Managing Server Certificates Programmatically in IIS 6.0

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

You can use scripts in conjunction with IISCertObj, a Component Object Model (COM) object, to manage certificates remotely and programmatically. You can use IISCertObj to perform the following tasks:

  • Import copies of a certificate from a .pfx file (a PKCS #12 file that holds a certificate together with its private key, protected by a password) onto multiple servers.

  • Save backup copies of certificates on a central site.

  • Copy a certificate from one server onto multiple servers.

To learn about obtaining SSL server certificates, see Obtaining Server Certificates.

Sample Scripts

After acquiring an SSL server certificate from a certification authority, distributing copies to all of the servers requires one or more of the following steps:

  • Import copies of master certificates onto multiple servers.

  • Save backup copies of certificates in a central archive.

  • Copy a certificate from an existing server onto new servers.

In IIS, if you use Windows Script Host (WSH) or Active Server Pages (ASP), you can execute scripts that communicate with IISCertObj programmatically to import, archive (export), or copy certificates.

Import Certificates to Multiple Servers (CertImport.vbs)

Large sites often need to use one SSL certificate for secure user logon to multiple servers. It would be very time-consuming to use the MMC to add copies of the certificate to each server. What you need is a scripted solution that installs copies of the same certificate to all of the targeted servers.

Important

You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /User:MyComputer\Administrator cmd to open a command window with administrator rights, and then type cscript.exe ScriptName (include the script's full path and any parameters).

Save the following script as CertImport.vbs. Modify the command-line statement arguments to match your network resources, then use the command-line statement to import the certificate in the .pfx file onto each server in the list. Note that the script takes both the .pfx password and the administrator password as command-line arguments, where they are visible to other users on the host through process listings; run it only from a session you trust. The third argument to Import (true) marks the imported private key as exportable, which is needed only if you later run an export (such as Save_all_certs.vbs) against these servers; pass false otherwise.

Option Explicit
Dim iiscertobj, pfxfile, pfxfilepassword, InstanceName, WebFarmServers, IISServer
Set iiscertobj = WScript.CreateObject("IIS.CertObj")
' Arguments: .pfx file, .pfx password, metabase instance (for example w3svc/1),
' comma-separated list of target servers, administrator user name, administrator password
pfxfile = WScript.Arguments(0)
pfxfilepassword = WScript.Arguments(1)
InstanceName = WScript.Arguments(2)
WebFarmServers = split(WScript.Arguments(3), ",")
iiscertobj.UserName = WScript.Arguments(4)
iiscertobj.UserPassword = WScript.Arguments(5)
For Each IISServer in WebFarmServers
  iiscertobj.ServerName = IISServer
  iiscertobj.InstanceName = InstanceName
  ' Import(FileName, Password, bAllowExport, bOverWriteExisting):
  ' the private key is marked exportable and any certificate already on the instance is replaced
  iiscertobj.Import pfxfile, pfxfilepassword, true, true
Next

Command-line statement:

Certimport.vbs cert.pfx pfxpassword w3svc/1 iisserver1,iisserver2,iisserver3 Administrator aal34290
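The following PowerShell script is an added example, not code from the original page, that does the same job as CertImport.vbs while keeping both passwords off the command line and checking the result on every server. It assumes PowerShell 2.0 or later on a management host where IIS 6.0 is installed (the IIS.CertObj COM class ships with IIS 6.0); the server names, .pfx path and metabase instance are placeholders, and IsInstalled is an IISCertObj method that is not shown on this page.

```powershell
# CertImport.ps1: added example (not from the original page) that does the job of
# CertImport.vbs without putting either password on the command line.
# Assumptions: PowerShell 2.0 or later on a management host where IIS 6.0 is installed
# (the IIS.CertObj COM class ships with IIS 6.0); server names, the .pfx path and the
# metabase instance are placeholders supplied by the operator.
param(
    [Parameter(Mandatory = $true)] [string]   $PfxFile,
    [Parameter(Mandatory = $true)] [string[]] $Servers,
    [string] $InstanceName = "w3svc/1",
    # Pass -AllowExport only if Save_all_certs.vbs (or another exporter) must later
    # pull the private key back off these servers; otherwise keep the key non-exportable.
    [switch] $AllowExport
)

$ErrorActionPreference = "Stop"
$pfxPath = (Resolve-Path $PfxFile).Path

# Secrets are prompted for, not passed as arguments, so they do not appear in
# process listings (tasklist /v, Process Explorer) or in the shell history.
$pfxSecure   = Read-Host -Prompt "Password for $pfxPath" -AsSecureString
$pfxPassword = (New-Object System.Management.Automation.PSCredential("pfx", $pfxSecure)).GetNetworkCredential().Password
$adminCred   = Get-Credential      # an account in the Administrators group on every target server

# Inspect the .pfx locally before touching any server: refuse a file with no private key
# or an expired certificate, and record the thumbprint the operator should expect on each server.
$pfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pfxPath, $pfxPassword
if (-not $pfxCert.HasPrivateKey) { throw "$pfxPath contains no private key; it cannot be used for SSL." }
if ($pfxCert.NotAfter -lt (Get-Date)) { throw "Certificate $($pfxCert.Thumbprint) expired on $($pfxCert.NotAfter)." }
Write-Host ("Importing {0} (expires {1}) to {2} server(s)" -f $pfxCert.Thumbprint, $pfxCert.NotAfter, $Servers.Count)
$pfxCert.Reset()   # release the temporary key container created when the .pfx was opened

$certObj = New-Object -ComObject IIS.CertObj
$certObj.UserName     = $adminCred.UserName
$certObj.UserPassword = $adminCred.GetNetworkCredential().Password   # IISCertObj only accepts a plain string
$certObj.InstanceName = $InstanceName

$results = @()
foreach ($server in $Servers) {
    $certObj.ServerName = $server
    $status = "OK"
    try {
        # Same call as CertImport.vbs: Import(FileName, Password, bAllowExport, bOverWriteExisting)
        $certObj.Import($pfxPath, $pfxPassword, [bool]$AllowExport, $true)
        # IsInstalled (IISCertObj method, not shown on the page) reports whether a
        # certificate is now bound to the instance on the server named in ServerName.
        if (-not $certObj.IsInstalled()) { $status = "FAILED: no certificate bound after import" }
    } catch {
        # One unreachable or misconfigured server must not abort the rest of the farm.
        $status = "FAILED: " + $_.Exception.Message
    }
    $results += New-Object PSObject -Property @{ Server = $server; Instance = $InstanceName; Status = $status }
}

[void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($certObj)
$pfxPassword = $null   # .NET strings cannot be zeroed; dropping the references is the best available
$results | Format-Table Server, Instance, Status -AutoSize
# Non-zero exit so a scheduled job or calling script notices a partial failure
if ($results | Where-Object { $_.Status -ne "OK" }) { exit 1 }
```

Run it as `.\CertImport.ps1 -PfxFile C:\certs\cert.pfx -Servers iisserver1,iisserver2,iisserver3` from the administrator command window described under Important; the script prompts for the .pfx password and the administrator credentials. The private key is imported non-exportable unless you pass -AllowExport, which reverses the default of the VBScript version so that a compromised web server does not also yield a reusable copy of the key.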

Save Certificates in a Central Archive (Save_all_certs.vbs)

Using the IISCertObj Export method, you can archive a backup of the certificate, including its private key, from each server in your server farm to a central site.

Save the following script as Save_all_certs.vbs in your text editor. Modify the command-line statement arguments to match your network resources. Then use the command-line statement to export copies of the certificates to the central site. The exported .pfx files contain private keys, so restrict the ACL on the archive directory to the administrators who need it, and keep in mind that, as with CertImport.vbs, the .pfx password and the administrator password are passed on the command line and are visible in process listings on the host. Export succeeds only if the private key on the server was imported as exportable.

Option Explicit
Dim iiscertobj, targetServer, targetServers, pfxbasename, pfxpassword, InstanceName
Set iiscertobj = WScript.CreateObject("IIS.CertObj")
' Arguments: archive path prefix (for example C:\certbackup\), password for the exported .pfx files,
' metabase instance, comma-separated list of servers, administrator user name, administrator password
pfxbasename = WScript.Arguments(0)
pfxpassword = WScript.Arguments(1)
InstanceName = WScript.Arguments(2)
targetServers = split(WScript.Arguments(3), ",")
iiscertobj.UserName = WScript.Arguments(4)
iiscertobj.UserPassword = WScript.Arguments(5)
iiscertobj.InstanceName = InstanceName
For Each targetServer in targetServers
  iiscertobj.ServerName = targetServer
  ' Export(FileName, Password, bPrivateKey, bCertChain, bRemoveCert): one file per server,
  ' named <prefix><server>.pfx, with the private key but without the chain; the certificate stays on the server
  iiscertobj.Export pfxbasename & targetServer & ".pfx", pfxpassword, true, false, false
Next

Command-line statement:

Save_all_certs.vbs C:\certbackup\ adsf-0324 w3svc/1 iisserver2,iisserver3,iisserver4 Administrator aal34290
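A backup that cannot be restored is not a backup, so the following PowerShell script, an added example that is not part of the original page, audits an archive directory written by Save_all_certs.vbs. It assumes PowerShell 2.0 or later, the directory and file naming from the command line above (one <prefix><server>.pfx per server), and the password used at export time; it needs no IIS and no network access.

```powershell
# Verify-CertArchive.ps1: added example (not from the original page) that checks each
# .pfx written by Save_all_certs.vbs can actually be opened and is worth keeping.
# Assumptions: PowerShell 2.0 or later; the archive directory and file naming follow the
# page's command line; the password is the one given to Save_all_certs.vbs at export time.
param(
    [string] $ArchiveDir = "C:\certbackup",
    [int]    $WarnDays   = 30
)

$pfxSecure   = Read-Host -Prompt "Password used when exporting the .pfx files" -AsSecureString
$pfxPassword = (New-Object System.Management.Automation.PSCredential("pfx", $pfxSecure)).GetNetworkCredential().Password

$report = @()
foreach ($file in Get-ChildItem -Path $ArchiveDir -Filter *.pfx) {
    $entry = New-Object PSObject -Property @{
        File = $file.Name; Status = ""; Thumbprint = ""; NotAfter = $null; HasPrivateKey = $false
    }
    try {
        # Opening the file with its password is the restore operation in miniature: a wrong
        # password, a truncated file or a file that is not PKCS #12 all fail here.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName, $pfxPassword
        $entry.Thumbprint    = $cert.Thumbprint
        $entry.NotAfter      = $cert.NotAfter
        $entry.HasPrivateKey = $cert.HasPrivateKey
        if (-not $cert.HasPrivateKey)                           { $entry.Status = "NO PRIVATE KEY" }   # certificate only; useless for SSL restore
        elseif ($cert.NotAfter -lt (Get-Date))                  { $entry.Status = "EXPIRED" }
        elseif ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) { $entry.Status = "EXPIRES SOON" }
        else                                                    { $entry.Status = "OK" }
        $cert.Reset()   # release the temporary key container created when the .pfx was opened
    } catch {
        $entry.Status = "UNREADABLE: " + $_.Exception.Message
    }
    $report += $entry
}

# A farm that shares one certificate should show exactly one thumbprint across the archive;
# more than one means some server is serving a different (possibly stale) certificate.
$thumbprints = @($report | Where-Object { $_.Thumbprint } | ForEach-Object { $_.Thumbprint } | Sort-Object -Unique)
if ($thumbprints.Count -gt 1) {
    Write-Warning ("Archive contains {0} different certificates; the farm is not consistent." -f $thumbprints.Count)
}

$pfxPassword = $null
$report | Format-Table File, Status, Thumbprint, NotAfter -AutoSize
if ($report | Where-Object { $_.Status -ne "OK" }) { exit 1 }
```

Run it right after Save_all_certs.vbs, and again on a schedule: the expiry check turns the archive into an early warning for certificate renewal, and the thumbprint comparison catches a server that was missed by the last CertImport.vbs run.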

Copy a Certificate from an Existing Server to a New Server (CertCopy.vbs)

With the script and command-line statement below you can use the copy method of IISCertObj to copy a certificate to a new server after you add the server to a server farm.

Save the script below as certcopy.vbs. Modify the command-line statement arguments to match your network resources. Then run the command-line statement.

Option Explicit
Dim iiscertobj, targetServer, targetServers, targetInstance
Set iiscertobj = WScript.CreateObject("IIS.CertObj")
' Arguments: source server, source metabase instance, comma-separated list of new servers,
' destination metabase instance, administrator user name, administrator password
iiscertobj.ServerName = WScript.Arguments(0)
iiscertobj.InstanceName = WScript.Arguments(1)
targetServers = split(WScript.Arguments(2), ",")
targetInstance = WScript.Arguments(3)
iiscertobj.UserName = WScript.Arguments(4)
iiscertobj.UserPassword = WScript.Arguments(5)
For Each targetServer in targetServers
  ' Copy(bAllowExport, bOverWriteExisting, DestinationServerName, DestinationInstanceName):
  ' the copied private key is marked exportable and any existing certificate on the destination is replaced
  iiscertobj.Copy true, true, targetServer, targetInstance
Next

Command-line statement:

Certcopy.vbs iisServer1 w3svc/1 iisServer2 w3svc/1 Administrator asdf-0324