Using netsh, bind an SSL certificate to a port number is failing
https://stackoverflow.com//questions/9641723
-
10-12-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I have followed the instructions in SSL with Self Hosted WCF Service. When I am trying to bind the certificate on Windows 7 using netsh as described in How to: Configure a Port with an SSL Certificate., it is failing as follows.
In Windows PowerShell
PS C:\> netsh http add sslcert ipport=0.0.0.0:8732 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF}
Bad numeric constant: 224.
At line:1 char:104
+ netsh http add sslcert ipport=0.0.0.0:8732 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={001 <<<< 12233-4455-6677-8899-AABBCCDDEEFF}
+ CategoryInfo : ParserError: (224:String) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : BadNumericConstant
In a command prompt
C:\>netsh http add sslcert ipport=0.0.0.0:8732 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF}
SSL Certificate add failed, Error: 1312
A specified logon session does not exist. It may already have been terminated.
Solution 3
The source of the error is that I have taken the ThumbPrint directly from the certificate file of signroot.cert, which is created from the first makecert command needed for creating "Trusted Root Certification Authorities", which is used again to really create(and install) the self-sigend trusted certificate in the second makecert command.
The second makecert command also install the created certificates in the "Certificates (Local Computer) -> Personal -> Certificates node." One has to refresh the currently open MMC again to see the "localhost" certificate and the ThumbPrint need to be taken from this certificates but not from signroot.cert.
If it is still not the case, one might need to install this hotfix from M$. http://support.microsoft.com/kb/981506
OTHER TIPS
I fought with this forever to get my IIS Express to do SSL properly. It turns out my certificate was in the Trusted Root Certification Authorities store instead of the Personal Certificates store. This is what worked for me:
- Make sure your certificate is in "Certificates(Local Computer)/Personal/Certificates"
netsh http add sslcert ipport=0.0.0.0:8732 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid='{00112233-4455-6677-8899-AABBCCDDEEFF}'- SSL Certificate successfully added
- Use MMC and drag certificate wherever you want it to go.
I have found 4 possible causes for error 1312 in my port bindings:
- The SSL cert is corrupt - you need to delete from the cert store and re-add.
- The SSL cert is lacking a private key - you need to delete from the cert store and re-add the full public/private cert, or otherwise attach the private key to your certificate.
- If installing on a pre-SP1 version of 2012R2, you may need KB 981506.
- You may have added the SSL cert to your user store, and not the local machine cert store - delete from the user store and add to the machine store.
We faced the same error and after long hours, we realized that netsh was not browsing all local machine stores to find the certificate identified by the "certhash" parameter. By default, it searches the certificate in the "personal" store and only there.
As our certificate was not in the "personal" store but in the "Trusted Root Certification Authorities" store, the problem was solved by adding the "certstorename" parameter in the netsh command:
C:\>netsh http add sslcert ipport=0.0.0.0:8732 certstorename=AuthRoot certhash=...
Another thing to be aware of is that copy/paste the certificate hash from MMC console certificate property window, may also bring a funny char at the start of the hash. You won't see it because this char is INVISIBLE in the UTF-8 encoding your text editor is likely using!
Netsh does not help as it just keeps failing with "the parameter is incorrect" without disclosing which parameter ;)
Changing the encoding to ANSI shows the char, delete it and it'll work like a charm
The key for me was to ditch using IE to do the import which is what I normally do/did.
Use mmc.exe, File->Add/Remove Snap-in and add "Certificates". Manage for Computer account and then "Local computer".
Import the root certificate into Certificates (Local Computer)/Trusted Root Certification Authorities/Certificates.
Import the client certificate into Personal/Certificates and then do the netsh http add sslcert.
I noticed the following in your question. It may not solve the original issue, but the syntax here isn't correct.
PS C:\> netsh http add sslcert ipport=0.0.0.0:8732 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF}
Bad numeric constant: 224.
At line:1 char:104
+ netsh http add sslcert ipport=0.0.0.0:8732 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={001 <<<< 12233-4455-6677-8899-AABBCCDDEEFF}
+ CategoryInfo : ParserError: (224:String) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : BadNumericConstant
Use this instead (with appid in a single quote '{}'):
netsh http add sslcert ipport=0.0.0.0:8732 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid='{00112233-4455-6677-8899-AABBCCDDEEFF}'
Actually it has nothing to do with refresh. I have wasted so much time with the same issue. If you do a fresh install you will not run across this problem, but problem will occur if you try to:
1. Import same certificate again
2. You create a new certificate and try to bind it which has same parameters, namely the CN value.
To get rid of this problem, either delete this certificate properly from your certificate store and IIS server cache, or (for development purposes only), create a new certificate, but with a different CN value, the command will work.
"Official" (not self signed) certificates (e.g. from Thawte) are imported in the certificate store: „Trusted Root Certification Authorities“.
If no parameter "certstorename=" is passed in the netsh command, netsh takes "MY" what represents the "Private" store.
To bind an official certificate, you have to add:
certstorename=Root
to the netsh command.
