Using netsh, bind an SSL certificate to a port num

Posted 2019-01-17 20:09

Question:

I have followed the instructions in SSL with Self Hosted WCF Service. When I try to bind the certificate on Windows 7 using netsh as described in How to: Configure a Port with an SSL Certificate, it fails as follows.

In Windows PowerShell

PS C:\> netsh http add sslcert ipport=0.0.0.0:8732 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF}
Bad numeric constant: 224.
At line:1 char:104
+ netsh http add sslcert ipport=0.0.0.0:8732 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={001 <<<< 12233-4455-6677-8899-AABBCCDDEEFF}
+ CategoryInfo          : ParserError: (224:String) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : BadNumericConstant

In a command prompt

C:\>netsh http add sslcert ipport=0.0.0.0:8732 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

SSL Certificate add failed, Error: 1312
A specified logon session does not exist. It may already have been terminated.

Answer 1:

I fought with this forever to get my IIS Express to do SSL properly. It turns out my certificate was in the Trusted Root Certification Authorities store instead of the Personal Certificates store. This is what worked for me:

  1. Make sure your certificate is in "Certificates (Local Computer)/Personal/Certificates"
  2. netsh http add sslcert ipport=0.0.0.0:8732 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid='{00112233-4455-6677-8899-AABBCCDDEEFF}'
  3. SSL Certificate successfully added
  4. Use MMC and drag certificate wherever you want it to go.


Answer 2:

I have found 4 possible causes for error 1312 in my port bindings:

  • The SSL cert is corrupt - you need to delete it from the cert store and re-add it.
  • The SSL cert is lacking a private key - you need to delete it from the cert store and re-add the full public/private cert, or otherwise attach the private key to your certificate.
  • If installing on a pre-SP1 version of 2012R2, you may need KB 981506.
  • You may have added the SSL cert to your user store, and not the local machine cert store - delete from the user store and add to the machine store.


Answer 3:

The source of the error is that I had taken the thumbprint directly from the certificate file signroot.cert, which is created by the first makecert command (the one needed for the "Trusted Root Certification Authorities" certificate) and is used again to actually create (and install) the self-signed trusted certificate in the second makecert command.

The second makecert command also installs the created certificate in the "Certificates (Local Computer) -> Personal -> Certificates" node. One has to refresh the currently open MMC to see the "localhost" certificate, and the thumbprint needs to be taken from this certificate, not from signroot.cert.

If that is still not the case, one might need to install this hotfix from M$: http://support.microsoft.com/kb/981506

Ref: http://social.technet.microsoft.com/Forums/en/winservergen/thread/68452008-a89b-40ba-9927-472efcfafc99



Answer 4:

We faced the same error and, after long hours, realized that netsh was not browsing all local machine stores to find the certificate identified by the "certhash" parameter. By default it searches for the certificate in the "Personal" store, and only there.

As our certificate was not in the "personal" store but in the "Trusted Root Certification Authorities" store, the problem was solved by adding the "certstorename" parameter in the netsh command:

C:\>netsh http add sslcert ipport=0.0.0.0:8732 certstorename=AuthRoot certhash=...  


Answer 5:

Another thing to be aware of is that copying and pasting the certificate hash from the MMC console certificate property window may also bring along a funny char at the start of the hash. You won't see it, because this char is INVISIBLE in the UTF-8 encoding your text editor is likely using!

Netsh does not help, as it just keeps failing with "the parameter is incorrect" without disclosing which parameter ;)

Changing the encoding to ANSI shows the char; delete it and it'll work like a charm.
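The checks from Answers 2, 4 and 5 (hidden character in the pasted hash, certificate in the wrong store, missing private key, PowerShell swallowing the `{}` of appid) can be done up front before calling netsh. The script below is an added example, not code from the thread; the thumbprint, port and appid are constructed placeholders, and the leading U+200E mark is inserted deliberately to reproduce the symptom.

```powershell
# Added example, not part of the original question or answers.
# Placeholders: replace the thumbprint, port and appid with your own values.

# A hash pasted from the MMC property sheet can carry an invisible
# left-to-right mark (U+200E) in front. Constructed here to show the bug.
$rawThumbprint = [string][char]0x200E + "0123456789ABCDEF0123456789ABCDEF01234567"  # placeholder
$ipPort        = "0.0.0.0:8732"
$appId         = "{00112233-4455-6677-8899-AABBCCDDEEFF}"                          # placeholder GUID

# 1. Keep only hex digits, so hidden marks, spaces or colons disappear.
$thumbprint = ($rawThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumbprint.Length -ne 40) {
    throw "Thumbprint has $($thumbprint.Length) hex digits; a SHA-1 thumbprint has 40."
}

# 2. Search the Local Computer stores netsh can bind from and remember which
#    one holds the certificate. A cert that only exists under CurrentUser
#    is one of the classic causes of error 1312.
$stores = @{ 'MY' = 'Cert:\LocalMachine\My'; 'Root' = 'Cert:\LocalMachine\Root' }
$found  = $null
foreach ($name in $stores.Keys) {
    $cert = Get-ChildItem $stores[$name] | Where-Object { $_.Thumbprint -eq $thumbprint }
    if ($cert) { $found = @{ Store = $name; Cert = $cert }; break }
}
if (-not $found) {
    throw "No certificate $thumbprint in LocalMachine\My or LocalMachine\Root; check the CurrentUser store."
}

# 3. Without a private key the binding also fails with 1312.
if (-not $found.Cert.HasPrivateKey) {
    throw "Certificate found in $($found.Store) but it has no private key; re-import the PFX."
}

# 4. Build the arguments as strings and splat them: the braces of appid are
#    then never parsed by PowerShell, so no quoting is needed. Pass
#    certstorename only when the certificate is outside the default MY store.
$netshArgs = @('http', 'add', 'sslcert', "ipport=$ipPort", "certhash=$thumbprint", "appid=$appId")
if ($found.Store -ne 'MY') { $netshArgs += "certstorename=$($found.Store)" }
Write-Host "Running: netsh $($netshArgs -join ' ')"
& netsh @netshArgs
```

Run from an elevated PowerShell prompt; `netsh http show sslcert ipport=0.0.0.0:8732` afterwards confirms the binding took.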



Answer 6:

The key for me was to ditch using IE to do the import, which is what I normally do/did.

Use mmc.exe, File->Add/Remove Snap-in and add "Certificates". Manage for Computer account and then "Local computer".

Import the root certificate into Certificates (Local Computer)/Trusted Root Certification Authorities/Certificates.

Import the client certificate into Personal/Certificates and then do the netsh http add sslcert.



Answer 7:

I noticed the following in your question. It may not solve the original issue, but the syntax here isn't correct.

PS C:\> netsh http add sslcert ipport=0.0.0.0:8732 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF}
Bad numeric constant: 224.
At line:1 char:104
+ netsh http add sslcert ipport=0.0.0.0:8732 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={001 <<<< 12233-4455-6677-8899-AABBCCDDEEFF}
+ CategoryInfo          : ParserError: (224:String) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : BadNumericConstant

Use this instead (with appid in single quotes, '{}'):

netsh http add sslcert ipport=0.0.0.0:8732 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid='{00112233-4455-6677-8899-AABBCCDDEEFF}'


Answer 8:

Actually it has nothing to do with refreshing. I have wasted so much time with the same issue. If you do a fresh install you will not run across this problem, but the problem will occur if you try to:

 1. Import the same certificate again
 2. Create a new certificate that has the same parameters, namely the CN value, and try to bind it.

To get rid of this problem, either delete this certificate properly from your certificate store and the IIS server cache, or (for development purposes only) create a new certificate with a different CN value; then the command will work.



Answer 9:

"Official" (not self-signed) certificates (e.g. from Thawte) are imported into the certificate store "Trusted Root Certification Authorities".
If no "certstorename=" parameter is passed in the netsh command, netsh takes "MY", which represents the "Private" store.
To bind an official certificate, you have to add:

certstorename=Root

to the netsh command.

Full information