SSL Server Certificate Management

Before IIS 6.0, the only standard way to manage SSL server certificates was through the user interface on each computer, making it difficult to manage server certificates remotely or programmatically. In IIS 6.0, a new COM object, IISCertObj, allows you to use scripts with Windows Scripting Host (WSH) to:

Import copies of a certificate from a .PFX file (a file containing a PFX-encrypted certificate and a private key) on one computer to other computers.
Save backups of certificates on a central site.
Copy a certificate from one computer to another.

This topic uncludes:

Scenarios and Script Samples
IISCertObj Component Properties and Methods

To learn about obtaining server certificates, see Obtaining a Server Certificate.

Scenarios and Script Samples

Suppose you are managing a multiple-server network. To acquire SSL server certificates and install and implement copies of the certificates on all the servers requires the following steps.

Acquire a certificate from a certificate authority (CA).
Import copies of master certificates onto multiple servers.
Save backup copies of certificates in a central archive.
Export certificates across multiple servers.

Using WSH on IIS 6.0, you can execute scripts to communicate with IISCertObj, programmatically importing, archiving, and exporting certificates.

Scenario 1: Importing Certificates to Multiple Servers

Suppose you needed to use SSL for secure user logon to 100 or more servers. Further, you require all of the servers to use copies of the same SSL certificate. It would be awkward and very time-consuming to use the MMC snap-in to add these copies to each server. What you need is a scripted solution that installs copies of the same certificate to the entire server farm.

Save the following script as Certimport.vbs. Modify the command-line statement arguments to match your network resources. Then use the command-line statement to import a certificate from a certificate store on one server to other servers that require it.

Sample script (Certimport.vbs):

  dim iiscertobj
  set iiscertobj = WScript.CreateObject("IIS.IISCertObj")
  dim pfxfile : pfxfile = WScript.Arguments(1)
  dim pfxfilepassword : pfxfilepassword = WScript.Arguments(2)
  iiscertobj.Instancename = WScript.Arguments(3)
  iiscertobj.UserName = WScript.Arguments(5)
  iiscertobj.UserPassword = WScript.Arguments(6)

  'delimited list of servers
  dim WebFarmServers = split(",", WScript.Arguments(4))

  for each IISServer in WebFarmServer
    iiscertobj.ServerName = IISServer
    iiscertobj.Import pfxfile, pfxfilepassword
  next

Command line statement:

Certimport.vbs cert.pfx pfxpwd101 1 iisserver1,iisserver2,iisserver3
pfxword101 Administrator aal34290

Scenario 2: Save Certificates in a Central Archive

Suppose you are managing a server farm with many different SSL certificates. Using the IISCertObj export method, you can archive a backup of each certificate on your server farm to a central site.

Save the following script as Save_all_certs.vbs in your text editor. Modify the command-line statement arguments to match your network resources. Then use the command-line statement to export copies of certificates to the central site.

Sample script (Save_all_certs.vbs):

  dim iiscertobj, targetServer, targetServers, pfxbasename
  set iiscertobj = WScript.CreateObject("IIS.IISCertObj")
  pfxbasename = WScript.Arguments(1)
  pfxpassword = WScript.Arguments(1)
  iiscertobj.Instancename = WScript.Arguments(3)
  targetServers = split(",", WScript.Arguments(4)
  iiscertobj.UserName = WScript.Arguments(5)
  iiscertobj.UserPassword = WScript.Arguments(6)

  for each targetServer in targetServers
    iiscertobj.ServerName = targetServer
    iiscertobj.Export pfxbasename + targetServer + ".pfx, _
        pfxpassword, true, true, false
  next

Command line statement:

Save_all_certs.vbs certbackup adsf-0324 1 iisserver2,iisserver3,iisserver4

Scenario 3: Copy a Certificate from an Existing Server to a New Server

Suppose you add a server to your server farm, install Windows Server and IIS. The script and command-line statement below will allow you to use the copy method of IISCertObj to copy a certificate to the new server. Save the script below as certcopy.vbs. Modify the command-line statement arguments to match your network resources. Then run the command-line statement.

Sample script (certcopy.vbs):

  dim iiscertobj, targetServer, targetServers, targetInstance
  set iiscertobj = WScript.CreateObject("IIS.IISCertObj")
  iiscertobj.ServerName = WScript.Arguments(1)
  iiscertobj.Instancename = WScript.Arguments(2)
  targetServers = split(",", WScript.Arguments(3))
  targetInstance = WScript.Arguments(4))
  iiscertobj.UserName = WScript.Arguments(5)
  iiscertobj.UserPassword = WScript.Arguments(6)

  for each targetServer in targetServers
    iiscertobj.Copy = targetServer, targetInstance
    iiscertobj.Import pfxfile, pfxfilepassword
  next

Command line statement:

Certcopy.vbs iisServer1 1 iisServer2 1 Administrator asdf-0324

IISCertObj Properties and Methods

This section lists the IISCertObj properties and methods supported in IIS 6.0.

Properties

Properties should be set before calling methods. Methods will return an error message if the required properties for that method are not available when the method is called.

The following properties are used to generate certificate requests.

ServerName ServerName is the name of the computer on which the certificate operations are executed.

HRESULT ServerName ([in] BSTR newVal);

UserName The UserName property allows you to specify the username used for logon to the remote machine. If UserName is empty, the credentials of the currently logged on user are used. To install a certificate into a remote certificate store, the user must have administrator privileges on the remote machine.

HRESULT UserName ([in] BSTR newVal);

UserPassword The UserPassword property allows you to specify the password used for logon to the remote machine.

HRESULT UserPassword ([in] BSTR newVal);

InstanceName Identifies the targeted instance of IIS.

HRESULT InstanceName ([in] BSTR newVal);

Methods

Export The Export method exports a copy of a certificate to a file. The target file may be on the local computer or on a remote computer.

HRESULT Export(BSTR FileName, BSTR Password, BSTR Password, _
BOOL bPrivateKey, BOOL bCertChain, BOOL bRemoveCert);

The Export method requires the following parameters:

FileName Specifies the name of the targeted file.
Password Contains the password used to secure the file specified as FileName.
bPrivateKey Specifies that the private key is exported (true) or not exported (false).
bCertChain Specifies that the certificate trust chain is to be exported (true) or not exported (false).
bRemoveCert Specifies that the binding of a certificate will be removed (true) or note removed (false).

Move The Move method allows you to move a certificate from one instance of IIS to another, and from from one computer to another.

    HRESULT Import(BSTR DestinationServerName, BSTR DestinationServerInstance, _
            [optional] BSTR DestinationServer UserName, _
            [optional] BSTR DestinationServer Password);

The Move method uses the following parameters:

DestinationServerName Identiifies the server to which the certificate will me moved.
DestinationServerInstance Identifies the instance of IIS to which the certificate will be pointed.
DestinationServerUserName Optional username for the destination server. If empty, the username of the currently logged on user is used.
DestinationServerPassword Optional password for the destination server when DestinationServerUserName is used.

Copy The Copy method allows you to copy a certificate from one instance of IIS to another, and from one computer to another.

    HRESULT Copy(BSTR DestinationServerName, BSTR DestinationServerInstance, _
            [optional] BSTR DestinationServer UserName, _
            [optional] BSTR DestinationServer Password);

The Copy method uses the following parameters:

DestinationServerName Identiifies the server to which the certificate will me moved.
DestinationServerInstance Identifies the instance of IIS to which the certificate will be pointed.
DestinationServerUserName Optional username for the destination server. If empty, the username of the currently logged on user is used.
DestinationServerPassword Optional password for the destination server when DestinationServerUserName is used.

IsInstalled The IsInstalled allows you to determine whether or not a certificate is installed on a computer specified by the ServerName property.

HRESULT IsInstalled(BSTR InstanceName, VARIANT_BOOL * retval)

The IsInstalled method uses the following parameters:

InstanceName Identifies the IIS instance to check for and installed certificate.