The purpose of this article is to demonstrate how to use netsh http commands for SSL certificate management on Windows machines, specifically the netsh http add sslcert command. Netsh http can perform HTTP functions other than certificate management, but those features are out of scope for this article.
Take note that in PowerShell you can drop into the netsh prompt and then into its http context by typing each part on its own. This is especially useful if you are running multiple netsh http commands.
netsh http update sslcert is another common search term that we want to address here. There is no update sslcert command; instead, the existing SSL certificate binding must first be removed and then added again, which we demonstrate in the following examples.
More details on netsh http certificate management functions:
netsh http add sslcert examples
The add sslcert command binds an SSL certificate to an IP address and port. This is useful when multiple applications that need TLS are running on different ports, as well as on a server that has multiple IP addresses.
To add an SSL certificate using netsh http, run the following command:
netsh http add sslcert ipport=0.0.0.0:443 certhash=your_cert_hash appid={00000000-0000-0000-0000-000000000000}
Parameters:
Name | Description |
--- | --- |
ipport | Required. The IP address and port the certificate will be bound to. In this case, 0.0.0.0 means any IP address on the machine. Bindings can also be created separately for specific IPs and ports. |
certhash | Required. The SHA-1 thumbprint of the certificate in hexadecimal format. The thumbprint of each certificate installed on the machine may be displayed by running dir Cert:\LocalMachine\My\ in PowerShell. |
appid | Required. The GUID of the application being protected. |
certstorename | Optional. The name of the certificate store the certificate is in. The default is MY. |
verifyclientcertrevocation | Optional. Turn on or off client certificate revocation checks. |
verifyrevocationwithcachedclientcertonly | Optional. Turn on or off revocation checks for cached client certificates only. |
usagecheck | Optional. Turn on or off the usage check. Default is on. |
revocationfreshnesstime | Optional. How often to check for an updated Certificate Revocation List (CRL). |
urlretrievaltimeout | Optional. Timeout period for retrieval of the CRL. |
sslctlidentifier | Optional. Defines the list of trusted Certification Authorities (CAs). This narrows the default list trusted by the OS. |
sslctlstorename | Optional. The certificate store name under LOCAL_MACHINE that holds the CTL. |
dsmapperusage | Optional. Turn on or off DS mappers. Default is on. |
clientcertnegotiation | Optional. Turn on or off the negotiation of client certificates. Default is off. |
netsh http add sslcert appid is a common search term. The example above demonstrates the purpose and usage of the appid parameter.
netsh http add sslcert ipport is simply the beginning of the command, specifying the IP address along with the port, as demonstrated in the example above.
netsh http add sslcert hostnameport is another common search term. While ipport is recommended over the hostnameport parameter, both are available options for binding the certificate to a specific hostname or IP address along with the port.
netsh http add sslcert the parameter is incorrect – If you get an error message stating the parameter is incorrect, double-check the syntax of your parameters and values. If that still doesn’t work, try dropping into the netsh http prompt and then running add sslcert with the same parameters to fix the issue.
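The remove-then-add sequence described above, as an added PowerShell example that is not part of the original article. It assumes the certificate is already installed in Cert:\LocalMachine\My, that the placeholder subject matches exactly one certificate, that the placeholder appid GUID is one you have chosen for your application, and that it runs from an elevated PowerShell session.

```powershell
# Added example: rebind a certificate to 0.0.0.0:443 with netsh http.
# $Subject and $AppId below are placeholders; replace them with your own values.
$IpPort  = '0.0.0.0:443'
$Subject = 'CN=www.example.com'                       # placeholder subject
$AppId   = '{00000000-0000-0000-0000-000000000000}'   # placeholder application GUID

# 1. Look up the thumbprint (certhash) from the store instead of copying it by hand.
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject })
if ($certs.Count -ne 1) {
    throw "Expected exactly one certificate with subject '$Subject', found $($certs.Count)."
}
$cert = $certs[0]
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; HTTP.sys cannot serve TLS with it."
}
$hash = $cert.Thumbprint

# 2. There is no 'update sslcert': delete any existing binding on this ipport first.
$existing = netsh http show sslcert "ipport=$IpPort"
if ($existing -match 'Certificate Hash') {
    Write-Host "Removing existing binding on $IpPort"
    netsh http delete sslcert "ipport=$IpPort" | Out-Null
}

# 3. Add the new binding.
netsh http add sslcert "ipport=$IpPort" "certhash=$hash" "appid=$AppId"
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add sslcert failed with exit code $LASTEXITCODE"
}

# 4. Verify that HTTP.sys now reports the thumbprint we intended to bind.
$bound = netsh http show sslcert "ipport=$IpPort"
if ($bound -match $hash) {
    Write-Host "Bound $hash to $IpPort"
} else {
    throw "Binding verification failed:`n$($bound -join "`n")"
}
```

The pre-flight checks (exactly one matching certificate, not expired, private key present) catch the usual causes of a binding that is accepted by netsh but fails the first TLS handshake.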
Conclusion
This article has demonstrated how to use netsh to add an SSL certificate to an IP, port, and application on a Windows machine. Let us know in the comments if you have any questions or would like to see additional examples.