Replace a TLS certificate from the command line (netsh)

Many applications on Windows terminate HTTP(S) traffic through http.sys rather than their own listener; examples are Microsoft Exchange, Windows Admin Center, IIS and Remote Desktop Gateway. For those, the TLS certificate is not configured in the application but as an http.sys binding, which can be managed with netsh http.

Most applications offer their own way to replace a certificate, and that should be preferred where it exists, because some of them (IIS and Exchange, for instance) keep their own record of the binding and may re-apply it. Where that is not easily accessible, you can replace the binding directly on the command line.

Show bindings

To list the TLS bindings http.sys currently holds, run netsh http show sslcert from an elevated prompt.

netsh http show sslcert

SSL Certificate bindings:
-------------------------
IP:Port                      : 0.0.0.0:443
Certificate Hash             : 0665ad01d1f07ae0a2d87ee3dde3b948b5a64142
Application ID               : {3c0c6470-144f-4b6f-8cba-e174605bf5e2}
Certificate Store Name       : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                  : Enabled
...
current bindings

Change certificate

To change a certificate you remove the old binding and add a new one with the same ipport and appid. Note down the Application ID from the output above before deleting anything: the new binding must carry the same appid, otherwise the application will not pick it up. Also be aware that delete followed by add is not atomic; for a moment the port has no binding, so do this in a maintenance window.

Before replacing the binding, we need the thumbprint of the new certificate. It must already be imported into the local machine's personal store (LocalMachine\My) together with its private key; listing that store with PowerShell shows the thumbprints.

Get-ChildItem Cert:\LocalMachine\My\
list certs in system store

The next step is to replace the binding. The certhash value is the thumbprint of the new certificate (the example below re-uses the hash shown above purely for illustration) and the appid is the one from the existing binding.

netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=0665AD01D1F07AE0A2D87EE3DDE3B948B5A64142 appid="{3c0c6470-144f-4b6f-8cba-e174605bf5e2}"
replace certificate

(When doing this in PowerShell, be sure to put the appid parameter in quotes. Unquoted braces are parsed by PowerShell as a script block, so the command fails before netsh ever sees it.)
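The whole procedure as one script, as an added example that is not part of the original post: it reads the existing binding to keep its Application ID, selects the new certificate from LocalMachine\My by subject (checking that it has a private key and is currently valid), replaces the binding, rolls back to the old thumbprint if the add fails, and verifies the result. The subject name and port are assumed placeholders; the GUID and thumbprint are taken from netsh output with locale-independent regular expressions, so the script does not depend on the (here German) labels.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumes the new certificate is already imported
# into Cert:\LocalMachine\My with its private key. $Subject and $IpPort are placeholders.
param(
    [string]$IpPort  = '0.0.0.0:443',
    [string]$Subject = 'CN=www.example.com'   # assumed placeholder, adjust to your certificate
)

# 1. Read the existing binding so the Application ID (and the old hash, for rollback) are kept.
$show = netsh http show sslcert ipport=$IpPort
if ($LASTEXITCODE -ne 0) { throw "No existing binding on $IpPort" }
$appId   = ($show | Select-String -Pattern '\{[0-9a-fA-F-]{36}\}' | Select-Object -First 1).Matches[0].Value
$oldHash = ($show | Select-String -Pattern '\b[0-9a-fA-F]{40}\b'  | Select-Object -First 1).Matches[0].Value
if (-not $appId -or -not $oldHash) { throw "Could not parse appid/certhash from netsh output" }

# 2. Pick the new certificate: matching subject, private key present, valid right now,
#    newest expiry first. A certificate without a private key cannot serve TLS at all.
$now = Get-Date
$new = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey -and
                   $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $new) { throw "No valid certificate with private key for '$Subject' in LocalMachine\My" }
if ($new.Thumbprint -eq $oldHash) { Write-Host "Binding already uses $($new.Thumbprint)"; return }

Write-Host "Replacing $oldHash with $($new.Thumbprint) on $IpPort (appid $appId)"

# 3. Replace the binding. delete + add is not atomic; the port has no binding in between.
#    The appid is quoted so PowerShell does not treat the braces as a script block.
netsh http delete sslcert ipport=$IpPort | Out-Null
netsh http add sslcert ipport=$IpPort certhash=$($new.Thumbprint) appid="$appId" | Out-Null
if ($LASTEXITCODE -ne 0) {
    # Restore the previous certificate rather than leaving the port unbound.
    netsh http add sslcert ipport=$IpPort certhash=$oldHash appid="$appId" | Out-Null
    throw "add sslcert failed; previous binding restored"
}

# 4. Verify that http.sys now reports the new thumbprint.
$after = netsh http show sslcert ipport=$IpPort
if ($after -match $new.Thumbprint) {
    Write-Host "Binding on $IpPort now uses $($new.Thumbprint)"
} else {
    throw "Verification failed: new thumbprint not found in netsh output"
}
```

Run it from an elevated PowerShell; http.sys will reject both delete and add from a non-administrative session. Comparing against the old thumbprint first makes the script safe to re-run, and the rollback branch matters because a failed add (for example a thumbprint typed with a trailing space, or a certificate whose private key is not readable by the service) would otherwise leave the port without any TLS binding.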