SSL Certificates Basics with netsh

Setting up certificates are an important step when you start working on different servers and require encryption. To help, we’re going to look at some easy commands with netsh to manage your certificates.

Firstly, certificates are normally bound to ports. For instance, you can have a certificate for your server for a HTTPS website, which would be bound to Port 443. You could have more certificates bound to other ports, or you can bind a certificate to multiple ports as well.

If you’re using a server with an existing certificate, you can easily reuse it, by getting its hash/fingerprint and binding it to another port you want to use. Remember, if you want to use a port, you’ll need to open it up on your Firewall settings. Also, once you’ve bound your certificate to a port, you’ll use the secured protocol to access it (i.e. https instead of http).

One more important point. If you’ve already got a certificate bound to a port, you’ll need to remove the binding before binding a different certificate.

A great way to work with certificates is to use a Windows Command Line tool called netsh.

Here’s another article explaining how to do the creation of a cert with openssl and the binding.

I’d recommend playing with netsh a little. netsh is a like a collection of applications inside one app. You can type the whole command in one line, like in the above article, or you can drill down into the applications like explained below:

To start with netsh:

  • Open your cmd as admin. Then just type in netsh. It will give you a new prompt.

C:\> netsh
netsh>

  • Type help to see possible options.

netsh> help

In our case, we want to work with Http Certificates, so type in http. It will change the prompt.

netsh> http
netsh http>

  • Again type help. There is a show option. We can use that to show our certificates. But to see what can be showed, we can just type show. It will show us we can show sslcert:

netsh http> show sslcert

  • It will show you all the certificates bound to different ports. If you’ve got an existing certificate you want to reuse, find the port that it’s currently boud to (i.e. port 443). Copy the Certificate Hash and paste it into a note somewhere.

  • Next, on that same list, look for the port you want to bind to. If that port already has a certificate, check if the certificate hash is different to the one you copied above. If the port does not show, then there’s no certificate and you don’t have to delete it.

  • Now to unbind the certificate on your port, you will use the delete sslcert command. For example, if I want to unbind port 8023 I would type:

netsh http> delete sslcert ipport=0.0.0.0:8023

  • If successful, you can now bind the other certificate using the add sslcert command all in one line (paste your own cert hash that you saved previously):

netsh http>add sslcert ipport=0.0.0.0:8023 certhash=d7bd8d21761135c12249cb1467a5caed6c6efc07 appid={00000000-0000-0000-0000-000000000000}

That’s it. Now it should use the other cert for that port.

Some errors which commonly occurs is if you get an Access Denied, or the certificate can’t be found. This happens if your certificate is saved in an inaccessible Key store. Just add the certificate again to your correct Key store and try again.