SSL certificates in IIS then you probably know how much of a pain it can be if you have lots of sites and bindings that all use the same certificate. I found a really simple PowerShell script that can go through and match the thumbprint of your old certificate on all bindings in IIS and replace them with the thumbprint of your new certificate! This is particularly useful if you have a wildcard multi-domain certificate that you can use on all sites regardless of hostname!

Open up a PowerShell window with administrative rights then enter the following commands. Obviously you will need to replace the thumbprint values below with yours.

The first one will set a variable for the old certificate

$OLDCertificateThumbprint = "123456789abcdefgh1a2b3c4d5e6f7g8h9a1a1a1"

The second will set a variable for the new certificate

$NEWCertificateThumbprint = "7a3b5a1g1a6a2j2a262a3343a333a5a64a4a4a4a"

The following will show bindings where the old certificate is in use

Get-WebBinding | Where-Object { $_.certificateHash -eq $OLDCertificateThumbprint} | Format-Table

This will select bindings where the old certificate is in use and switch it to the new certificate

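Get-WebBinding | Where-Object { $_.certificateHash -eq $OLDCertificateThumbprint} | ForEach-Object {
    Write-Host "Working on" $_
    # Detach the old certificate from this binding
    $_.RemoveSslCertificate()
    # Attach the new certificate from the local machine's "My" (Personal) store
    $_.AddSslCertificate($NEWCertificateThumbprint, 'My')
}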

Once the script above has completed you can use this to show bindings where the new certificate is in use

Get-WebBinding | Where-Object { $_.certificateHash -eq $NEWCertificateThumbprint}

Now that everything has been updated you can go into IIS to check it out.  Big thank you to the following people here and here for providing these solutions.
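
A more defensive version of the swap above, as an added example that is not part of the original post or the scripts it credits: it cleans up the pasted thumbprints, checks that the new certificate is in the local machine's Personal store with a private key and valid dates before touching anything, and puts the old certificate back if a binding fails. The helper name Format-Thumbprint and the placeholder thumbprints are assumptions for illustration.

```powershell
# Added example, not the original author's script. Placeholders must be replaced.
Import-Module WebAdministration
$OLDCertificateThumbprint = '<old thumbprint>'   # placeholder
$NEWCertificateThumbprint = '<new thumbprint>'   # placeholder

# Thumbprints copied from the certificate dialog can carry spaces or an
# invisible leading character, so keep only the hex digits.
function Format-Thumbprint([string]$Value) {
    ($Value -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
}
$old = Format-Thumbprint $OLDCertificateThumbprint
$new = Format-Thumbprint $NEWCertificateThumbprint
if ($old.Length -ne 40 -or $new.Length -ne 40) {
    throw 'A thumbprint is not 40 hex characters.'
}

# Refuse to touch any binding unless the new certificate is usable.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $new }
if (-not $cert) { throw "Certificate $new is not in Cert:\LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "Certificate $new has no private key." }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate $new is outside its validity period."
}

# Snapshot the matching bindings first, then swap them one at a time.
$targets = @(Get-WebBinding | Where-Object { $_.certificateHash -eq $old })
foreach ($binding in $targets) {
    $info  = $binding.bindingInformation
    $store = $binding.certificateStoreName
    if (-not $store) { $store = 'My' }
    Write-Host "Working on $info"
    $binding.RemoveSslCertificate()
    try {
        $binding.AddSslCertificate($new, 'My')
    } catch {
        # Restore the old certificate so the binding is not left without one.
        Write-Warning "Failed on ${info}: $_"
        $binding.AddSslCertificate($old, $store)
    }
}

# Report anything that is still on the old certificate.
$left = @(Get-WebBinding | Where-Object { $_.certificateHash -eq $old })
Write-Host "$($targets.Count) binding(s) processed, $($left.Count) still on the old certificate."
```

With the placeholders left in place the script stops at the length check and changes nothing.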

Move a SSL certificate from Microsoft IIS 8 to Apache

To move an SSL certificate from Microsoft IIS 8 to Apache, the certificate must be converted from a PKCS#12 (.p12 or .pfx) file to two separate files (private and public key). This guide will show you how to create those files.

Step 1: Export certificate in IIS 8

  1. From the web server, click Start
  2. In the Search programs and files field, type manage computer certificates
  3. From the search suggestions list, click Manage computer certificates
  4. At the permission prompt, click Yes
  5. Double click on the Personal folder, and then on Certificates.
  6. Right-click the certificate you would like to back up and choose All Tasks > Export
  7. Follow the Certificate Export Wizard to back up your certificate to a .pfx file.
  8. Choose ‘Yes, export the private key’
  9. Choose to “Include all certificates in certificate path if possible.” (do NOT select the delete Private Key option)
  10. Enter a password you will remember
  11. Choose to save file on a set location
  12. Click Finish
  13. You will receive a message > “The export was successful.” > Click OK
  14. The .pfx file backup is now saved in the location you selected.

Step 2:  Convert PFX file to compatible files for Apache

If you are a Windows user you will need the OpenSSL program / binaries to run these commands in PowerShell. You can find a guide on how to do this here.

To extract the private key, run the OpenSSL command:
openssl pkcs12 -in <filename>.pfx  -nocerts -out key.pem

EXAMPLE:-
openssl pkcs12 -in c:\ssl\myexportedcert.pfx  -nocerts -out c:\ssl\key.pem

To extract the certificate (public key), run the OpenSSL command:
openssl pkcs12 -in <filename>.pfx -clcerts -nokeys -out cert.pem

EXAMPLE:-
openssl pkcs12 -in c:\ssl\myexportedcert.pfx -clcerts -nokeys -out c:\ssl\cert.pem

After running the commands above you will end up with 2 files, key.pem and cert.pem ready to be imported into your Apache server.

Secure your IIS web server! SSL best practices.

If you are setting up a Windows server that will serve websites on the web using IIS, you really need to change a few of the default settings when it comes to SSL security.

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.

For further information and to download the tool visit https://www.nartac.com/Products/IISCrypto

Once you’ve tweaked your configuration (you can’t really go wrong with the “Best Practices” button) you should go and test your sites using something like https://www.ssllabs.com/ssltest/ to see how they fare.

If you’d like to find out more information on SSL and how it works then Bill over at PixelPrivacy has put together an incredibly in-depth guide on how SSL works and what it means to the average user.