Hands-on · Lesson 14 of 16

Lab: Configure SSL and HTTPS on IIS

Import cert, bind HTTPS, validate netsh binding, enforce redirect and HSTS.

🧒 Simple Explanation (ELI5)

Put a lock on your site door and make everyone use that lock.

🔧 Why Do We Need It?

🌍 Real-world Analogy

Switching from postcard mail to sealed registered mail with identity verification.

⚙️ Technical Explanation

IIS serves HTTPS only when three things line up: the certificate (with its private key) sits in the LocalMachine\My store, the site has an https binding (IP:port:hostname, flagged SNI when it is hostname-based), and HTTP.sys has an sslcert mapping that points that binding at the certificate's thumbprint. IIS Manager hides the third piece, which is why a binding can look right in the UI while clients get the wrong cert. Once the handshake works, add an HTTP→HTTPS 301 redirect and a Strict-Transport-Security header so clients stop using plain HTTP at all.

📊 Visual Representation

HTTPS Setup: Import Cert (PFX into LocalMachine\My) → Bind (*:443:hostname) → Verify (netsh + curl) → Enforce (301 redirect + HSTS)

⌨️ Commands / Syntax

PowerShell (elevated)
$pass = Read-Host -Prompt 'PFX password' -AsSecureString   # never hard-code the PFX password in a script
$cert = Import-PfxCertificate -FilePath C:\certs\site.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pass
# add an SNI (sslFlags=1) HTTPS binding to the site
& "$env:windir\system32\inetsrv\appcmd.exe" set site /site.name:myapp "/+bindings.[protocol='https',bindingInformation='*:443:myapp.local',sslFlags='1']"
# map that binding to the cert in HTTP.sys; the appid is the well-known IIS application GUID
netsh http add sslcert hostnameport=myapp.local:443 certhash=$($cert.Thumbprint) "appid={4dc3e181-e14b-4a21-b022-59fc669b0914}" certstorename=MY
netsh http show sslcert hostnameport=myapp.local:443   # Certificate Hash must equal $cert.Thumbprint
# test from the client side with curl.exe (in Windows PowerShell plain 'curl' is an alias for Invoke-WebRequest);
# -k skips chain validation and is acceptable only for a self-signed lab cert, drop it for a real one
curl.exe -vk https://myapp.local

💼 Example (Real-world Use Case)

Renewal runbook updates 20 SNI bindings and validates each host with scripted curl checks.

🧪 Hands-on

  1. Create/import test cert.
  2. Add HTTPS binding for test host.
  3. Verify cert thumbprint in netsh output.
  4. Add HTTP redirect rule.
  5. Add HSTS and re-test.
💡
Post-change Validation

Always verify from client perspective, not just IIS Manager UI.
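The last two hands-on steps (redirect rule, HSTS) and the client-side re-test, as an added example that is not part of the lesson. It assumes the site is named myapp with host myapp.local, that steps 1-3 are done, that the script runs elevated, that the URL Rewrite module is installed (for the rewrite rule) and that IIS is 10 version 1709 or later (for the native hsts element); the site and host names are placeholders.

```powershell
# Added example, not from the lesson. Assumptions: elevated session, URL Rewrite module installed,
# IIS 10 1709+ for the native <hsts> element, site 'myapp' answering for myapp.local.
Import-Module WebAdministration
Import-Module IISAdministration

$SiteName = 'myapp'
$HostName = 'myapp.local'
$pspath   = "IIS:\Sites\$SiteName"
$rule     = "system.webServer/rewrite/rules/rule[@name='HTTP to HTTPS']"

# Step 4: HTTP -> HTTPS 301 via URL Rewrite. Remove and recreate so the script is idempotent.
if (Get-WebConfiguration -PSPath $pspath -Filter $rule) {
    Remove-WebConfigurationProperty -PSPath $pspath -Filter 'system.webServer/rewrite/rules' -Name '.' -AtElement @{ name = 'HTTP to HTTPS' }
}
Add-WebConfigurationProperty -PSPath $pspath -Filter 'system.webServer/rewrite/rules' -Name '.' -Value @{ name = 'HTTP to HTTPS'; stopProcessing = 'True' }
Set-WebConfigurationProperty -PSPath $pspath -Filter "$rule/match" -Name url -Value '(.*)'
# The {HTTPS}=off condition is what prevents a redirect loop once the request is already HTTPS.
Add-WebConfigurationProperty -PSPath $pspath -Filter "$rule/conditions" -Name '.' -Value @{ input = '{HTTPS}'; pattern = 'off' }
Set-WebConfigurationProperty -PSPath $pspath -Filter "$rule/action" -Name type -Value 'Redirect'
Set-WebConfigurationProperty -PSPath $pspath -Filter "$rule/action" -Name url -Value 'https://{HTTP_HOST}/{R:1}'
Set-WebConfigurationProperty -PSPath $pspath -Filter "$rule/action" -Name redirectType -Value 'Permanent'

# Step 5: native HSTS. IIS emits the header only on HTTPS responses, as the spec requires.
# includeSubDomains stays off until every subdomain is known to serve HTTPS.
Reset-IISServerManager -Confirm:$false
Start-IISCommitDelay
$sites = Get-IISConfigSection -SectionPath 'system.applicationHost/sites' | Get-IISConfigCollection
$site  = Get-IISConfigCollectionElement -ConfigCollection $sites -ConfigAttribute @{ name = $SiteName }
$hsts  = Get-IISConfigElement -ConfigElement $site -ChildElementName 'hsts'
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'enabled' -AttributeValue $true
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'max-age' -AttributeValue 31536000
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'includeSubDomains' -AttributeValue $false
Stop-IISCommitDelay

# Re-test from the client's point of view, not from IIS Manager. curl.exe is used explicitly because
# in Windows PowerShell the bare word 'curl' is an alias for Invoke-WebRequest.
function Test-HttpsEnforcement {
    param([string]$HostName, [string]$ExpectedThumbprint)
    # curl does not follow redirects by default, so the first response of the HTTP request is the redirect itself
    $redir = (curl.exe -s -o NUL -w '%{http_code} %{redirect_url}' "http://$HostName/") -split ' ', 2
    # -k is only acceptable for a lab cert the client does not trust; drop it for production checks
    $hdrs  = curl.exe -sk -I "https://$HostName/"
    $hsts  = ($hdrs | Where-Object { $_ -match '^Strict-Transport-Security:' }) -join ''
    # The HTTP.sys mapping is what actually decides which cert is served for this SNI name
    $mapping = netsh http show sslcert hostnameport="${HostName}:443" | Out-String
    $hash = if ($mapping -match 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') { $Matches[1] } else { '' }
    [pscustomobject]@{
        Host            = $HostName
        HttpStatus      = $redir[0]
        RedirectTarget  = $redir[1]
        RedirectOk      = ($redir[0] -eq '301' -and $redir[1] -like "https://$HostName/*")
        HstsHeader      = $hsts
        HstsOk          = ($hsts -match 'max-age=\d+')
        BoundThumbprint = $hash
        ThumbprintOk    = ($hash -ieq $ExpectedThumbprint)
    }
}

# Pick the newest cert in the store that carries the host name and compare it with what HTTP.sys serves
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $HostName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Test-HttpsEnforcement -HostName $HostName -ExpectedThumbprint $cert.Thumbprint | Format-List
```

All three *Ok fields must be true before the change is signed off. On IIS builds older than 1709 the hsts element does not exist; there the header has to be added with an outbound rewrite rule or customHeaders restricted to HTTPS responses, since sending Strict-Transport-Security over plain HTTP is ignored by browsers.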

🐛 Debugging Scenario

Failure: the browser still shows the old cert after the new one was imported, and the site binding looks right in IIS Manager. Run netsh http show sslcert for the binding: if Certificate Hash still equals the old thumbprint, the HTTP.sys mapping was never updated, so fix it with netsh http update sslcert ... certhash=<new thumbprint> (or re-select the cert on the binding) and re-test. Also test from a fresh client or close existing connections first, because a keep-alive connection keeps the cert it negotiated at handshake time.

🎯 Interview Questions

Beginner

Where must IIS cert live?

LocalMachine\My with private key.

Why HSTS?

Tells the browser to use only HTTPS for this host for max-age seconds: plain-HTTP URLs are rewritten to HTTPS before any request is sent, and certificate errors cannot be clicked through, which blocks protocol downgrade and SSL-stripping attacks on later visits.

What is SNI?

Server Name Indication: a TLS extension in which the client sends the hostname in its ClientHello, so the server can select the matching certificate before the handshake completes. It lets multiple certs share one IP:443; IIS marks such bindings with sslFlags=1.

What is cert thumbprint used for?

SHA-1 hash of the certificate (the certhash value): it identifies the cert in the store and is what the HTTP.sys sslcert mapping points at, so a binding is fixed or audited by thumbprint rather than by subject name.

What does cert chain mean?

Server cert + intermediates + trusted root path.

Intermediate

How to automate renewals on Windows?

Use win-acme scheduled renewals and post-check scripts.

Why can UI show new cert while clients see old?

Stale HTTP.sys sslcert binding still points to old thumbprint.

How to test protocol/cipher quickly?

Use SSL Labs for the external view, plus local checks: curl.exe --tlsv1.2 --tls-max 1.2 (or openssl s_client -tls1_1) per protocol version to see which handshakes succeed, and the Schannel registry keys to confirm what is actually enabled on the server.

When use wildcard vs SAN cert?

Wildcard for many subdomains at one label level (*.example.com does not cover a.b.example.com or the bare example.com); SAN for an explicit host list, including the root and mixed domains.

How to avoid redirect loops?

Condition redirect only when HTTPS is off.

Scenario-based

Cert valid but warning persists.

Check hostname mismatch or missing intermediate cert.

Multiple sites wrong cert after migration.

Review SNI bindings and hostname-specific sslcert mappings.

TLS 1.0 disabled broke legacy client.

Use temporary isolated compatibility endpoint and upgrade plan.

How to verify each host in batch?

Script curl/Invoke-WebRequest per hostname and parse cert dates.
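The batch check described in this answer, as an added example that is not from the lesson; it also surfaces the two scenarios above (stale thumbprint after migration, hostname mismatch or missing intermediate), because it does the TLS handshake with an explicit SNI name and reports what the server actually served. It assumes the hostnames resolve to the IIS server, Windows PowerShell 5.1 or later on Windows (for the DnsNameList certificate property), and the host list is a constructed placeholder.

```powershell
# Added example, not from the lesson. Assumes Windows PowerShell 5.1+ on Windows and that the hosts resolve
# to the IIS server. The handshake is done with SslStream so the SNI name is set explicitly; that is what
# exposes a wrong hostnameport sslcert mapping or a stale thumbprint that the IIS Manager UI does not show.
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$WarnDays = 30,
        [string]$ExpectedThumbprint = ''
    )
    $tcp = $null; $ssl = $null; $chain = $null
    try {
        $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
        # Accept any cert in the callback so an untrusted or mismatched cert can still be inspected;
        # trust and name checks are evaluated separately below and reported as fields.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
                 [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)   # $HostName goes into the SNI extension
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chainOk = $chain.Build($cert)         # fails on missing intermediate, untrusted root, expiry
        $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

        # Hostname match against the SAN list; a wildcard covers exactly one label.
        $names = @($cert.DnsNameList.Unicode)
        if (-not $names) { $names = @($cert.GetNameInfo('SimpleName', $false)) }
        $nameOk = $false
        foreach ($n in $names) {
            if ($n -ieq $HostName) { $nameOk = $true; break }
            if ($n.StartsWith('*.') -and $HostName -imatch ('^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$')) { $nameOk = $true; break }
        }

        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $issue = if (-not $nameOk) { 'hostname mismatch: check SNI binding / sslcert hostnameport mapping' }
                 elseif ($ExpectedThumbprint -and $cert.Thumbprint -ine $ExpectedThumbprint) { 'stale thumbprint: HTTP.sys still serves the old cert' }
                 elseif ($chainErrors -contains 'PartialChain') { 'missing intermediate cert on server' }
                 elseif (-not $chainOk) { 'chain not trusted: ' + ($chainErrors -join ',') }
                 elseif ($daysLeft -lt $WarnDays) { "expires in $daysLeft days: renew" }
                 else { 'ok' }

        [pscustomobject]@{
            Host         = $HostName
            Thumbprint   = $cert.Thumbprint
            Subject      = $cert.Subject
            NotAfter     = $cert.NotAfter
            DaysLeft     = $daysLeft
            NameMatches  = $nameOk
            ChainTrusted = $chainOk
            Protocol     = $ssl.SslProtocol
            Issue        = $issue
        }
    }
    catch {
        # A failed handshake (no sslcert mapping for this SNI name, protocol disabled) is itself a finding
        [pscustomobject]@{ Host = $HostName; Thumbprint = ''; Subject = ''; NotAfter = $null; DaysLeft = $null
                           NameMatches = $false; ChainTrusted = $false; Protocol = $null; Issue = "handshake failed: $($_.Exception.Message)" }
    }
    finally {
        if ($chain) { $chain.Dispose() }
        if ($ssl)   { $ssl.Dispose() }
        if ($tcp)   { $tcp.Dispose() }
    }
}

# Constructed host list; in a renewal runbook this comes from the binding inventory.
$hosts = @('myapp.local', 'api.myapp.local')
$hosts | ForEach-Object { Get-ServedCertificate -HostName $_ } |
    Format-Table Host, Thumbprint, NotAfter, DaysLeft, NameMatches, ChainTrusted, Issue -AutoSize
```

Run it before and after a renewal and diff the Thumbprint column: every host that still reports the old value has an HTTP.sys mapping that was not updated, regardless of what the IIS Manager binding dialog shows.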

HSTS rollout risk?

Ensure all subdomains support HTTPS before includeSubDomains/preload.

🌐 Real-world Usage

This is a recurring monthly/quarterly operational activity in every IIS estate.

📝 Summary

Correct HTTPS on IIS means cert import, binding correctness, validation, and strict transport enforcement.