Need help with command line binding of certificate to FTPS site

mushu · September 29, 2020, 3:42pm

IIS on Windows Server 2019

In the IIS Manager, select the FTP site, then click the icon for "FTP SSL Settings". Here you can select the available WebHosting store SSL Certificate using the dropdown. I need to be able to do that in a batch file at the command line. Note, not using PowerShell.

The following commands work fine for the "website" itself which has a domain name. But I need to bind the FTP site on port 21 to a certificate also and it doesn't have a domain itself. "blahblah" are different hashes, just saving space, and domain.com is in place of the real domain.

certutil -delstore "WebHosting" "*.domain.com"
certutil -f -p "password" -importpfx "WebHosting" "WEB.pfx"
certutil -repairstore "WebHosting" "www.domain.com" "change-friendly-name.inf"

netsh http add sslcert certstorename=WebHosting hostnameport=www.domain.com:443 certhash=blahblah appid=blahblah

\windows\system32\inetsrv\appcmd set site /site.name:"WEBweb" /+bindings.[protocol='https',bindingInformation='*:443:www.domain.com']

\windows\system32\inetsrv\appcmd renew binding /oldcert:blahblah /newcert:blahblah

So I tried this:

\windows\system32\inetsrv\appcmd set site /site.name:"WEBftp" /+bindings.[protocol='ftp',bindingInformation='*:21:']

But it doesn't seem to work.
Am I perhaps using the wrong commands since I've been trying different things for so long I've confused myself? Is there a way to select and bind a cert to a site that doesn't have a domain name?
I'm sure the secret lies in one of these commands:

netsh
certutil
appcmd

griffin · September 29, 2020, 5:36pm

Let's Encrypt currently only certifies domain names. If you can create a CNAME from ftp.domain.com to domain.com in your DNS then certify ftp.domain.com, you might be in business.

schoen · October 1, 2020, 9:51am

Also, although Let's Encrypt requires you to use certain port numbers for some methods of proving your control over a domain name, the resulting certificate is not bound to any particular port or protocol, and can be used on any TLS port, protocol, or service. For example, you can use the same Let's Encrypt certificate to secure HTTPS, IMAPS, various forms of secure SMTP, and probably FTPS. The certificate is only valid when the client is accessing the server using a domain name listed in the certificate, but it does not have to be accessed on a specific port number, and definitely not only via HTTPS.

mushu · October 15, 2020, 1:35pm

Thanks for the info. I didn't explain my problem properly so let me try to summarize it.

I'm trying to automate the manual process of going into the IIS management console, selecting my FTP site, selecting the "bindings..." option, and finally selecting the existing certificate from the dropdown. I keep calling that "binding a certificate to a site" but I guess that's confusing.

I am able to do it through a batch file for the website, I just can't seem to make it work for the FTP site.

rg305 · October 15, 2020, 2:59pm

I would look for a solution in PowerShell.
[If it can be done manually, it can be automated with PowerShell]

rmbolger · October 15, 2020, 4:42pm

Did someone say PowerShell?

To be honest, I haven't used the IIS native FTP server much. But from what I can tell, this is all you need to update the cert assuming it's already in the same cert store as the previous one.

Import-Module WebAdministration
$siteName = 'WEBftp'
$configItem = 'ftpServer.security.ssl.serverCertHash'
$thumb = '{new cert thumbprint}'
Set-ItemProperty "IIS:\Sites\$siteName" -Name $configItem -Value $thumb