Setting Server Name Indication (SNI) unbinds the certificate

Time: 2015-05-29 17:49:45

Tags: c# wix iis-8.5

I'm using Microsoft.Web.Administration (inside a WiX CustomAction) to configure Server Name Indication and bind an existing server certificate to a site on IIS 8.5.

It turns out that setting SNI unbinds the certificate. The following code should make this clearer:

using System.Linq;
using Microsoft.Web.Administration;

// site, sitename, certificate and store are prepared earlier in the custom action
var binding = site.Bindings.FirstOrDefault(x => x.IsIPPortHostBinding && x.Host == sitename);

binding.CertificateHash = certificate.GetCertHash();
binding.CertificateStoreName = store.Name;

// this statement is causing the certificate info to get messed up.
binding["sslFlags"] = 1; // or binding.SetAttributeValue("sslFlags", 1);

Result:

With binding["sslFlags"] = 1; (screenshot omitted)

Without binding["sslFlags"] = 1; (screenshot omitted)

Is this a bug, or am I missing something? How can I get SNI and the certificate binding to work together?

3 answers:

Answer 0 (score: 2)

It seems Microsoft.Web.Administration v7.0 is the culprit. It is the official version in the NuGet gallery and appears to target mainly IIS 7 (I mean it works for the features common to IIS 7 and 8, but anything 7 doesn't have produces strange results like the one described above).

Using IIS.Microsoft.Web.Administration (apparently a community-uploaded package for IIS 8.5) works. Got the hint from this answer.

Updated code:

binding.CertificateHash = certificate.GetCertHash();
binding.CertificateStoreName = store.Name;

binding.SslFlags = SslFlags.Sni;  // <<< notice it has helpful enums

Answer 1 (score: 1)

This works for me with Microsoft.Web.Administration 7.0.0.0

using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Administration;

public static void CreateSiteHttps(string siteName, string physicalPath)
{
    using (var serverManager = new ServerManager())
    {
        var applicationPool = serverManager.ApplicationPools.Add(siteName);
        applicationPool["startMode"] = "AlwaysRunning";

        var x509Store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        x509Store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadWrite);

        // throws IndexOutOfRangeException if no certificate with that subject is in the store
        var certificate = x509Store.Certificates.Find(X509FindType.FindBySubjectName, "MyCertSubjectName", false)[0];

        var hash = certificate.GetCertHash();
        x509Store.Close();

        // the binding "*:443:<siteName>" is created together with the certificate hash
        var site = serverManager.Sites.Add(siteName, $"*:443:{siteName}", physicalPath, hash);
        site.ServerAutoStart = true;
        site.Bindings[0]["sslFlags"] = 1; // 1 = SNI
        site.ApplicationDefaults.ApplicationPoolName = applicationPool.Name;
        site.ApplicationDefaults.EnabledProtocols = "http,https";

        serverManager.CommitChanges();
    }
}

Answer 2 (score: 0)

The certificate is removed when SNI is enabled. You can get the certificate first, then enable SNI, and then set the certificate again:

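An added example, not code from any of the answers above, that combines the ordering advice in answer 2 with the package finding in answer 0: set the SNI flag before the certificate, commit, and then re-open the configuration from a fresh ServerManager to confirm the certificate hash really survived. The site name, host, hash and store name are assumed parameters.

```csharp
// Added example: bind a certificate to an existing HTTPS binding with SNI
// enabled and verify the result after CommitChanges().
// Assumes Microsoft.Web.Administration and an existing "*:443:<host>" binding.
using System;
using System.Linq;
using Microsoft.Web.Administration;

public static class SniBinding
{
    // Returns true only if the committed binding still carries the expected
    // certificate hash, store name and SNI flag.
    public static bool BindCertificateWithSni(string siteName, string host,
                                              byte[] certHash, string storeName)
    {
        using (var serverManager = new ServerManager())
        {
            var site = serverManager.Sites[siteName];
            var binding = site.Bindings.FirstOrDefault(
                b => b.Protocol == "https" && b.Host == host);
            if (binding == null)
                throw new InvalidOperationException("no https binding for host " + host);

            // Set the flag first, then the certificate, so a package that
            // resets certificate fields when sslFlags changes cannot wipe them.
            binding["sslFlags"] = 1;            // 1 = SNI (SslFlags.Sni in the IIS 8.x package)
            binding.CertificateHash = certHash;
            binding.CertificateStoreName = storeName;

            serverManager.CommitChanges();
        }

        // Re-read from a fresh ServerManager: the in-memory object can still
        // show the values you just assigned even when the commit dropped them.
        using (var verify = new ServerManager())
        {
            var binding = verify.Sites[siteName].Bindings.FirstOrDefault(
                b => b.Protocol == "https" && b.Host == host);

            return binding != null
                && binding.CertificateHash != null
                && binding.CertificateHash.SequenceEqual(certHash)
                && string.Equals(binding.CertificateStoreName, storeName,
                                 StringComparison.OrdinalIgnoreCase)
                && Convert.ToInt32(binding["sslFlags"]) == 1;
        }
    }
}
```

If the method returns false, the installer should fail the custom action rather than leave a site that answers on 443 without a certificate.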