Setting the server name indication (SNI) unbinds the certificate

I use Microsoft.Web.Administration (inside a WiX CustomAction) to configure the server name and bind to an existing server certificate on an IIS 8.5 site.

Turns out, setting SNI unbinds the certificate. The following simplified code shows the situation:

using System.Linq;
using Microsoft.Web.Administration;

// find the existing ip:port:host binding for this site
var binding = site.Bindings.FirstOrDefault(x => x.IsIPPortHostBinding && x.Host == sitename);

// attach the certificate (hash + store name)
binding.CertificateHash = certificate.GetCertHash();
binding.CertificateStoreName = store.Name;

// this statement is causing the certificate info to get messed up.
binding["sslFlags"] = 1; // or binding.SetAttributeValue("sslFlags", 1);

Results:

With binding["sslFlags"] = 1: [screenshot]

Without binding["sslFlags"] = 1: [screenshot]

Is this a mistake or am I missing something? How can I bind both SNI and certificate?

+2
2 answers

The Microsoft.Web.Administration v7.0 package from NuGet targets IIS 7.

Use the Microsoft.Web.Administration assembly that ships with IIS (IIS 8.5 in your case).

Then:

binding.CertificateHash = certificate.GetCertHash();
binding.CertificateStoreName = store.Name;

binding.SslFlags = SslFlags.Sni;  // <<< notice it has helpful enums
+2
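As an added example (not code from the question or either answer), the following routine binds a certificate and enables SNI through the typed API the answer above points to, then re-reads the configuration to confirm that the certificate hash survived the commit. It assumes the Microsoft.Web.Administration assembly that ships with IIS 8.0 or later (%windir%\System32\inetsrv\Microsoft.Web.Administration.dll), an existing site, and that it runs elevated on the IIS host; the class and method names are my own.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Administration;

// Added example, not from the original page. Assumes the IIS 8+ build of
// Microsoft.Web.Administration (typed Binding.SslFlags) and elevated execution.
public static class SniBinding
{
    // Adds (or updates) the https binding for hostName on siteName, attaches the
    // certificate identified by thumbprint, enables SNI and commits the change.
    public static void BindWithSni(string siteName, string hostName, string thumbprint)
    {
        // Look the certificate up by thumbprint: unlike FindBySubjectName this can only
        // match one certificate, and validOnly=true skips expired or untrusted ones.
        byte[] certHash;
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: true);
            if (matches.Count != 1)
                throw new InvalidOperationException(
                    $"Expected exactly one valid certificate with thumbprint {thumbprint}, found {matches.Count}.");
            certHash = matches[0].GetCertHash();
        }
        finally
        {
            store.Close();
        }

        using (var serverManager = new ServerManager())
        {
            var site = serverManager.Sites[siteName]
                       ?? throw new InvalidOperationException($"Site '{siteName}' not found.");

            var bindingInfo = $"*:443:{hostName}";
            var binding = site.Bindings.FirstOrDefault(b =>
                b.Protocol == "https" && b.BindingInformation == bindingInfo);

            if (binding == null)
            {
                // IIS 8+ overload: certificate and SNI flag are set in one call, so no
                // later untyped attribute write can clear the certificate again.
                binding = site.Bindings.Add(bindingInfo, certHash, "My", SslFlags.Sni);
            }
            else
            {
                binding.CertificateHash = certHash;
                binding.CertificateStoreName = "My";
                binding.SslFlags = SslFlags.Sni;   // typed enum instead of binding["sslFlags"] = 1
            }

            serverManager.CommitChanges();
        }
    }

    // Re-opens the configuration and checks that the binding kept both the
    // certificate and the SNI flag; call this after BindWithSni.
    public static bool VerifyBinding(string siteName, string hostName, string thumbprint)
    {
        using (var serverManager = new ServerManager())
        {
            var binding = serverManager.Sites[siteName]?.Bindings
                .FirstOrDefault(b => b.Protocol == "https" && b.Host == hostName);
            if (binding == null || binding.CertificateHash == null)
                return false;

            var boundThumbprint = BitConverter.ToString(binding.CertificateHash).Replace("-", "");
            return string.Equals(boundThumbprint, thumbprint, StringComparison.OrdinalIgnoreCase)
                && binding.SslFlags.HasFlag(SslFlags.Sni);
        }
    }
}
```

VerifyBinding is the check worth keeping in an installer: the question's symptom is a binding whose sslFlags is set but whose certificate hash is gone, and a fresh ServerManager read after CommitChanges is the only way to see what actually landed in applicationHost.config rather than what the in-memory object held before the commit.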

Microsoft.Web.Administration 7.0.0.0:

using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Administration;

public static void CreateSiteHttps(string siteName, string physicalPath)
{
    using (var serverManager = new ServerManager())
    {
        var applicationPool = serverManager.ApplicationPools.Add(siteName);
        applicationPool["startMode"] = "AlwaysRunning";

        // look the certificate up in the machine's Personal store
        var x509Store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        x509Store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadWrite);

        var certificate = x509Store.Certificates.Find(X509FindType.FindBySubjectName, "MyCertSubjectName", false)[0];

        var hash = certificate.GetCertHash();
        x509Store.Close();

        // the certificate hash is passed when the site (and its first binding) is created
        var site = serverManager.Sites.Add(siteName, $"*:443:{siteName}", physicalPath, hash);
        site.ServerAutoStart = true;
        site.Bindings[0]["sslFlags"] = 1; // 1 = SNI; the 7.0.0.0 assembly exposes sslFlags only as an untyped attribute
        site.ApplicationDefaults.ApplicationPoolName = applicationPool.Name;
        site.ApplicationDefaults.EnabledProtocols = "http,https";

        serverManager.CommitChanges();
    }
}
+1
