Need help with command line binding of certificate to FTPS site

IIS on Windows Server 2019

In the IIS Manager, select the FTP site, then click the icon for "FTP SSL Settings". Here you can select the available WebHosting store SSL Certificate using the dropdown. I need to be able to do that in a batch file at the command line. Note, not using PowerShell.

The following commands work fine for the "website" itself which has a domain name. But I need to bind the FTP site on port 21 to a certificate also and it doesn't have a domain itself. "blahblah" are different hashes, just saving space, and domain.com is in place of the real domain.

certutil -delstore "WebHosting" "*.domain.com"
certutil -f -p "password" -importpfx "WebHosting" "WEB.pfx"
certutil -repairstore "WebHosting" "www.domain.com" "change-friendly-name.inf"

netsh http add sslcert certstorename=WebHosting hostnameport=www.domain.com:443 certhash=blahblah appid=blahblah

\windows\system32\inetsrv\appcmd set site /site.name:"WEBweb" /+bindings.[protocol='https',bindingInformation='*:443:www.domain.com']

\windows\system32\inetsrv\appcmd renew binding /oldcert:blahblah /newcert:blahblah

So I tried this:

\windows\system32\inetsrv\appcmd set site /site.name:"WEBftp" /+bindings.[protocol='ftp',bindingInformation='*:21:']

But it doesn't seem to work.
Am I perhaps using the wrong commands since I've been trying different things for so long I've confused myself? Is there a way to select and bind a cert to a site that doesn't have a domain name?
I'm sure the secret lies in one of these commands:

netsh
certutil
appcmd

Let's Encrypt currently only certifies domain names. If you can create a CNAME from ftp.domain.com to domain.com in your DNS then certify ftp.domain.com, you might be in business.

Also, although Let's Encrypt requires you to use certain port numbers for some methods of proving your control over a domain name, the resulting certificate is not bound to any particular port or protocol, and can be used on any TLS port, protocol, or service. For example, you can use the same Let's Encrypt certificate to secure HTTPS, IMAPS, various forms of secure SMTP, and probably FTPS. :slight_smile: The certificate is only valid when the client is accessing the server using a domain name listed in the certificate, but it does not have to be accessed on a specific port number, and definitely not only via HTTPS.


Thanks for the info. I didn't explain my problem properly so let me try to summarize it.

I'm trying to automate the manual process of going into the IIS management console, selecting my FTP site, selecting the "bindings..." option, and finally selecting the existing certificate from the dropdown. I keep calling that "binding a certificate to a site" but I guess that's confusing.

I am able to do it through a batch file for the website, I just can't seem to make it work for the FTP site.

I would look for a solution in PowerShell.
[If it can be done manually, it can be automated with PowerShell]

Did someone say PowerShell? :partying_face:

To be honest, I haven't used the IIS native FTP server much. But from what I can tell, this is all you need to update the cert assuming it's already in the same cert store as the previous one.

# Load the IIS provider that exposes sites under the IIS:\ drive
Import-Module WebAdministration
$siteName = 'WEBftp'
# Attribute path of the FTP site's SSL certificate setting (system.applicationHost/sites)
$configItem = 'ftpServer.security.ssl.serverCertHash'
# SHA-1 thumbprint of the certificate, no spaces
$thumb = '{new cert thumbprint}'
# Point the FTP site at the new certificate
Set-ItemProperty "IIS:\Sites\$siteName" -Name $configItem -Value $thumb
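For the batch-file requirement in the original question, here is the appcmd equivalent of the PowerShell snippet above. It is an added example, not code posted by anyone in this thread: it writes the same ftpServer/security/ssl attributes that the "FTP SSL Settings" page edits, using the site name and WebHosting store from the question; the thumbprint is a placeholder, and the two channel-policy lines (set to SslRequire here) are an assumption you can drop if you only want the certificate changed. Note that serverCertStoreName must be set when the certificate is not in the default "My" store, which is why the earlier bindings-based attempt had nothing to find.

```batch
@echo off
setlocal
set "SITE=WEBftp"
set "STORE=WebHosting"
rem Placeholder: replace with the real SHA-1 thumbprint, no spaces
set "THUMB=REPLACE_WITH_CERT_THUMBPRINT"
set "APPCMD=%windir%\system32\inetsrv\appcmd.exe"

rem Check the certificate is actually in the store before pointing IIS at it
certutil -store "%STORE%" "%THUMB%" >nul 2>&1
if errorlevel 1 (
    echo Certificate %THUMB% not found in store %STORE% 1>&2
    exit /b 1
)

rem Set the FTP site's certificate (hash + store name) in applicationHost.config.
rem The last two attributes require TLS on control and data channels; this is an
rem assumption of the example, not part of the original question.
"%APPCMD%" set config -section:system.applicationHost/sites ^
  /[name='%SITE%'].ftpServer.security.ssl.serverCertHash:"%THUMB%" ^
  /[name='%SITE%'].ftpServer.security.ssl.serverCertStoreName:"%STORE%" ^
  /[name='%SITE%'].ftpServer.security.ssl.controlChannelPolicy:"SslRequire" ^
  /[name='%SITE%'].ftpServer.security.ssl.dataChannelPolicy:"SslRequire" ^
  /commit:apphost
if errorlevel 1 (
    echo appcmd failed to update FTP SSL settings for %SITE% 1>&2
    exit /b 1
)

rem Print the resulting ssl element so the change shows up in the batch log
"%APPCMD%" list site "%SITE%" /config | findstr /i "serverCertHash"
endlocal
```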