This repository was archived by the owner on Aug 30, 2022. It is now read-only.

Configuring SSL Support on Windows

Joel Christner edited this page Jun 1, 2020 · 5 revisions

Configuring SSL support on Windows requires several steps, each of which is documented here.

Install the SSL Certificate

Once you have your .CER file, open the MMC and add the Certificate Manager snap-in for both the Computer account and for the My User Account. Under each, right-click 'Certificates' under 'Personal', then click Import. Import the certificate into both locations.

Gather the Certificate Thumbprint

Once the certificate is installed and visible in Certificate Manager, double-click the certificate and go to the Details tab. Scroll down to 'Thumbprint' and left-click it. We will need this value, but the properties window often embeds special characters in it, hidden from view, that cause netsh commands to fail.

As a result, I like to manually type the first two characters and the last two characters of the thumbprint into Notepad, then copy and paste the rest (after copying from the Thumbprint in the properties window), and then remove all whitespace.

Then execute the following command:

C:\Users\Administrator>netsh http add sslcert ipport="0.0.0.0:443" certhash="[thumbprint]" appid="{00000000-0000-0000-0000-000000000000}" certstore=My 

Supplying 0.0.0.0 binds the certificate on every IP address of the machine. Replace 0.0.0.0:443 with the specific IP and port you are using if necessary. Replace [thumbprint] with the actual certificate thumbprint. The appid value is arbitrary; any GUID will do.

Verify Certificate Installation

From the Command Prompt, type netsh http show sslcert to verify that your certificate is installed. The output will appear as follows:

C:\Users\Administrator>netsh http show sslcert

SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : d0013e91aab93f437a4443b13e6d18bd60f0279c
    Application ID               : {00112233-4455-6677-8899-aabbccddeeff}
    Certificate Store Name       : (null)
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

Check for Existing Bindings

If a URL reservation (binding) already exists for the port you wish to use, you must delete it first. Check your existing reservations using:

C:\Users\Administrator>netsh http show urlacl

URL Reservations:
-----------------
    Reserved URL            : https://host.domain.com:443/
        User: \Everyone
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;WD)

To delete a pre-existing binding, use:

C:\Users\Administrator> netsh http delete urlacl url=https://host.domain.com:443/

Add the Binding

Now add the binding. It is generally best to use a specific hostname in the URL rather than the + wildcard, which matches any hostname.

C:\Users\Administrator> netsh http add urlacl url=https://host.domain.com:443/ user=everyone listen=yes
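The steps above (cleaning the thumbprint, binding the certificate, replacing the URL reservation and verifying the result) can be driven from a single elevated PowerShell session. The script below is an added example and is not part of the Kvpbase wiki or the project's code. It assumes the certificate has already been imported into the LocalMachine\My store, that host.domain.com and the CN=host.domain.com subject are placeholders for your own hostname and certificate, and that it is run from an Administrator prompt; the helper ConvertTo-CleanThumbprint is a hypothetical name introduced here.

```powershell
# Added example (not the project's code): bind an HTTPS certificate and reserve
# the URL with netsh from PowerShell. Assumes an elevated prompt and a certificate
# already imported into Cert:\LocalMachine\My.
#Requires -RunAsAdministrator

$Subject = 'CN=host.domain.com'          # placeholder: the subject of your certificate
$IpPort  = '0.0.0.0:443'                 # listen on every address, port 443
$Url     = 'https://host.domain.com:443/' # specific hostname, not the + wildcard

# Step 1: the Certificate properties dialog copies hidden characters (for
# example the U+200E left-to-right mark) and spaces along with the thumbprint.
# Strip everything that is not a hex digit and require the 40 digits of a
# SHA-1 thumbprint, so a bad paste fails here rather than inside netsh.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string] $Raw)
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Thumbprint has $($clean.Length) hex digits after cleaning; expected 40."
    }
    return $clean
}

# Step 2: look the certificate up in the machine store by subject instead of
# trusting a pasted value; pick the one with a private key that expires last.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $Subject" }
$thumb = ConvertTo-CleanThumbprint $cert.Thumbprint

# Step 3: remove any existing certificate binding on the ip:port, then bind
# this certificate. The appid only has to be a valid GUID, so generate one;
# the 'B' format adds the braces netsh expects.
$appId = [guid]::NewGuid().ToString('B')
netsh http delete sslcert "ipport=$IpPort" 2>$null | Out-Null
netsh http add sslcert "ipport=$IpPort" "certhash=$thumb" "appid=$appId" certstore=My
if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed' }

# Step 4: a pre-existing reservation for the URL must be deleted before a new
# one can be added, so delete first and then reserve the specific hostname.
netsh http delete urlacl "url=$Url" 2>$null | Out-Null
netsh http add urlacl "url=$Url" user=Everyone listen=yes
if ($LASTEXITCODE -ne 0) { throw 'netsh http add urlacl failed' }

# Step 5: show both pieces of HTTP.sys state for verification.
netsh http show sslcert "ipport=$IpPort"
netsh http show urlacl "url=$Url"
```

Run it once per certificate renewal: because the script finds the certificate by subject and private key rather than by a hand-copied hash, re-running it after importing a renewed certificate replaces the old binding with the new thumbprint. If you prefer to paste the thumbprint from the dialog instead, pass that pasted string to ConvertTo-CleanThumbprint and it will reject anything that is not exactly 40 hex digits.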

Configure the Node

Modify the System.json file to enable SSL using Server.Ssl and ensure the Server.Port value matches that of the binding. The HTTP server will rely on certificates as installed in the operating system.

Verification

Now, start Kvpbase. In your browser, access the home page using https://[hostname]:[port]/.
