I am currently building an ASP.NET MVC 3 ecommerce app that uses IIS Express as my development server.
As we are accepting payments via the app we need to enforce SSL connections for the checkout process.
After following Scott Hanselman's well-written article on how to set up self-signed SSL certificates for use with IIS Express, I can access my site via both:
This is all gravy, until I restart. It seems that each time I restart (for whatever reason) I need to run the following commands again:
netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 appid={214124cd-d05b-4309-9af9-9caa44b2b74a} certhash=<thumbprint from Certificate Manager>
I have tried exporting and importing the generated certificate, as well as dragging the certificate from the Personal Store to the Trusted Root Certification Authorities. Both to no avail.
Does anyone have any ideas?
A few comments.
First, you can get to the IIS Express thumbprint without using the MMC by using the following command:
powershell -command "& {get-childitem -path cert:\localmachine\my | where-object {$_.FriendlyName -match 'IIS Express Development Certificate'} | % { $_.Thumbprint}}"
As explained in http://msdn.microsoft.com/en-us/library/ms733791.aspx , you use the thumbprint in the command to netsh. You can use the above PowerShell technique to construct the correct netsh command for your particular installation of IIS Express.
Let's add to the above command and have it output the correct netsh command for port 443:
powershell -command "& {get-childitem -path cert:\localmachine\my | where-object {$_.FriendlyName -match 'IIS Express Development Certificate'} | % { 'netsh http add sslcert ipport=0.0.0.0:443 appid={214124cd-d05b-4309-9af9-9caa44b2b74a} certhash='+$_.Thumbprint}}"
This will display the full netsh command that you should use. You can copy / paste it and invoke it yourself. You can also append `| cmd.exe` to the above command to invoke it automatically. Let's do that. Below is the above PowerShell command, ready for you to copy / paste into an Admin Command Prompt, to bind the local 443 port to the local IIS Express certificate:
powershell -command "& {get-childitem -path cert:\localmachine\my | where-object {$_.FriendlyName -match 'IIS Express Development Certificate'} | % { 'netsh http add sslcert ipport=0.0.0.0:443 appid={214124cd-d05b-4309-9af9-9caa44b2b74a} certhash='+$_.Thumbprint}}" | cmd.exe
Below is a PowerShell script that can remove the existing certificate, then create and bind a new self-signed certificate to IIS 8.0 Express. The PowerShell session you launch to run it must be started with Run as Administrator. I use it to increase my key size from the default of 1024-bit to 4096-bit.
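The script referred to in the answer above is not reproduced on this page. The following is an added example, written for this page and not the answer author's script, that carries out the procedure both answers describe: locate or replace the IIS Express development certificate in LocalMachine\My, rebuild the HTTP.sys binding on 0.0.0.0:443 for the IIS Express appid from the question, and check that the binding took. It assumes the Windows 10 / Server 2016 version of New-SelfSignedCertificate (which accepts -KeyLength, -FriendlyName and -NotAfter); the parameter names, the 'localhost' DNS name and the one-year validity are choices made for the example.

```powershell
# Added example: rebuild the IIS Express HTTPS binding with a fresh self-signed
# certificate. Run from an elevated (Run as Administrator) PowerShell session.
# Assumes New-SelfSignedCertificate from Windows 10 / Server 2016 or later.
param(
    [int]    $KeyLength    = 4096,
    [string] $IpPort       = '0.0.0.0:443',
    [string] $FriendlyName = 'IIS Express Development Certificate',
    # Application id IIS Express registers with HTTP.sys (taken from the question).
    [string] $AppId        = '{214124cd-d05b-4309-9af9-9caa44b2b74a}'
)

$ErrorActionPreference = 'Stop'

# 1. Both 'netsh http' and writes to LocalMachine\My need elevation; fail early.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# 2. Drop any existing HTTP.sys binding on the port. 'show sslcert' exits non-zero
#    when there is no binding, so only delete when one was found.
netsh http show sslcert ipport=$IpPort | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Host "Removing existing SSL binding on $IpPort"
    netsh http delete sslcert ipport=$IpPort | Out-Null
}

# 3. Remove old development certificates so a lookup by FriendlyName stays unambiguous.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName } |
    ForEach-Object {
        Write-Host "Removing old certificate $($_.Thumbprint)"
        Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)"
    }

# 4. Create the replacement in LocalMachine\My. HTTP.sys binds certificates from the
#    machine store only; a certificate imported into CurrentUser will not be found,
#    which is the pitfall the final comment on this page points to.
$cert = New-SelfSignedCertificate -DnsName 'localhost' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyLength $KeyLength `
    -FriendlyName $FriendlyName `
    -NotAfter (Get-Date).AddYears(1)
Write-Host "Created certificate $($cert.Thumbprint) ($KeyLength-bit)"

# 5. Bind it for the IIS Express appid. The braces in the appid must reach netsh
#    intact, so pass the arguments as an explicit array instead of a bare command line.
$netshArgs = @('http', 'add', 'sslcert',
               "ipport=$IpPort",
               "certhash=$($cert.Thumbprint)",
               "appid=$AppId")
& netsh @netshArgs
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add sslcert failed with exit code $LASTEXITCODE"
}

# 6. Verify that HTTP.sys now reports the new thumbprint for the port.
$binding = netsh http show sslcert ipport=$IpPort
if (-not ($binding -match $cert.Thumbprint)) {
    throw "Binding on $IpPort does not reference $($cert.Thumbprint)"
}

# 7. Optional: trust the certificate locally so the browser stops warning. Only the
#    public half goes into Trusted Root; the private key stays in LocalMachine\My.
$publicOnly = New-Object Security.Cryptography.X509Certificates.X509Certificate2(
    $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))
$root = New-Object Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
$root.Add($publicOnly)
$root.Close()

Write-Host "Bound $($cert.Thumbprint) to $IpPort for appid $AppId"
```

The binding lives in the HTTP.sys configuration store and survives reboots once the certificate it points to is in LocalMachine\My, so step 2 only needs to fire when the certificate is being replaced. Keep this to development machines: a self-signed certificate in Trusted Root is a local trust anchor, and the private key in LocalMachine\My is readable by any administrator on the box.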
This problem is mentioned by a few people in the comments on http://www.hanselman.com/blog/WorkingWithSSLAtDevelopmentTimeIsEasierWithIISExpress.aspx
The final comment is:
Did you import certificate to currentuser or LocalMachine store? It looks like if you import certificate to CurrentUser store this problem would arise. Take a look at the following thread http://social.msdn.microsoft.com/Forums/en/wcf/thread/9e560c64-c53a-4de5-80d5-d2231ba8bcb1