通过"netsh.exe"添加SSL证书，在计算机重新启动后不会持续生效

这个问题在 http://www.hanselman.com/blog/WorkingWithSSLAtDevelopmentTimeIsEasierWithIISExpress.aspx 的评论中被几个人提到。

最后一个评论是：

我认为将自签名证书从个人目录移动到受信任的根CA目录会导致一个问题，即开发人员重新启动计算机后SSL停止工作。（不知道它是如何发生的，但它一直在持续发生。）我最终通过导出并重新导入自签名证书到受信任的根目录（而不是简单地拖动它）解决了这个问题。现在我的自签名证书被考虑在内，我不需要每次重新安装/修复IIS Express。

# NOTE: This script MUST use Run as Administrator to work correctly.
# This script works with IIS 8.0 Express.
$currentIdentity=[System.Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal=new-object System.Security.Principal.WindowsPrincipal($currentIdentity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

if (($currentPrincipal -eq $null) -or ($currentPrincipal.IsInRole($adminRole) -eq $false))
{
    Write-Error "This script must be run with Admnistrator privileges."
    exit
}

$iisExpressAppId = "{214124cd-d05b-4309-9af9-9caa44b2b74a}"
$iisExpressCertFriendlyName = "IIS Express Development Certificate"

# Get the current IIS Express certificate and remove it if it exists
$iisExpressCert = Get-ChildItem Cert:\LocalMachine\My | ? { $_.FriendlyName -eq $iisExpressCertFriendlyName }

if ($iisExpressCert -ne $null)
{
    Remove-Item $iisExpressCert.PSPath
}

# Create a new self-signed server certificate with a 4096-bit key
& "C:\Program Files (x86)\Windows Kits\8.1\bin\x86\makecert.exe" -r -pe -n "CN=localhost" -m 60 -ss My -sr LocalMachine -sky Exchange -eku 1.3.6.1.5.5.7.3.1 -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -a sha512 -len 4096

# Get the newly generated server certificate
$iisExpressCert = Get-ChildItem Cert:\LocalMachine\My | ? { $_.Subject -eq "CN=localhost" -and [DateTime]::Parse($_.GetEffectiveDateString()).Date -eq [DateTime]::Today }

if ($iisExpressCert -ne $null)
{
    # Change the friendly name of the new certificate.
    $iisExpressCert.FriendlyName = $iisExpressCertFriendlyName

    # Iterate through the IIS Express ports removing the old certificate
    # and adding the new one.
    44300..44399 | foreach {
        & "C:\Windows\System32\netsh.exe" http delete sslcert ipport=0.0.0.0:$($_)
        & "C:\Windows\System32\netsh.exe" http add sslcert ipport=0.0.0.0:$($_) certhash=$($iisExpressCert.Thumbprint) appid=$($iisExpressAppId)
    }
}

<# Remove comment tags only if you intend to trust the self-signed cert.
# Adds the Public Certificate to the Trusted Root Certification Authorities.
$iisExpressPublicCert = Get-ChildItem Cert:\LocalMachine\AuthRoot | ? { $_.FriendlyName -eq $iisExpressCertFriendlyName }

if ($iisExpressPublicCert -ne $null)
{
    Remove-Item $iisExpressPublicCert.PSPath
}

$iisExpressPublicCert = New-Object "System.Security.Cryptography.X509Certificates.X509Certificate2" @(,$iisExpressCert.Export("Cert"))
$iisExpressPublicCert.FriendlyName = $iisExpressCertFriendlyName

$trustedCertStore = Get-Item Cert:\LocalMachine\AuthRoot
$trustedCertStore.Open("ReadWrite")
$trustedCertStore.Add($iisExpressPublicCert)
$trustedCertStore.Close()
#>

一些注释。

首先，您可以使用以下命令而不使用MMC来获取IIS Express指纹：

powershell -command "& {get-childitem -path cert:\localmachine\my | where-object {$.FriendlyName -match 'IIS Express Development Certificate'} | % { $.Thumbprint}}"

如http://msdn.microsoft.com/en-us/library/ms733791.aspx所述，您在netsh命令中使用指纹。 您可以使用上述powershell技术为您特定的IIS Express安装构建正确的netsh命令。

让我们将上述命令添加到输出端口443的正确netsh命令：

powershell -command "& {get-childitem -path cert:\localmachine\my | where-object {$.FriendlyName -match 'IIS Express Development Certificate'} | % { 'netsh http add sslcert ipport=0.0.0.0:443 appid={214124cd-d05b-4309-9af9-9caa44b2b74a} certhash='+$.Thumbprint}}"

这将显示完整的 netsh 命令，您可以复制/粘贴并自行调用它。您还可以在上述命令中添加 **| cmd.exe** 以自动调用它。让我们这样做。以下是准备好供您复制/粘贴到管理员命令提示符中的上述 PowerShell 命令，以将本地 443 端口绑定到本地 IIS Express 证书：

powershell -command "& {get-childitem -path cert:\localmachine\my | where-object {$_.FriendlyName -match 'IIS Express Development Certificate'} | % { 'netsh http add sslcert ipport=0.0.0.0:443 appid={214124cd-d05b-4309-9af9-9caa44b2b74a} certhash='+$_.Thumbprint}}" | cmd.exe