Windows 2003 is old hat

In Windows 2008+, setting a different SSL certificate for each IP:Port binding is point and click, so for an Exchange server where the internal and external names (and therefore the required certificates) differ:

[screenshot]

it is easy to select the correct certificate for each binding:

[screenshot]

[Note that if you want to use the same IP:Port for multiple SSL sites by using host headers, you can do that in Windows 2008+, but it's back to the command line.]

In Windows 2003, it’s a bit fiddlier:

C:\Scripts>httpcfg query ssl
    IP                      : 192.168.100.10:443
    Hash                    : c1f2b0f6fbd1c115f79535ea6c503b14dbd64416
    Guid                    : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    CertStoreName           : MY
    CertCheckMode           : 0
    RevocationFreshnessTime : 0
    UrlRetrievalTimeout     : 0
    SslCtlIdentifier        :
    SslCtlStoreName         :
    Flags                   : 0
——————————————————————————
    IP                      : 192.168.100.34:443
    Hash                    : c1f2b0f6fbd1c115f79535ea6c503b14dbd64416
    Guid                    : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    CertStoreName           : MY
    CertCheckMode           : 0
    RevocationFreshnessTime : 0
    UrlRetrievalTimeout     : 0
    SslCtlIdentifier        :
    SslCtlStoreName         :
    Flags                   : 0
——————————————————————————

This shows the same certificate bound to two different IP addresses. You need to delete the existing binding before you can add it again with a different certificate; otherwise you'll get the following error:

HttpSetServiceConfiguration completed with 183.

Here we go:

C:\Scripts>httpcfg delete ssl -i 192.168.100.10:443
HttpDeleteServiceConfiguration completed with 0.

Now we can put it back with the correct certificate, but first you need the thumbprint. You can get this by looking at the certificate in the filesystem (double-click the .cer file) or in the Certificates MMC console:

[screenshot]

or from PowerShell for Exchange on an Exchange Server 2007+ server:

[PS] C:\Documents and Settings\Administrator>Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
3972B12B864B4DF7C627609A184DF1B3884E09BA  IP...      CN=dc1
E837A8E0148D778744B06F2CC4B6157D37C19B8E  IP..S      CN=dc1.acs-solutions.local
C1F2B0F6FBD1C115F79535EA6C503B14DBD64416  ...WS      CN=*.acs-solutions.co.uk, OU=Domain Control Validated - RapidSSL(R), OU=
648AB8210EDC23793E0ECE63731E6AB86C207603  .....      CN=ACSRootCA, DC=acs-solutions, DC=local

So, now that we have the thumbprint, bind the certificate of choice to the IP address:port:

C:\Scripts>httpcfg set ssl -i 192.168.100.10:443 -h 3972B12B864B4DF7C627609A184DF1B3884E09BA -g "{4dc3e181-e14b-4a21-b022-59fc669b0914}" -c MY
HttpSetServiceConfiguration completed with 0.

And finally check the result:

C:\Scripts>httpcfg query ssl
    IP                      : 192.168.100.10:443
    Hash                    : 3972b12b864b4df7c627609a184df1b3884e09ba
    Guid                    : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    CertStoreName           : MY
    CertCheckMode           : 0
    RevocationFreshnessTime : 0
    UrlRetrievalTimeout     : 0
    SslCtlIdentifier        : (null)
    SslCtlStoreName         : (null)
    Flags                   : 0
——————————————————————————
    IP                      : 192.168.100.34:443
    Hash                    : c1f2b0f6fbd1c115f79535ea6c503b14dbd64416
    Guid                    : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    CertStoreName           : MY
    CertCheckMode           : 0
    RevocationFreshnessTime : 0
    UrlRetrievalTimeout     : 0
    SslCtlIdentifier        :
    SslCtlStoreName         :
    Flags                   : 0
——————————————————————————
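As an added example (not code from the original post), the delete-then-set steps above wrapped in a PowerShell script: it parses `httpcfg query ssl`, compares each binding's Hash with the thumbprint you expect for that IP:Port, and only rebinds when they differ. The $Expected table, the GUID and the assumption that httpcfg.exe is on the PATH and PowerShell is available on the server are placeholders to adjust for your own box; the comparison is case-insensitive because httpcfg prints the hash in lower case while Get-ExchangeCertificate prints it in upper case.

```powershell
# Added example, not from the original post. Assumes httpcfg.exe is on the PATH
# and that $AppId is the application GUID you want on every SSL binding.
$Expected = @{
    '192.168.100.10:443' = '3972B12B864B4DF7C627609A184DF1B3884E09BA'  # internal name cert
    '192.168.100.34:443' = 'C1F2B0F6FBD1C115F79535EA6C503B14DBD64416'  # external wildcard cert
}
$AppId = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'

# Parse the output of "httpcfg query ssl" into a hashtable of IP:Port -> bound hash.
function Get-HttpcfgSslBindings {
    $bindings = @{}
    $ip = $null
    foreach ($line in (& httpcfg query ssl)) {
        if ($line -match '^\s*IP\s*:\s*(\S+)') {
            $ip = $Matches[1]
        }
        elseif ($ip -and ($line -match '^\s*Hash\s*:\s*([0-9a-fA-F]+)')) {
            $bindings[$ip] = $Matches[1]
            $ip = $null
        }
    }
    return $bindings
}

$current = Get-HttpcfgSslBindings
foreach ($binding in $Expected.Keys) {
    $want = $Expected[$binding]
    $have = $current[$binding]
    # -ieq is case-insensitive: httpcfg shows lower case, Exchange upper case.
    if ($have -and ($have -ieq $want)) {
        Write-Host "$binding already bound to $want"
        continue
    }
    if ($have) {
        # An existing binding makes "set" fail with 183, so delete it first.
        Write-Host "$binding has $have, replacing with $want"
        & httpcfg delete ssl -i $binding
    }
    else {
        Write-Host "$binding has no SSL binding, adding $want"
    }
    & httpcfg set ssl -i $binding -h $want -g $AppId -c MY
}

# Show the final state so it can be checked as in the post.
& httpcfg query ssl
```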

Hope that helps.
