Changing the default self-signed certificate for a Website in WebMatrix

When you install WebMatrix, it performs a couple of SSL-related tasks in the background, even before you create a website in WebMatrix:

  • Creates a self-signed certificate with ‘localhost-iisexpress’ as the common name. This certificate is valid for 10 years and is installed in the local computer account’s Personal store, commonly known as “My”.
  • Configures http.sys on ports 44300-44399 to allow SSL connections for the websites hosted in WebMatrix. WebMatrix uses port 44300 for https for the first site, 44301 for the next, and so on. To allow SSL browsing for a site, http.sys needs to know the IP:port combination, the hash of the certificate to use, and an AppID that identifies the application owning the binding. The certificate hash comes from the certificate created in the previous step, and WebMatrix uses {214124cd-d05b-4309-9af9-9caa44b2b74a} as the AppID.

You can add any ip:port you want to http.sys, but to make one of the WebMatrix sites use that port you would need to put the binding into applicationHost.config manually. You can use httpcfg (WinXP/Win2K3) or netsh (WinVista, Win2K8, Win7) for this. You can also replace the default certificate with any other certificate whose intended purpose is “Server Authentication”.

Steps to change the certificate:

  • Get the certificate and install it in the computer account’s store.
  • Get the certificate hash (thumbprint) of the certificate. You can find it on the Details tab when you view the certificate. Remove all spaces from this hash so that it is a single string without spaces (d7647e15a698c035e4cd33c118b4dfb5ebfa1b65 in this case).


  • Get the AppID/GUID of the application. This is an arbitrary GUID that identifies the application and lets you find the binding again later. Either of these commands lists the current bindings with their AppIDs:
    • netsh http show sslcert
    • httpcfg query ssl

You can use the AppID shown by these commands. It is the same for all WebMatrix websites.

  • Delete the existing entry for port 44300 (or for whichever port’s binding and/or certificate you want to modify):
    • netsh http delete sslcert ipport=<IP:Port>   Eg: netsh http delete sslcert ipport=0.0.0.0:44300
    • httpcfg delete ssl /i <IP:Port>   Eg: httpcfg delete ssl /i 0.0.0.0:44300
  • Add the new entry for the port you want to use and the hash of the certificate to be used. The certhash comes from the thumbprint step and the appid from the AppID step above. For the add sslcert command, ipport, certhash and appid are all required parameters; none of them can be omitted. You can find more information on netsh usage in the netsh documentation.
    • netsh http add sslcert ipport=<IP:Port> certhash=<certhash> appid=<appid>   Eg: netsh http add sslcert ipport=0.0.0.0:443 certhash=d7647e15a698c035e4cd33c118b4dfb5ebfa1b65 appid={214124cd-d05b-4309-9af9-9caa44b2b74a}
    • httpcfg set ssl /i <IP:Port> /h <certhash> /g <appid>   Eg: httpcfg set ssl /i 0.0.0.0:443 /h d7647e15a698c035e4cd33c118b4dfb5ebfa1b65 /g {214124cd-d05b-4309-9af9-9caa44b2b74a}
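The whole procedure above as one PowerShell function (an added example, not code from the original post or from WebMatrix): it normalizes the thumbprint, verifies the certificate is really in LocalMachine\My with a private key and the Server Authentication purpose, then replaces the http.sys binding with netsh. The function name is invented; the AppID and thumbprint are the values from this post, and the script must run from an elevated prompt.

```powershell
# Added example, not part of the original post. Run as Administrator.
$WebMatrixAppId = '{214124cd-d05b-4309-9af9-9caa44b2b74a}'   # AppID WebMatrix uses
$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'                         # "Server Authentication" EKU

function Set-HttpSysSslBinding {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,   # may still contain the spaces shown in the UI
        [string] $IpPort = '0.0.0.0:44300',
        [string] $AppId  = $WebMatrixAppId
    )

    # The hash must be a single string without spaces (40 hex digits for SHA-1).
    $hash = ($Thumbprint -replace '\s', '').ToLowerInvariant()
    if ($hash -notmatch '^[0-9a-f]{40}$') {
        throw "Thumbprint '$Thumbprint' is not a 40-digit hex SHA-1 hash"
    }

    # The certificate has to sit in the computer account's "My" store, have a
    # private key http.sys can use, be unexpired, and carry Server Authentication.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $hash }
    if (-not $cert)                       { throw "No certificate $hash in LocalMachine\My" }
    if (-not $cert.HasPrivateKey)         { throw "Certificate $hash has no private key" }
    if ($cert.NotAfter -lt (Get-Date))    { throw "Certificate $hash expired on $($cert.NotAfter)" }
    $ekus = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    if ($ekus -notcontains $ServerAuthOid) {
        throw "Certificate $hash lacks the Server Authentication intended purpose"
    }

    # Remove whatever is bound to the port now (a 'not found' result is fine).
    & netsh http delete sslcert "ipport=$IpPort" | Out-Null

    # ipport, certhash and appid are all required for add sslcert.
    $out = & netsh http add sslcert "ipport=$IpPort" "certhash=$hash" "appid=$AppId"
    if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed: $out" }

    # Show the resulting binding so the hash and AppID can be checked by eye.
    & netsh http show sslcert "ipport=$IpPort"
}

# Thumbprint as copied from the Details tab, spaces included; port 44300 is WebMatrix's first https port.
Set-HttpSysSslBinding -Thumbprint 'd7 64 7e 15 a6 98 c0 35 e4 cd 33 c1 18 b4 df b5 eb fa 1b 65' -IpPort '0.0.0.0:44300'
```

If the site should use a port outside 44300-44399, remember that the binding in applicationHost.config still has to be edited by hand, as noted above.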

NOTE: This is the general method of configuring http.sys to allow SSL connections for a website; it is not limited to websites running on WebMatrix/IIS Developer Express.
