
Replace tls cert using commandline (netsh)

TLS endpoints on windows are often served by the operating system itself. Related certificate bindings can be managed using the command line easily. This guide shows how to replace a certificate using the commandline.

Daniel Nachtrub

Many applications on Windows use http.sys (or a similar kernel-mode listener) to terminate HTTP traffic. Examples of such applications are Microsoft Exchange, Windows Admin Center, IIS, Remote Desktop Gateway and so on. In that case the TLS certificate bindings can be managed with netsh http.

Most applications offer their own way to replace a certificate. If that is not easily accessible, you can replace the binding directly on the command line.

Show bindings

To get a list of currently known HTTP TLS bindings, use netsh http show sslcert.

netsh http show sslcert

SSL-Zertifikatbindungen:
-------------------------
IP:Port                      : 0.0.0.0:443
Zertifikathash              : 0665ad01d1f07ae0a2d87ee3dde3b948b5a64142
Anwendungs-ID               : {3c0c6470-144f-4b6f-8cba-e174605bf5e2}
Zertifikatspeichername       : (null)
Clientzertifikatsperre überprüfen : Enabled
Zur Sperrüberprüfung ausschließlich zwischengespeichertes Clientzertifikat verwenden : Disabled
Verwendungsüberprüfung                  : Enabled
...
current bindings

Change certificate

In order to change a certificate you remove the old binding and add a new one.

Before replacing the certificate, we need to retrieve the thumbprint of the new certificate. Using powershell that's really easy.

Get-ChildItem Cert:\LocalMachine\My\
list certs in system store

The next step is to replace the binding: delete the old binding and add a new one with the thumbprint of the new certificate and the application ID of the existing binding.

netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=0665AD01D1F07AE0A2D87EE3DDE3B948B5A64142 appid="{3c0c6470-144f-4b6f-8cba-e174605bf5e2}"
replace certificate

(When running this in PowerShell, be sure to put the appid parameter in quotes; otherwise the braces will cause a parsing issue.)
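The whole procedure from the post (read the current binding, pick the new certificate, delete and re-add the binding, verify) as one script. This is an added example and not part of the original post: it assumes an elevated PowerShell session, that the new certificate is already imported into Cert:\LocalMachine\My with its private key, and that its subject contains the placeholder value in $SubjectMatch. The appid is read from the existing binding rather than typed by hand, and the old and new hashes are extracted with regular expressions so the script works regardless of the display language of the netsh output.

```powershell
# Added example (not from the original post): replace the HTTP.sys TLS binding on
# $IpPort with a newer certificate from Cert:\LocalMachine\My, keeping the existing appid.
# Assumptions: elevated session; the new certificate is already imported with its private
# key; $SubjectMatch is a placeholder for the real certificate subject.

$IpPort       = '0.0.0.0:443'
$SubjectMatch = 'CN=gateway.example.com'   # placeholder, replace with your certificate subject

# 1. Read the current binding and pull the appid and certificate hash out of the netsh
#    output. The labels are language dependent, so match the GUID and the 40-hex thumbprint.
$current = (netsh http show sslcert "ipport=$IpPort") -join "`n"
$appIdMatch = [regex]::Match($current, '\{[0-9a-fA-F-]{36}\}')
if (-not $appIdMatch.Success) {
    throw "No existing TLS binding found for $IpPort; nothing to replace."
}
$appId = $appIdMatch.Value
$oldHashMatch = [regex]::Match($current, '\b[0-9a-fA-F]{40}\b')
$oldHash = if ($oldHashMatch.Success) { $oldHashMatch.Value } else { '(unknown)' }

# 2. Pick the newest still-valid certificate matching the subject that has a private key.
#    A certificate without a private key can be bound but will not be able to serve TLS.
$newCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $newCert) {
    throw "No valid certificate with a private key matching '$SubjectMatch' found in Cert:\LocalMachine\My."
}
if ($newCert.Thumbprint -ieq $oldHash) {
    Write-Host "Binding on $IpPort already uses $($newCert.Thumbprint); nothing to do."
    return
}

Write-Host "Replacing binding on $IpPort"
Write-Host "  old hash : $oldHash"
Write-Host "  new hash : $($newCert.Thumbprint) (expires $($newCert.NotAfter))"
Write-Host "  appid    : $appId"

# 3. Remove the old binding and add the new one. Each key=value pair is passed as a single
#    quoted token so PowerShell does not try to interpret the braces in the appid.
netsh http delete sslcert "ipport=$IpPort" | Out-Null
netsh http add sslcert "ipport=$IpPort" "certhash=$($newCert.Thumbprint)" "appid=$appId" | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add sslcert failed with exit code $LASTEXITCODE; the port currently has no binding."
}

# 4. Verify: the binding must now report the new thumbprint.
$after = (netsh http show sslcert "ipport=$IpPort") -join "`n"
if ($after -notmatch $newCert.Thumbprint) {
    throw "Verification failed: binding on $IpPort does not show $($newCert.Thumbprint)"
}
Write-Host "Binding on $IpPort now uses $($newCert.Thumbprint)"
```

Between the delete and the add the port has no binding, so TLS connections fail for that moment; run the script in a maintenance window or one endpoint at a time. Keeping the old thumbprint and appid in the output also gives you what you need to bind the previous certificate again if the new one turns out to be wrong.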


Daniel Nachtrub

Kind of likes computers. Linux foundation certified: LFCS / CKA / CKAD / CKS. Microsoft certified: Cybersecurity Architect Expert & Azure Solutions Architect Expert.