# IT:AD:IIS Express:HowTo:Configure SSL #

<callout type="Navigation" class="small">
  * [[../|(UP)]]
{{indexmenu>.#2|nsort tsort}}
  * See:
    * [[IT/AD/Certificates/HowTo/]]
    * [[IT/AD/PowerShell/HowTo/Create A Self-Signed Certificate/]]
</callout>

<panel title="Summary">
One advantage of [[IT/AD/IIS Express/]] over Cassini is that it allows developing with SSL, although one sometimes runs into issues.
</panel>

## Process ##

### Setting up SSL for a Project Using Visual Studio

To configure an ASP.NET project (ASP.NET MVC or WebAPI) to use SSL, proceed as follows:

  * within Visual Studio
  * within the Solution Explorer
  * select the Project
  * view its Properties
  * set Use SSL=true
  * A random five-digit port number starting with 443 will be assigned to the application.
  * Restart IIS Express (from the tray, Exit) or Visual Studio.

The above changes will be persisted as follows:

In the `*.csproj`, this will set `Project/PropertyGroup/IISExpressSSLPort` = 443378.

The changes will also be persisted within IIS Express' local or shared config file.

<callout icon="true" type="tip">
The location of IIS Express' config file depends on the `UseGlobalApplicationHostFile` setting in the *.csproj file. It will be either
  * `$(solutionDir)\.vs\config\applicationhost.config`
  * `%userprofile%\Documents\IISExpress\Config\ApplicationHost.config`
</callout>

The values added to the config file will be something like:

<sxh xml>
<site name="MyApp" id="16">
  <application path="/" applicationPool="Clr4IntegratedAppPool">
    <virtualDirectory path="/" physicalPath="D:\Blah\MyApp.AppHost" />
  </application>
  <bindings>
    <!-- The same port cannot be used for both http and https. In IIS (full), for example,
         it's usually the defaults of 80 and 443. Here, I'd recommend using 600xx and 443xx -->
    <binding protocol="http" bindingInformation="*:60011:localhost" />
    <binding protocol="https" bindingInformation="*:44311:localhost" />
  </bindings>
</site>
</sxh>

But there's also something else that happens. IIS Express associates the dev cert with the port defined above, in a way that is similar to the following:

<sxh powershell highlight:[6]>
# assuming the thumbprint of the IIS Express cert is c9cd18a22115d5266ed2cad570de8263b541c64f
# and assuming the appid IIS Express uses is always {214124cd-d05b-4309-9af9-9caa44b2b74a}
# assuming the port number is 44311
# remember to escape the curly brackets or it will fail with `The parameter is incorrect.`:
netsh http add sslcert ipport=0.0.0.0:44311 certhash=C9CD18A22115D5266ED2CAD570DE8263B541C64F appid=`{214124cd-d05b-4309-9af9-9caa44b2b74a`}

# if you get an error `Cannot create a file when that file already exists.` then delete the binding and try again:
netsh http delete sslcert ipport=0.0.0.0:44311
</sxh>

### Problems ###

But there are times where the above doesn't work. For one, Google has stopped accepting certs of the quality that IIS Express makes by default, and recommends that you make a new self-signed cert (see [[IT/AD/Certificate/HowTo/Create/]]) and install it by hand.

For example, if I were to replace the cert IIS Express gave me (thumbprint: `c9cd18a22115d5266ed2cad570de8263b541c64f`) with a newly generated cert (thumbprint: `284669368c2b55d0e422e2cba0a3c9aaa8a50337`), I can do it in one of the following two ways:

<callout icon="true" type="tip">
It is useful to know that IIS Express appears to always use an AppId of `214124cd-d05b-4309-9af9-9caa44b2b74a` (you can see this by invoking `netsh http show sslcert`).
</callout>

<sxh powershell highlight:[9]>
# do *one* site (port) only:

# always the same appId:
$appId = "`{214124cd-d05b-4309-9af9-9caa44b2b74a`}"
# use mmc.exe to get the thumbprint and notepad.exe to remove the spaces:
$localhostThumbprint = "284669368c2b55d0e422e2cba0a3c9aaa8a50337"
$port = 44311

netsh http delete sslcert ipport=0.0.0.0:$port
netsh http add sslcert ipport=0.0.0.0:$port certhash=$localhostThumbprint appid=$appId
</sxh>

<sxh powershell highlight:[8]>
# do *every* IIS Express port in one go:

# always the same appId:
$appId = "`{214124cd-d05b-4309-9af9-9caa44b2b74a`}"
# use mmc.exe to get the thumbprint and notepad.exe to remove the spaces:
$localhostThumbprint = "284669368c2b55d0e422e2cba0a3c9aaa8a50337"

For ($port=44300; $port -le 44399; $port++) { netsh http delete sslcert ipport=0.0.0.0:$port }
For ($port=44300; $port -le 44399; $port++) { netsh http add sslcert ipport=0.0.0.0:$port certhash=$localhostThumbprint appid=$appId }
</sxh>

### Chrome

Chrome can *still* remain difficult. Type the following into a new tab, enable the flag, and restart Chrome:

<sxh>
chrome://flags/#allow-insecure-localhost
</sxh>

## Resources ##

  * http://www.hanselman.com/blog/WorkingWithSSLAtDevelopmentTimeIsEasierWithIISExpress.aspx
  * http://www.lansweeper.com/kb/54/How-to-configure-SSL-in-IIS-Express.html
  * https://stackoverflow.com/questions/43676993/how-do-i-change-my-iis-express-ssl-certificate-for-one-that-will-work-with-chrom
  * https://gist.github.com/camieleggermont/5b2971a96e80a658863106b21c479988

Last modified: 2023/11/04 02:48 by 127.0.0.1
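After re-binding a port with `netsh http add sslcert` as in the two scripts above, it is worth checking that the binding really points at the intended certificate and that the certificate is one a current browser will accept, rather than finding out from a Chrome error page. The following PowerShell script is an added example for that check; it is not part of the original page or of IIS Express. It parses `netsh http show sslcert` for one port, confirms the binding uses the IIS Express AppId quoted above, looks the bound thumbprint up in `Cert:\LocalMachine\My`, and reports anything a browser would refuse. Assumptions (not from the page): English-language `netsh` output, the certificate living in the machine `My` store, and an elevated prompt; the default thumbprint and port are the ones used earlier on this page, and the Subject Alternative Name check reflects the fact that Chrome ignores the Common Name and requires a SAN entry for the host.

```powershell
# Added example: audit the IIS Express sslcert binding for one port.
# Assumptions (labelled): English netsh output; cert stored in Cert:\LocalMachine\My;
# the IIS Express appid quoted on the page; run from an elevated PowerShell prompt.
param(
    [int]$Port = 44311,                                                        # port from the page
    [string]$ExpectedThumbprint = "284669368c2b55d0e422e2cba0a3c9aaa8a50337",  # new cert from the page
    [string]$IisExpressAppId = "{214124cd-d05b-4309-9af9-9caa44b2b74a}"        # appid from the page
)

function Get-SslCertBinding {
    param([int]$Port)
    # netsh prints "Certificate Hash" and "Application ID" lines for a bound port; when
    # nothing is bound it prints an error instead, and the regex below simply fails.
    $text = (netsh http show sslcert ipport=0.0.0.0:$Port) -join "`n"
    if ($text -notmatch 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { return $null }
    $hash = $Matches[1]
    $appId = if ($text -match 'Application ID\s*:\s*(\{[0-9A-Fa-f\-]+\})') { $Matches[1] } else { $null }
    [pscustomobject]@{ Port = $Port; Thumbprint = $hash.ToUpperInvariant(); AppId = $appId }
}

function Test-IisExpressSslBinding {
    param([int]$Port, [string]$ExpectedThumbprint, [string]$IisExpressAppId)
    $findings = New-Object System.Collections.Generic.List[string]

    $binding = Get-SslCertBinding -Port $Port
    if (-not $binding) {
        $findings.Add("No sslcert binding on 0.0.0.0:$Port; add one with 'netsh http add sslcert'.")
        return $findings
    }
    if ($binding.AppId -ne $IisExpressAppId) {
        $findings.Add("Binding appid $($binding.AppId) is not the IIS Express appid $IisExpressAppId.")
    }
    if ($binding.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
        $findings.Add("Bound thumbprint $($binding.Thumbprint) differs from expected $ExpectedThumbprint (stale default cert?).")
    }

    # The binding only names a thumbprint; the cert itself must still exist in the store.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $binding.Thumbprint }
    if (-not $cert) {
        $findings.Add("Thumbprint $($binding.Thumbprint) is bound but absent from Cert:\LocalMachine\My; HTTPS will fail.")
        return $findings
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        $findings.Add("Certificate '$($cert.Subject)' expired on $($cert.NotAfter).")
    }
    if ($cert.Subject -eq $cert.Issuer) {
        $findings.Add("Certificate is self-signed; it must also be in the Trusted Root store for the browser to accept it.")
    }
    # OID 2.5.29.17 is Subject Alternative Name; Chrome ignores the CN and requires a SAN for localhost.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) {
        $findings.Add("Certificate has no Subject Alternative Name; current browsers reject it even when trusted.")
    } elseif ($san.Format($false) -notmatch 'localhost') {
        $findings.Add("SAN does not list localhost: $($san.Format($false))")
    }
    return $findings
}

$result = Test-IisExpressSslBinding -Port $Port -ExpectedThumbprint $ExpectedThumbprint -IisExpressAppId $IisExpressAppId
if ($result.Count -eq 0) {
    Write-Output "OK: 0.0.0.0:$Port is bound to a valid, SAN-bearing certificate under the IIS Express appid."
} else {
    $result | ForEach-Object { Write-Output "WARN: $_" }
}
```

Run it as `.\Test-IisExpressSsl.ps1 -Port 44311 -ExpectedThumbprint <thumbprint>` after the `netsh http add sslcert` step. A "stale default cert" warning after the all-ports loop usually means the loop ran without elevation and the delete/add calls silently failed; an "absent from Cert:\LocalMachine\My" warning means the thumbprint was bound but the cert was created in the CurrentUser store instead, which HTTP.sys cannot use.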