Install and manage IIS with SSL using PowerShell

Using PowerShell, you can quickly install, manage, and configure Windows Server Internet Information Server (IIS), including the role service, bindings, and application pools.

PowerShell makes managing roles and role services extremely easy from an automation and efficiency standpoint. It also helps take out the human error factor when configuring roles and services consistently across a number of Windows Servers.

One of the role services that has long been used with Windows Server is IIS. IIS has been around since Windows NT 4.0 and has received many improvements and enhancements along the way, up to Windows Server 2019.

Let's take a look at how we can install and manage IIS with PowerShell, including installing the role service, configuring SSL, managing bindings, and managing IIS application pools.

Installing IIS using PowerShell

Before you can configure or manage a Windows Server role, you have to get the role installed to begin with. Let's take a look at how we can do this using PowerShell in Windows Server. PowerShell contains myriads of intuitive cmdlets that let you perform the normal GUI-driven operations from the command line. You can easily install roles and features in Windows Server with the Install-WindowsFeature cmdlet. Let's see how easy it is to install the IIS role using this cmdlet.

Use the Install-WindowsFeature cmdlet to install the IIS role listed as Web-Server in Windows Features. The IncludeAllSubFeature and IncludeManagementTools directives install the subfeatures for the role as well as the management tools needed to manage IIS.

  • Install-WindowsFeature -Name "Web-Server" -IncludeAllSubFeature -IncludeManagementTools

Using Install-WindowsFeature to install IIS with PowerShell

When installing IIS with the IncludeAllSubFeature option, you need to make sure you have satisfied all the prerequisites, like installing .NET 3.5. In Windows Server 2019, you may see an error such as the following when installing IIS without having the .NET 3.5 feature enabled.

Error message installing IIS with subfeatures without .NET 3.5 installed

You can easily install the feature with the DISM command and locally mounted Windows Server installation media.
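
The prerequisite fix and the role installation described above, as an added example that is not part of the original article. The drive letter D: for the mounted installation media is an assumption.

```powershell
# Added example: run in an elevated PowerShell session on Windows Server.
# Assumption: the Windows Server installation media is mounted as D:.
$sxsSource = 'D:\sources\sxs'

# The .NET Framework 3.5 payload is not on disk by default, so it needs a source.
$netfx = Get-WindowsFeature -Name 'NET-Framework-Core'
if (-not $netfx.Installed) {
    if (-not (Test-Path -Path $sxsSource)) {
        throw "Installation media not found at $sxsSource"
    }
    # /LimitAccess keeps DISM from contacting Windows Update; only the media is used.
    dism.exe /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess "/Source:$sxsSource"
    # Exit code 3010 means success with a restart pending.
    if ($LASTEXITCODE -notin 0, 3010) {
        throw "DISM failed with exit code $LASTEXITCODE"
    }
}

# Install the IIS role with every subfeature and the management tools.
$result = Install-WindowsFeature -Name 'Web-Server' -IncludeAllSubFeature -IncludeManagementTools
if (-not $result.Success) {
    throw "IIS installation failed with exit code $($result.ExitCode)"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required to complete the installation.'
}

# Review what is now installed: -IncludeAllSubFeature also enables optional
# components (for example the FTP server and WebDAV publishing) that a given
# server may not need.
Get-WindowsFeature -Name 'Web-*' |
    Where-Object Installed |
    Select-Object Name, DisplayName
```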

Managing IIS SSL and binding with PowerShell

Managing SSL certificates and bindings with PowerShell go hand in hand. The SSL certificate creates the secure channel for encrypted communication with IIS. The bindings dictate which ports and SSL certificates to use when configuring IIS to listen on a particular port for a specific website.

Let's take a look at useful PowerShell cmdlets for interacting with IIS SSL configuration and bindings.

Managing IIS bindings

The first thing you may want to do is take a look at the existing websites and bindings present for those websites. We can use the Get-WebSite cmdlet to view existing IIS websites. With this cmdlet, you see useful information such as the state of the site, physical path, and bindings.

Viewing IIS websites and bindings with PowerShell

If you want to take a closer look at bindings in particular, you can use the Get-WebBinding cmdlet to view specifics about the bindings in IIS. This cmdlet also shows sslFlags set for each website to quickly view which IIS sites are SSL enabled.

Getting IIS binding information with PowerShell

Creating a self-signed certificate to use with IIS

You can generate self-signed SSL certificates using PowerShell. In legacy versions of Windows, you had to use a utility like the IIS 6 resource kit tools to generate self-signed certificates. However, now with modern versions of Windows Servers, New-SelfSignedCertificate comes in handy.

The cmdlet below generates a new self-signed certificate for the fully qualified domain name (FQDN) you specify, with a 2048-bit key length, and places it in the Personal store of the computer certificates. With the (Get-Date).AddYears snippet, you can choose how long the self-signed certificate remains valid.

Generating a new self signed certificate with PowerShell

How do you bind this certificate to a website in IIS? To bind port 443 and the HTTPS protocol to the Default Web Site, you can use the following PowerShell cmdlet:

Using the functionality of the WebAdministration PowerShell module, we can interact with HTTP.SYS, as documented by Microsoft. SSL settings are stored in the HTTP.SYS configuration store. To associate the certificate with a particular website, we have to use the certificate hash.

Viewing SSL bindings associated with each IIS site

Now you can use the certificate hash generated using the New-SelfSignedCertificate cmdlet earlier. Note the error below when using the New-Item cmdlet. This indicates there is already a certificate bound. If you have no certificate already, use New-Item; however, if you want to change the existing bound certificate, use the Set-Item cmdlet. This changes the certificate from the currently set SSL cert to the new certificate.

Setting a certificate for the HTTPS binding on an IIS website using PowerShell

After assigning the new SSL certificate to the IIS website, you can open the IIS Management console (inetmgr.exe) to verify the cmdlet set the SSL certificate correctly. We can see the SSL certificate is the newly generated self-signed certificate and the port is properly configured to 443.

Verifying the certificate assigned and the port configured for an IIS website
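
The certificate and binding steps described above, combined into one script as an added example that is not part of the original article. The FQDN and the two-year lifetime are constructed values, and the Set-Item branch follows the article's description of replacing an existing certificate.

```powershell
# Added example: run elevated on a server with the IIS role installed.
Import-Module WebAdministration

$fqdn     = 'web01.example.test'   # constructed name; replace with your FQDN
$siteName = 'Default Web Site'
$sslPath  = 'IIS:\SslBindings\0.0.0.0!443'

# 1. Self-signed certificate: 2048-bit key, Personal store of the computer,
#    valid for two years (assumed lifetime).
$certParams = @{
    DnsName           = $fqdn
    CertStoreLocation = 'Cert:\LocalMachine\My'
    KeyLength         = 2048
    NotAfter          = (Get-Date).AddYears(2)
}
$cert = New-SelfSignedCertificate @certParams

# 2. HTTPS binding on port 443, created only if the site does not have one.
if (-not (Get-WebBinding -Name $siteName -Protocol 'https' -Port 443)) {
    New-WebBinding -Name $siteName -Protocol 'https' -Port 443 -IPAddress '*'
}

# 3. Associate the certificate with the HTTP.SYS SSL binding. New-Item fails
#    when an entry already exists, so an existing entry is changed with Set-Item.
if (Test-Path -Path $sslPath) {
    $cert | Set-Item -Path $sslPath
} else {
    $cert | New-Item -Path $sslPath
}

# 4. Verify from the command line: the thumbprint bound to port 443 must
#    match the certificate that was just created.
$bound = Get-ChildItem -Path 'IIS:\SslBindings' | Where-Object Port -eq 443
if ($bound.Thumbprint -ne $cert.Thumbprint) {
    throw "Unexpected certificate on port 443: $($bound.Thumbprint)"
}
Get-WebBinding -Name $siteName |
    Select-Object protocol, bindingInformation, sslFlags
```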

Managing IIS application pools

The application pool is a modern IIS design construct that helps separate resources and worker processes in IIS between web applications. This is a much better design that helps isolate web applications for stability and security purposes; in this way, web applications have good separation from one another. If one web application has a memory leak or becomes unstable, it will not impact other web applications that run in separate application pools.

The New-WebAppPool cmdlet in PowerShell lets you create a new application pool.

Creating a new IIS application pool with PowerShell

You can use PowerShell to view all the available application pools, including the newly created application pool with the Get-IISAppPool cmdlet.

Viewing the IIS application pools with PowerShell

You can also recycle an application pool with the following cmdlet. By recycling an app pool, the IIS worker process that handles requests for a particular application pool is terminated and a new one is started. This can be useful if a web application becomes unstable. Additionally, it is good to recycle app pools periodically.

Recycling an application pool with PowerShell
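
The application pool tasks described above, as an added example that is not part of the original article. It also reports which pools are shared between sites, since shared pools do not get the separation the section describes; the pool name DemoAppPool is hypothetical.

```powershell
# Added example: run elevated on a server with the IIS role installed.
Import-Module WebAdministration

$poolName = 'DemoAppPool'          # hypothetical pool name
$siteName = 'Default Web Site'

# Create the pool only if it does not already exist.
if (-not (Test-Path -Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}

# Move the site into its own pool so it gets a separate worker process.
Set-ItemProperty -Path "IIS:\Sites\$siteName" -Name applicationPool -Value $poolName

# Isolation review: list each pool's identity and the sites assigned to it
# (root applications of sites only; nested applications are not counted).
$sites  = Get-Website
$report = foreach ($pool in Get-ChildItem -Path 'IIS:\AppPools') {
    $members = @($sites | Where-Object { $_.applicationPool -eq $pool.Name })
    [pscustomobject]@{
        Pool     = $pool.Name
        State    = $pool.State
        Identity = $pool.processModel.identityType
        Sites    = ($members.Name -join ', ')
        Shared   = $members.Count -gt 1
    }
}
$report | Format-Table -AutoSize

# Pools shared by several sites do not get the separation described above.
$report | Where-Object Shared | ForEach-Object {
    Write-Warning "Pool '$($_.Pool)' is shared by: $($_.Sites)"
}

# Recycle the new pool: its worker process is replaced by a fresh one.
# A stopped pool cannot be recycled, so check its state first.
if ((Get-WebAppPoolState -Name $poolName).Value -eq 'Started') {
    Restart-WebAppPool -Name $poolName
}
```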

Wrapping up

PowerShell automation is a great way to install, control, configure, and manage Windows IIS. As shown, you can script many aspects of IIS, including installing the server role and subfeatures as well as the management tools. Configuring the bindings and SSL certificate settings is also possible with PowerShell, in addition to quickly creating self-signed certificates for testing. Finally, you can effectively manage Windows Server IIS application pools, including creating, listing, and recycling these as needed, all using PowerShell.
