Skip to main content

Assign an existing certificate to your IIS website with WiX - Part 2 (PowerShell version)

In my previous post I explained how to assign an existing certificate with a custom action. Because of all kind of IIS Manager related failures I had on my work with this solution I did some research and constructed a version based on the usage of a PowerShell step within the WiX installer.

PowerShellWixExtension

In this new scenario I use the PowerShellWixExtension written by David Gardiner which I found on GitHub. To use this extension you have to add a reference to the PowerShellWixExtension.dll in your WiX Setup project. I added this reference with the published NuGet package. Search for PowershellWixExtension in the store. The further steps to use this library are documented on the GitHub page.

PowerShell script

Add to your WiX setup project a PowerShell file name Add-ExistingCertificateToBinding.ps1 which will contain the steps to find and add the certificate to an existing IIS binding.

Add the below PowerShell code to this file.
param (
    [Parameter(Mandatory = $False, HelpMessage = "The name of the IIS site.")]
    [string] $siteName = "Default Web Site",

    [Parameter(Mandatory = $False, HelpMessage = "The IP address which the IIS binding uses.")]
    [string] $ip,

    [Parameter(Mandatory = $False, HelpMessage = "The port number which the IIS binding uses.")]
    [string] $port = 443,

    [Parameter(Mandatory = $False, HelpMessage = "The host name which the IIS binding uses.")]
    [string] $hostname,

    [Parameter(Mandatory = $True, HelpMessage = "The common name of the client certificate to use..")]
    [string] $certificateCommonName
)

function Execute-WithRetry([ScriptBlock] $command) {
    $attemptCount = 0
    $operationIncomplete = $true
    $maxFailures = 5
    $sleepBetweenFailures = 1

    while ($operationIncomplete -and $attemptCount -lt $maxFailures) {
        $attemptCount = ($attemptCount + 1)

        if ($attemptCount -ge 2) {
            Write-Host "Waiting for $sleepBetweenFailures seconds before retrying..."
            Start-Sleep -s $sleepBetweenFailures
            Write-Host "Retrying..."
        }

        try {
            # Call the script block
            & $command

            $operationIncomplete = $false
        }
        catch [System.Exception] {
            if ($attemptCount -lt ($maxFailures)) {
                Write-Host ("Attempt $attemptCount of $maxFailures failed: " + $_.Exception.Message)
            }
            else {
                throw
            }
        }
    }
}

function Ensure-IISAdministration {
    [CmdletBinding()]
    param ()

    $version = "1.1.0.0"

    if (-not (Get-Module IISAdministration -ListAvailable | Where-Object { $_.Version -eq $version })) {
        Install-Module IISAdministration -RequiredVersion $version -Scope AllUsers -Force
        Write-Host "IISAdministration version '$version' installed on machine."
    }
}

function Get-ClientCertificate {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $True)]
        [string] $CommonName
    )

    $certificates = (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject.StartsWith("CN=$CommonName") })

    $now = Get-Date
    $validCertificate = $null
    $notAfter = $now

    foreach ($certificate in $certificates) {
        if ($certificate.NotBefore -le $now -and $certificate.NotAfter -ge $notAfter) {
            $validCertificate = $certificate
        }
    }

    Write-Verbose ("Found valid certificate '{0}' with expiration date '{1}'." -f $validCertificate.Subject, $validCertificate.NotAfter)

    return $validCertificate
}

function Add-ExistingCertificateToBinding {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $False, HelpMessage = "The name of the IIS site.")]
        [string] $siteName = "Default Web Site",

        [Parameter(Mandatory = $False, HelpMessage = "The IP address which the IIS binding uses.")]
        [string] $ip,

        [Parameter(Mandatory = $False, HelpMessage = "The port number which the IIS binding uses.")]
        [string] $port = 443,

        [Parameter(Mandatory = $False, HelpMessage = "The host name which the IIS binding uses.")]
        [string] $hostname,

        [Parameter(Mandatory = $True, HelpMessage = "The common name of the client certificate to use..")]
        [string] $certificateCommonName
    )

    Ensure-IISAdministration

    if ($ip -eq "*") {
        $ip = $null
    }

    $bindingInformation = $ip + ":" + $port + ":" + $hostname

    $certificate = Get-ClientCertificate -CommonName $certificateCommonName

    if ($certificate -eq $null) {
        Throw "Certificate '$certificateCommonName' not found on server '$ENV:COMPUTERNAME'."
    }

    $binding = Get-IISSiteBinding -Name $siteName -BindingInformation $bindingInformation

    $sslFlag = "None"

    if ($Hostname) {
        $sslFlag = "Sni"
    }

    if ($binding -eq $null) {
        Execute-WithRetry {
            New-IISSiteBinding -Name $siteName -BindingInformation $bindingInformation -Protocol https -CertificateThumbPrint $certificate.Thumbprint -SslFlag $sslFlag -CertStoreLocation Cert:\LocalMachine\My
        }

        Write-Host ("Added web site binding '{0}' to IIS website '{1}'." -f $bindingInformation, $siteName)
    }
    else {
        Execute-WithRetry {
            Remove-IISSiteBinding -Name $siteName -BindingInformation $bindingInformation -Protocol https -RemoveConfigOnly -Confirm:$False
            New-IISSiteBinding -Name $siteName -BindingInformation $bindingInformation -Protocol https -CertificateThumbPrint $certificate.Thumbprint -SslFlag $sslFlag -CertStoreLocation Cert:\LocalMachine\My
        }

        Write-Host ("Modified existing web site binding '{0}' for IIS website '{1}'." -f $bindingInformation, $siteName)
    }
}

Add-ExistingCertificateToBinding -siteName $siteName -ip $ip -port $port -hostname $hostname -certificateCommonName $certificateCommonName

WiX configuration

In the WiX file we have to call this PowerShell function and pass the necessary parameters.
<!-- Add existing client certificate to HTTPS binding -->
<powershell:File Id="AddExistingCertificateToBindingAction"
                 File="[#AddExistingCertificateToBinding]"
                 Arguments="-siteName "[WEBSITE_DESCRIPTION]" -ip "[WEBSITE_BINDING_IP]" -port "[WEBSITE_BINDING_PORT]" -hostName "[WEBSITE_BINDING_URL]" -certificateCommonName "[CERTIFICATE_COMMON_NAME]"" />
We also have to instruct the WIX installer to execute this step after the install is finalized.
<InstallExecuteSequence>
  <Custom Action="PowerShellFilesDeferred" Before="InstallFinalize">NOT Installed</Custom>
</InstallExecuteSequence>

Comments

Popular posts from this blog

CS8357: The specified version string contains wildcards, which are not compatible with determinism.

Today I was busy with creating a WCF service solution in Visual Studio Enterprise 2017 (15.9.2). In this solution I use a few C# class libraries based on .NET 4.7.2. When I compiled the solution I got this error message: Error CS8357: The specified version string contains wildcards, which are not compatible with determinism. Either remove wildcards from the version string, or disable determinism for this compilation The error message is linking to my AssemblyInfo.cs file of the Class library projects. In all the projects of this solution I use the wildcard notation for generating build and revision numbers. // Version information for an assembly consists of the following four values: // // Major Version // Minor Version // Build Number // Revision // // You can specify all the values or you can default the Build and Revision Numbers // by using the '*' as shown below: // [assembly: AssemblyVersion("1.0.*")] [assembly: AssemblyVersion("1.0....

Fixing HTTP Error 401.2 unauthorized on local IIS

Sometimes the Windows Authentication got broken on IIS servers so you cannot log in locally on the server. In that case you get the dreadfully error message HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers. To fix this issue you can repair the Windows Authentication feature with the following PowerShell commands: Remove-WindowsFeature Web-Windows-Auth Add-WindowsFeature Web-Windows-Auth

Assign an existing certificate to your IIS website with WiX

Recently I had to change the bindings of existing IIS hosted websites and APIs from HTTP to HTTPS. They are installed with a MSI file created with the WiX Toolset . Because I have to use an already on the server installed certificate I cannot use the Certificate element from the IIS Extension because this element only supports installing and uninstalling certificates based on PFX files. After doing some research I found the blog article Assign Certificate (Set HTTPS Binding certificate) to IIS website from Wix Installer which described the usage of Custom Actions for this purpose. I adopted this approach and rewrote the code for my scenario. With WiX I still create the website. <iis:WebSite Id="WebSite" ConfigureIfExists="yes" AutoStart="yes" Description="MyWebsite" Directory="IISROOT" StartOnInstall="yes"> <iis:WebAddress Id="WebSite...