Replace a TLS certificate using the command line (netsh)
On Windows, TLS endpoints are often terminated by the operating system itself rather than by the application. The certificate bindings involved can be managed easily from the command line. This guide shows how to replace a certificate that way.
Many applications on Windows use the kernel-mode HTTP server http.sys (or a similar OS component) to terminate HTTP traffic. Examples are Microsoft Exchange, Windows Admin Center, IIS, Remote Desktop Gateway and others. For these applications the TLS certificate binding lives in http.sys and can be managed with netsh http.
Most applications offer their own way to replace a certificate (a management console, PowerShell cmdlets or similar), and that way should be preferred, because the application also keeps its own record of which certificate it expects. When that route is not easily accessible, you can replace the binding directly on the command line; be aware that an application that manages its own bindings (IIS, for example) may re-apply its stored configuration later, so update it there as well when you get the chance.
Show bindings
To list the TLS bindings currently registered with http.sys, use netsh http show sslcert.
netsh http show sslcert
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : 0665ad01d1f07ae0a2d87ee3dde3b948b5a64142
Application ID : {3c0c6470-144f-4b6f-8cba-e174605bf5e2}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
...
Change certificate
To change the certificate you remove the old binding and add a new one with the new certificate hash. Note that the endpoint is unbound between the two commands, so if the add step fails (wrong thumbprint, certificate without a private key, certificate not in the Local Computer Personal store) the service stays down until you fix it. On current Windows versions netsh http update sslcert can change the hash in place, but the delete/add sequence works everywhere.
Before replacing the certificate, you need the thumbprint of the new certificate. With PowerShell that is easy: list the Local Computer Personal store (the store http.sys uses by default, shown as (null) above) and pick the new certificate.
Get-ChildItem Cert:\LocalMachine\My\
The next step is to replace the binding. Keep the appid of the existing binding, and use the thumbprint of your new certificate as certhash (the example below reuses the hash from the listing above only as a placeholder):
netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=0665AD01D1F07AE0A2D87EE3DDE3B948B5A64142 appid="{3c0c6470-144f-4b6f-8cba-e174605bf5e2}"
(When running this from PowerShell, put the appid value in quotes; otherwise PowerShell tries to parse the braces itself and the command fails.)
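The whole procedure (look up the new certificate, keep the existing appid, swap the binding, verify what is actually served) as one PowerShell script. This is an added example, not code from the original page; it assumes an elevated shell, that the new certificate with its private key is already in Cert:\LocalMachine\My, and that the parameter names $NewThumbprint and $IpPort are your own. It parses the GUID and hash out of the netsh output by shape rather than by label, because the labels are localized (the listing above is from a German system).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): replace an http.sys TLS binding
# end-to-end and verify the result. Assumed inputs: the thumbprint of the NEW
# certificate (already in Cert:\LocalMachine\My with private key) and the ip:port.
param(
    [Parameter(Mandatory)][string]$NewThumbprint,
    [string]$IpPort = '0.0.0.0:443'
)
$ErrorActionPreference = 'Stop'

# 1. Sanity-check the new certificate before touching the binding. http.sys needs
#    the private key, and an expired or not-yet-valid cert would take the endpoint down.
$thumb = ($NewThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
if (-not $cert)                     { throw "Certificate $thumb not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)       { throw "Certificate $thumb has no private key" }
if ($cert.NotAfter -lt (Get-Date))  { throw "Certificate $thumb expired on $($cert.NotAfter)" }
if ($cert.NotBefore -gt (Get-Date)) { throw "Certificate $thumb is not yet valid" }

# 2. Read the existing binding and keep its application ID. The labels in the
#    netsh output are localized (English "Application ID", German "Anwendungs-ID"),
#    so match the GUID itself rather than the label text.
$current = netsh http show sslcert ipport=$IpPort | Out-String
if ($current -notmatch '\{[0-9a-fA-F-]{36}\}') {
    throw "No existing SSL binding found for $IpPort; refusing to guess an appid"
}
$appId = $Matches[0]
$oldThumb = if ($current -match '\b[0-9a-fA-F]{40}\b') { $Matches[0] } else { '(none)' }
Write-Host "Replacing $oldThumb -> $thumb on $IpPort (appid $appId)"

# 3. Swap the binding. There is a short window with no binding between the two
#    commands; check the exit code of each so a failed 'add' is not silent.
netsh http delete sslcert ipport=$IpPort | Out-Null
if ($LASTEXITCODE -ne 0) { throw "delete sslcert failed (exit $LASTEXITCODE)" }
# Quote the appid so PowerShell does not try to parse the braces as a script block.
netsh http add sslcert ipport=$IpPort certhash=$thumb appid="$appId" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "add sslcert failed (exit $LASTEXITCODE); endpoint is now unbound" }

# 4. Verify: http.sys must report the new hash, and a real TLS handshake to the
#    port must present it (the binding table can be right while another listener
#    or a front end still serves the old certificate).
$after = netsh http show sslcert ipport=$IpPort | Out-String
if ($after -notmatch [regex]::Escape($thumb)) { throw "Binding does not show $thumb after update" }

$port = [int]($IpPort -split ':')[-1]
$tcp = [System.Net.Sockets.TcpClient]::new('127.0.0.1', $port)
try {
    # Accept any server certificate here: we only want to read what is being served.
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient('localhost')
    $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    if ($served.Thumbprint -ne $thumb) {
        throw "Port $port still serves $($served.Thumbprint), expected $thumb"
    }
    Write-Host "OK: $IpPort now serves $($served.Subject) (expires $($served.NotAfter))"
} finally {
    $tcp.Dispose()
}
```

Run it as .\Replace-SslBinding.ps1 -NewThumbprint <thumbprint> from an elevated PowerShell; the script name is an assumption. The handshake check at the end is the part worth keeping even if you do the rest by hand: the binding table only tells you what http.sys was told, not what clients receive.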