Another thing to be aware of is that copy/paste the certificate hash from MMC console certificate property window, may also bring a funny char at the start of the hash. You won't see it because this char is INVISIBLE in the UTF-8 encoding your text editor is likely using!

Netsh does not help as it just keeps failing with "the parameter is incorrect" without disclosing which parameter ;)

Changing the encoding to ANSI shows the char, delete it and it'll work like a charm

I noticed the following in your question. It may not solve the original issue, but the syntax here isn't correct.

PS C:\> netsh http add sslcert ipport=0.0.0.0:8732 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF}
Bad numeric constant: 224.
At line:1 char:104
+ netsh http add sslcert ipport=0.0.0.0:8732 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={001 <<<< 12233-4455-6677-8899-AABBCCDDEEFF}
+ CategoryInfo          : ParserError: (224:String) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : BadNumericConstant

Use this instead (with appid in a single quote '{}'):

netsh http add sslcert ipport=0.0.0.0:8732 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid='{00112233-4455-6677-8899-AABBCCDDEEFF}'

I have found 4 possible causes for error 1312 in my port bindings:

• The SSL cert is corrupt - you need to delete from the cert store and re-add.
• The SSL cert is lacking a private key - you need to delete from the cert store and re-add the full public/private cert, or otherwise attach the private key to your certificate.
• If installing on a pre-SP1 version of 2012R2, you may need KB 981506.
• You may have added the SSL cert to your user store, and not the local machine cert store - delete from the user store and add to the machine store.

Actually it has nothing to do with refresh. I have wasted so much time with the same issue. If you do a fresh install you will not run across this problem, but problem will occur if you try to:

 1. Import same certificate again
 2. You create a new certificate and try to bind it which has same parameters, namely the CN value.

To get rid of this problem, either delete this certificate properly from your certificate store and IIS server cache, or (for development purposes only), create a new certificate, but with a different CN value, the command will work.

The source of the error is that I have taken the ThumbPrint directly from the certificate file of signroot.cert, which is created from the first makecert command needed for creating "Trusted Root Certification Authorities", which is used again to really create(and install) the self-sigend trusted certificate in the second makecert command.

The second makecert command also install the created certificates in the "Certificates (Local Computer) -> Personal -> Certificates node." One has to refresh the currently open MMC again to see the "localhost" certificate and the ThumbPrint need to be taken from this certificates but not from signroot.cert.

If it is still not the case, one might need to install this hotfix from M$. http://support.microsoft.com/kb/981506

ref : http://social.technet.microsoft.com/Forums/en/winservergen/thread/68452008-a89b-40ba-9927-472efcfafc99

The key for me was to ditch using IE to do the import which is what I normally do/did.

Use mmc.exe, File->Add/Remove Snap-in and add "Certificates". Manage for Computer account and then "Local computer".

Import the root certificate into Certificates (Local Computer)/Trusted Root Certification Authorities/Certificates.

Import the client certificate into Personal/Certificates and then do the netsh http add sslcert.