[This is preliminary documentation and subject to change]
A new COM object, IISCertObj, allows you to use scripts to manage certificates remotely and programmatically. With IISCertObj you can:
This topic contains the following subjects:
To learn about obtaining SSL server certificates, see Obtaining a Server Certificate.
This section lists the IISCertObj properties and methods supported in IIS 6.0.
Properties should be set before calling methods. Methods will return an error message if the required properties for that method are not available when the method is called.
The following properties are used to generate certificate requests.
ServerName
The ServerName property contains the name of the computer on which certificate operations are executed.
| Attribute Name | Attribute Value |
| --- | --- |
| Data Type | String |
UserName
The UserName property allows you to specify the username used for logon to the remote machine. If UserName is empty, the credentials of the currently logged on user are used. To install a certificate into a remote certificate store, the user must have administrator privileges on the remote machine.
| Attribute Name | Attribute Value |
| --- | --- |
| Data Type | String |
UserPassword
The UserPassword property allows you to specify the password used for logon to the remote machine.
| Attribute Name | Attribute Value |
| --- | --- |
| Data Type | String |
InstanceName
The InstanceName property identifies the targeted metabase instance. W3svc/1 is an example.
| Attribute Name | Attribute Value |
| --- | --- |
| Data Type | String |
Export
The Export method exports a copy of a certificate to a file. The target file may be on the local computer or on a remote computer.
Export(FileName, Password, bPrivateKey, bCertChain, bRemoveCert)
The Export method requires the following parameters:
| Name | Data Type | Description |
| --- | --- | --- |
| FileName | String | Specifies the name of the targeted file. Example is c:\mydir\mycert.pfx |
| Password | String | Contains the password used to secure the file specified as FileName. |
| bPrivateKey | Boolean | Specifies that the private key is exported (true) or not exported (false). |
| bCertChain | Boolean | Specifies that the certificate trust chain is to be exported (true) or not exported (false). |
| bRemoveCert | Boolean | Specifies that the binding of the certificate will be removed (true) or not removed (false). |
Import
The Import method imports a copy of a certificate from a file to the local computer or a remote computer.
Import(FileName, Password)
The Import method requires the following parameters:
| Name | Data Type | Description |
| --- | --- | --- |
| FileName | String | Specifies the name of the certificate file to import. |
| Password | String | Contains the password used to secure the file specified as FileName. |
Move
The Move method allows you to move a certificate from one instance of IIS to another, and from one computer to another.
Move (DestinationServerName, DestinationServerInstance, DestinationServerUserName, DestinationServerPassword)
The Move method uses the following parameters:
| Name | Data Type | Description |
| --- | --- | --- |
| DestinationServerName | String | Identifies the server to which the certificate will be moved. |
| DestinationServerInstance | String | Identifies the IIS metabase instance to which the certificate will be bound. Example is w3svc/1. |
| DestinationServerUserName | String | Optional username for the destination server. If empty, the currently logged on user is used. |
| DestinationServerPassword | String | Password for the destination server when DestinationServerUserName is used. |
Copy
The Copy method allows you to copy a certificate from one instance of IIS to another, and from one computer to another.
Copy (DestinationServerName, DestinationServerInstance, DestinationServerUserName, DestinationServerPassword)
The Copy method uses the following parameters:
| Name | Data Type | Description |
| --- | --- | --- |
| DestinationServerName | String | Identifies the server to which the certificate will be copied. |
| DestinationServerInstance | String | Identifies the IIS metabase instance to which the certificate will be bound. Example is w3svc/1. |
| DestinationServerUserName | String | Optional username for the destination server. If empty, the currently logged on user is used. |
| DestinationServerPassword | String | Password for the destination server when DestinationServerUserName is used. |
IsInstalled
The IsInstalled method allows you to determine whether or not a certificate is installed on a computer specified by the ServerName property.
IsInstalled(InstanceName)
The IsInstalled method uses the following parameters:
| Name | Data Type | Description |
| --- | --- | --- |
| InstanceName | String | Identifies the IIS metabase instance to check for an installed certificate. Example is w3svc/1. |
After acquiring an SSL server certificate from a certificate authority, distributing copies to all the servers requires one or more of the following steps:
In IIS 6.0, using Windows Script Host (WSH) or Active Server Pages (ASP), you can execute scripts that communicate with IISCertObj, programmatically importing, archiving, and exporting certificates.
Large sites often need to use one SSL certificate for secure user logon to multiple servers. It would be very time-consuming to use the MMC snap-in to add copies of the certificate to each server. What you need is a scripted solution that installs copies of the same certificate to all the targeted servers.
Save the following script as CertImport.vbs. Modify the command-line statement arguments to match your network resources. Then use the command-line statement to import a certificate from a certificate store on one server to other servers that require it.
Option Explicit
Dim iiscertobj, pfxfile, pfxfilepassword, InstanceName, WebFarmServers, IISServer
Set iiscertobj = WScript.CreateObject("IIS.CertObj")
' Arguments: PFX file, PFX password, metabase instance, comma-separated server list, logon name, logon password
pfxfile = WScript.Arguments(0)
pfxfilepassword = WScript.Arguments(1)
InstanceName = WScript.Arguments(2)
WebFarmServers = Split(WScript.Arguments(3), ",")
iiscertobj.UserName = WScript.Arguments(4)
iiscertobj.UserPassword = WScript.Arguments(5)
' Import the same PFX file into the named instance on every server in the farm
For Each IISServer In WebFarmServers
    iiscertobj.ServerName = IISServer
    iiscertobj.InstanceName = InstanceName
    ' Import takes only the file name and its password; the target instance comes from the InstanceName property
    iiscertobj.Import pfxfile, pfxfilepassword
Next
Command-line statement:
Certimport.vbs cert.pfx pfxpassword w3svc/1 iisserver1,iisserver2,iisserver3 Administrator aal34290
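The following script is an added example, not part of the original topic: it combines IsInstalled with Import so that each farm server is checked before anything is imported (re-running the rollout is then safe), and it reads both passwords from standard input instead of the command line so they do not appear in process listings or shell history. It assumes cscript.exe (WScript.StdIn is unavailable under wscript.exe) and that a failed IISCertObj call raises a COM error that VBScript exposes through the Err object.

```vbscript
' CertAudit.vbs (added example): report which farm servers already have a certificate
' bound to the instance and import the PFX only where it is missing.
' Assumption: a failing IISCertObj method raises a COM error caught via Err.
Option Explicit
Dim iiscertobj, pfxfile, instanceName, servers, server
Dim adminUser, adminPassword, pfxPassword, installed, failures
If WScript.Arguments.Count < 4 Then
    WScript.Echo "Usage: cscript CertAudit.vbs <pfxfile> <instance> <server1,server2,...> <username>"
    WScript.Quit 1
End If
pfxfile      = WScript.Arguments(0)
instanceName = WScript.Arguments(1)
servers      = Split(WScript.Arguments(2), ",")
adminUser    = WScript.Arguments(3)
' Read both secrets from standard input so they never appear in the process command line
WScript.StdOut.Write "Logon password: "
adminPassword = WScript.StdIn.ReadLine
WScript.StdOut.Write "PFX password: "
pfxPassword = WScript.StdIn.ReadLine
Set iiscertobj = WScript.CreateObject("IIS.CertObj")
iiscertobj.UserName     = adminUser
iiscertobj.UserPassword = adminPassword
iiscertobj.InstanceName = instanceName
failures = 0
For Each server In servers
    iiscertobj.ServerName = server
    On Error Resume Next
    Err.Clear
    ' Assign the result first: an error inside an If condition under Resume Next would run the Then block
    installed = iiscertobj.IsInstalled(instanceName)
    If Err.Number <> 0 Then
        WScript.Echo server & ": IsInstalled failed (0x" & Hex(Err.Number) & ") " & Err.Description
        failures = failures + 1
    ElseIf installed Then
        WScript.Echo server & ": " & instanceName & " already has a certificate, skipping"
    Else
        iiscertobj.Import pfxfile, pfxPassword
        If Err.Number <> 0 Then
            WScript.Echo server & ": Import failed (0x" & Hex(Err.Number) & ") " & Err.Description
            failures = failures + 1
        Else
            WScript.Echo server & ": imported " & pfxfile & " to " & instanceName
        End If
    End If
    On Error GoTo 0
Next
' Exit code is the number of servers that could not be verified or updated, for use from batch files
WScript.Quit failures
```

Run it as `cscript CertAudit.vbs cert.pfx w3svc/1 iisserver1,iisserver2,iisserver3 Administrator` and type the two passwords when prompted; a non-zero exit code means at least one server still needs attention.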
Using the IISCertObj Export method, you can archive a backup of each certificate on your server farm to a central site.
Save the following script as Save_all_certs.vbs in your text editor. Modify the command-line statement arguments to match your network resources. Then use the command-line statement to export copies of certificates to the central site.
Option Explicit
Dim iiscertobj, targetServer, targetServers, pfxbasename, pfxpassword, InstanceName
Set iiscertobj = WScript.CreateObject("IIS.CertObj")
' Arguments: PFX base name, PFX password, metabase instance, comma-separated server list, logon name, logon password
pfxbasename = WScript.Arguments(0)
pfxpassword = WScript.Arguments(1)
InstanceName = WScript.Arguments(2)
targetServers = Split(WScript.Arguments(3), ",")
iiscertobj.UserName = WScript.Arguments(4)
iiscertobj.UserPassword = WScript.Arguments(5)
iiscertobj.InstanceName = InstanceName
' Export each server's certificate (with its private key, without the chain, leaving the binding in place)
' to a file named after the server, e.g. certbackupiisserver2.pfx
For Each targetServer In targetServers
    iiscertobj.ServerName = targetServer
    iiscertobj.Export pfxbasename & targetServer & ".pfx", pfxpassword, True, False, False
Next
Command-line statement:
Save_all_certs.vbs certbackup adsf-0324 w3svc/1 iisserver2,iisserver3,iisserver4 Administrator aal34290
The script and command-line statement below allow you to use the Copy method of IISCertObj to copy a certificate to a new server added to a server farm.
Save the script below as certcopy.vbs. Modify the command-line statement arguments to match your network resources. Then run the command-line statement.
Option Explicit
Dim iiscertobj, targetServer, targetServers, targetInstance
Set iiscertobj = WScript.CreateObject("IIS.CertObj")
' Source server and instance that currently hold the certificate
iiscertobj.ServerName = WScript.Arguments(0)
iiscertobj.InstanceName = WScript.Arguments(1)
' Destination servers and the instance to bind the certificate to on each of them
targetServers = Split(WScript.Arguments(2), ",")
targetInstance = WScript.Arguments(3)
' Credentials used to connect to the source server
iiscertobj.UserName = WScript.Arguments(4)
iiscertobj.UserPassword = WScript.Arguments(5)
For Each targetServer In targetServers
    ' DestinationServerUserName and DestinationServerPassword are omitted, so the currently logged on user is used on each target
    iiscertobj.Copy targetServer, targetInstance
Next
Command-line statement:
Certcopy.vbs iisServer1 w3svc/1 iisServer2 w3svc/1 Administrator asdf-0324