
How to configure SSL on IIS with PowerShell

SSL encryption is a necessary component when building an IIS website that communicates with the outside world. Use this PowerShell tutorial to streamline the deployment process.

Creating an IIS website is relatively easy, but things can get complicated when setting up a certificate to encrypt traffic between clients and servers.

Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), is the protocol used to secure communications between a web browser and a server. A current IIS server negotiates TLS, but the "SSL" name survives throughout the IIS tooling, so this article uses it too. To create this encrypted connection you must bind a certificate to the site's HTTPS listener. With help from PowerShell, you can simplify the configuration process.

Get started with IIS websites     

This tutorial is based on using Internet Information Services (IIS) 10.0 on Windows Server 2016 using cmdlets from the WebAdministration module that was installed with IIS by default; however, the commands may work in earlier versions of IIS and Windows Server, as well.

First, check that IIS exists on the server. Then, connect to the Windows Server 2016 machine using PowerShell remoting.

Enter-PSSession -ComputerName MYIISSERVER

Run Get-Website to list the sites that already exist; this confirms that the WebAdministration module loaded and that you can enumerate sites from this session. The example below shows a single site called Default Web Site. The asterisk in the binding means it is bound to all IP addresses, and it is listening on port 80.

Get-Website
Name             ID   State      Physical Path          Bindings
----             --   -----      -------------          --------
Default Web Site 1    Stopped    %SystemDrive%\inetpub\wwwroot  http *:80:

With that confirmation in hand, you can proceed to create a new site on the server.

Next, create a website named DemoSite with the New-Website cmdlet. Below is a simple example of a command with just the name of the site and the file system path:

New-Website -Name DemoSite -PhysicalPath C:\inetpub\wwwroot\

Name             ID   State      Physical Path                  Bindings
----             --   -----      -------------                  --------
DemoSite         3    Stopped    C:\inetpub\wwwroot\            http *:80:

Note the State column: a new site does not always start, and a site cannot start while another running site holds an identical binding (here, http *:80:). Once the bindings are right, start it with Start-Website -Name DemoSite.

If you need to perform other configuration tasks, such as setting the application pool or host header, refer to the help for the New-Website cmdlet by running Get-Help New-Website -Full.

How to set IIS bindings

The DemoSite website is bound to all IP addresses and listens on port 80 by default. To support HTTPS, add a second binding that makes the site listen on port 443.

First, run the following command to get a list of the bindings on the server:

Get-WebBinding
protocol bindingInformation sslFlags
-------- ------------------ --------
http     *:80:                     0
http     *:80:                     0

This returns all bindings on the server across all websites, which is why the *:80: binding appears twice. To return the bindings of a particular site, run Get-Website and drill down into the Collection property of the bindings object:

(Get-Website -Name 'DemoSite').bindings.Collection

protocol bindingInformation sslFlags
-------- ------------------ --------
http     *:80:                     0

Add a binding for port 443 to DemoSite using the New-WebBinding cmdlet. Provide the name of the website as the Name parameter, then specify the IP address to bind to, the port to listen on and the https protocol:

New-WebBinding -Name 'DemoSite' -IPAddress * -Port 443 -Protocol https

(Get-Website -Name 'DemoSite').bindings.Collection

protocol bindingInformation sslFlags
-------- ------------------ --------
http     *:80:                     0
https    *:443:                    0

Add a self-signed certificate for SSL on IIS

The binding information now shows the website listening on the default HTTPS port 443, but with sslFlags 0 and no certificate the listener cannot complete a TLS handshake. To set up the encryption component, you must install a certificate for SSL on IIS and attach it to that binding.

Create a self-signed certificate on the server using the New-SelfSignedCertificate cmdlet. Provide the certificate store location and the DNS name the certificate should cover; the cmdlet places the name in both the subject and the subject alternative name. The example below uses the domain demo.local:

New-SelfSignedCertificate -CertStoreLocation 'Cert:\LocalMachine\My' -DnsName 'demosite.demo.local'

Keep in mind that no client trusts a self-signed certificate, so browsers will warn and API clients will fail validation unless the certificate is explicitly imported into their trusted root store. It is fine for a lab; for a production site, obtain a certificate from a CA and import it into Cert:\LocalMachine\My, then use its thumbprint in the steps below.

   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
1D462AF7573BDC51F42FF8B2AD8930DC761D849B  CN=demosite.demo.local

Bind the SSL certificate

Next, bind the certificate to the HTTPS listener. Build the certificate store path from the thumbprint, then pipe the certificate object to New-Item in the IIS:\SSLBindings provider. The item name is the IP address and port separated by an exclamation mark; 0.0.0.0 stands for the "all addresses" binding created above:

$certPath = 'Cert:\LocalMachine\My\1D462AF7573BDC51F42FF8B2AD8930DC761D849B'
$providerPath = 'IIS:\SSLBindings\0.0.0.0!443'
Get-Item $certPath | New-Item $providerPath

IP Address          Port   Host Name        Store            Sites
----------          ----   ---------        -----            -----
0.0.0.0             443                     My               DemoSite

This is an IP-based binding: every site listening on 0.0.0.0:443 presents the same certificate. If several host names need their own certificates on one IP address and port, create the HTTPS binding with a host header and -SslFlags 1 (Server Name Indication) and bind the certificate to IIS:\SSLBindings\!443!<hostname> instead.

To confirm the certificate is on the HTTPS binding of the site, open Internet Information Services manager, click on DemoSite, open the Bindings option, select the HTTPS binding and check that the certificate's DNS name is the one you issued.
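The IIS Manager check can be done from the same PowerShell session, which is more useful when the server has no GUI. The following block is an added example and not part of the original article: it reads the binding back from the IIS:\SSLBindings provider, then performs a real TLS handshake against the listener and compares the certificate the server presents with the thumbprint created above. The thumbprint, host name and the assumption that DemoSite has been started are taken from the steps in this article.

```powershell
# Added example: verify an IIS SSL binding from PowerShell instead of IIS Manager.
Import-Module WebAdministration

$thumbprint = '1D462AF7573BDC51F42FF8B2AD8930DC761D849B'   # thumbprint from New-SelfSignedCertificate above
$hostName   = 'demosite.demo.local'                         # DNS name the certificate was issued for

# The listener only answers once the site is running (assumption: DemoSite exists as created above).
Start-Website -Name 'DemoSite'

# 1. Read the binding back from the provider and compare thumbprints.
$binding = Get-Item 'IIS:\SslBindings\0.0.0.0!443'
if ($binding.Thumbprint -ne $thumbprint) {
    throw "Port 443 is bound to $($binding.Thumbprint), expected $thumbprint"
}
"Provider binding OK: $($binding.IPAddress):$($binding.Port) -> $($binding.Thumbprint) (sites: $($binding.Sites))"

# 2. Perform a real TLS handshake and inspect the certificate IIS presents.
#    The callback accepts any certificate because a self-signed cert fails chain validation;
#    the goal here is to see which certificate is served, not to trust it. Never reuse this
#    callback in production client code.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors) $true
}
$client = New-Object System.Net.Sockets.TcpClient('localhost', 443)
$stream = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
try {
    # $hostName is sent as the SNI name, so this also exercises an SNI binding if you use one.
    $stream.AuthenticateAsClient($hostName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($stream.RemoteCertificate)
    "Negotiated protocol : $($stream.SslProtocol)"
    "Served certificate  : $($served.Subject), expires $($served.NotAfter)"
    if ($served.Thumbprint -ne $thumbprint) {
        throw "IIS served thumbprint $($served.Thumbprint), expected $thumbprint"
    }
    'Handshake OK: the listener presents the expected certificate'
}
finally {
    $stream.Dispose()
    $client.Dispose()
}
```

The negotiated protocol line is worth keeping an eye on: if it reports anything older than TLS 1.2, the server's Schannel settings need attention before the site faces the internet.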

If you routinely create websites that need SSL encryption, you can go a step further and wrap all of these steps in a single function that creates the site, adds the HTTPS binding, obtains a certificate and binds it.
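The function below is an added example written for this article; it is not code from the original page. It strings the steps above together, accepts the thumbprint of an existing CA-issued certificate and only falls back to a self-signed one when none is given, supports the SNI binding style for hosts that share an IP address and port, and reads the binding back before returning. The site name, physical path and host name in the usage line are the article's lab values; the function and parameter names are my own.

```powershell
# Added example: one function that builds an HTTPS-only IIS site and binds a certificate to it.
Import-Module WebAdministration

function New-IisSslWebsite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $PhysicalPath,
        [Parameter(Mandatory)] [string] $HostName,
        [string] $IPAddress = '*',
        [int]    $Port = 443,
        # Thumbprint of an existing certificate in Cert:\LocalMachine\My (e.g. CA-issued).
        # When omitted, a self-signed certificate is created for $HostName (lab use only).
        [string] $Thumbprint,
        # Use Server Name Indication so several host names can share $IPAddress:$Port (IIS 8+).
        [switch] $UseSni
    )

    if (-not (Test-Path $PhysicalPath)) {
        New-Item -ItemType Directory -Path $PhysicalPath | Out-Null
    }

    # 1. Create the site with an HTTPS binding only, so no plain-HTTP listener is opened.
    if (-not (Get-Website -Name $Name)) {
        $siteParams = @{ Name = $Name; PhysicalPath = $PhysicalPath; IPAddress = $IPAddress; Port = $Port; Ssl = $true }
        if ($UseSni) {
            $siteParams.HostHeader = $HostName
            $siteParams.SslFlags   = 1          # 1 = SNI required on this binding
        }
        New-Website @siteParams | Out-Null
    }

    # 2. Obtain the certificate: reuse the supplied thumbprint or create a self-signed one.
    if ($Thumbprint) {
        $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    }
    else {
        Write-Verbose "No thumbprint given; creating a self-signed certificate for $HostName (test use only)"
        $cert = New-SelfSignedCertificate -DnsName $HostName -CertStoreLocation 'Cert:\LocalMachine\My'
    }

    # 3. Bind the certificate. IP-based bindings are keyed as <ip>!<port>; SNI bindings as !<port>!<host>.
    $ip = if ($IPAddress -eq '*') { '0.0.0.0' } else { $IPAddress }
    $bindingPath = if ($UseSni) { "IIS:\SslBindings\!$Port!$HostName" } else { "IIS:\SslBindings\$ip!$Port" }
    if (Test-Path $bindingPath) {
        Write-Verbose "Replacing existing binding at $bindingPath"
        Remove-Item $bindingPath
    }
    $sslParams = @{ Path = $bindingPath; Value = $cert }
    if ($UseSni) { $sslParams.SSLFlags = 1 }
    New-Item @sslParams | Out-Null

    Start-Website -Name $Name

    # 4. Read the binding back and fail loudly if IIS did not record the expected certificate.
    $bound = Get-Item $bindingPath
    if ($bound.Thumbprint -ne $cert.Thumbprint) {
        throw "Binding $bindingPath holds $($bound.Thumbprint), expected $($cert.Thumbprint)"
    }

    [pscustomobject]@{
        Site       = $Name
        Binding    = $bindingPath
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
    }
}

# Usage (article's lab values): an HTTPS-only DemoSite with a self-signed certificate ...
New-IisSslWebsite -Name DemoSite -PhysicalPath 'C:\inetpub\DemoSite' -HostName 'demosite.demo.local' -Verbose

# ... and a second site sharing port 443 on the same address via SNI, using an existing CA-issued cert.
# (Second host name and thumbprint are placeholders for your own values.)
# New-IisSslWebsite -Name OtherSite -PhysicalPath 'C:\inetpub\OtherSite' -HostName 'other.demo.local' `
#     -Thumbprint '<thumbprint of your CA-issued certificate>' -UseSni
```

Two design choices matter from a security standpoint. The function never creates a port 80 binding, so there is nothing to redirect or forget to close; if you need HTTP-to-HTTPS redirection, add it deliberately. And the returned NotAfter value is there so that a deployment script can record when the certificate expires, which is the usual way a self-signed lab certificate quietly turns into an outage a year later.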
