Dan

Bind SSL Certificate for website on upgrade without asking the certificate

Thu Feb 20, 2020 3:32 pm

Hello,

There are cases when you install WebApps where the user is asked to select an SSL certificate during installation. The selected certificate is then used by the IIS elements.

Although Advanced Installer has predefined support for this, it cannot preserve the website's SSL certificate during an upgrade. Using the predefined support, you would always have to ask the user for the SSL certificate.

To avoid asking the user for the certificate, you can implement a custom action that, during a first-time install, configures the website with the certificate selected by the user.
On upgrade, another custom action gets the certificate that was assigned to the website and uses it when installing the upgraded package.

During an upgrade, the website installed by the old version will be removed and reinstalled by the new version.



1) Create the dialog where the user will have to enter the IIS elements:

SSL Dialog.PNG

To allow the user to select the SSL certificate during installation, please take a look at the How to select an external file during the installation article.




2) Create the IIS Website in the IIS page. The website name can be configured during installation.

IIS view.PNG

No other change was made for the website; the default values were kept.




3) Add the custom action that will configure the website for the first time install

For this, I've used the predefined Execute inline powershell script, configured as follows:

FirstTimeInstallCA.PNG

and has the following code:

Code: Select all

# Block for declaring the script parameters.
Param($siteName, $certPath, $CertificatePassword)

# Your code goes here.

# Convert the plain-text password to a SecureString
$sSecStrPassword = ConvertTo-SecureString -String $CertificatePassword -Force -AsPlainText

# Import the PFX into the LocalMachine\My store and keep its thumbprint
$certThumbprint = (Import-PfxCertificate -FilePath $certPath -Password $sSecStrPassword -CertStoreLocation Cert:\LocalMachine\My).Thumbprint


# Create HTTPS binding
New-WebBinding -name "$siteName" -Protocol "https" -HostHeader "www.DemoWebsiteSSL.com" -Port 445 -SslFlags 1

# Attach certificate to HTTPS binding
$guid = [guid]::NewGuid().ToString("B")
netsh http add sslcert hostnameport="www.DemoWebsiteSSL.com:445" certhash="$certThumbprint" certstorename=My appid="$guid"



4.1) During an upgrade, you need to get the Thumbprint of the certificate that was used for the website:

GetThumbprintOnUpgradeCA.PNG

with the following code:

Code: Select all

# Block for declaring the script parameters.
Param()

# Your code goes here.


# on upgrade, read the website name from the WEBSITE_NAME installer property
$websiteName = AI_GetMsiProperty WEBSITE_NAME


# on upgrade, get certHash since cert is already installed
$certThumbprint  = (Get-WebBinding -Name "$websiteName" | ? { $_.Protocol -eq "https" }).certificateHash

AI_SetMsiProperty CERT_THUMBPRINT $certThumbprint




4.2) Add a custom action that will bind the certificate to the upgraded website:

ConfigureBindingsOnUpgrade.PNG

that has the following code:

Code: Select all

# Block for declaring the script parameters.
Param($certThumbprint, $siteName)

# Your code goes here.

# Create HTTPS binding
New-WebBinding -name "$siteName" -Protocol "https" -HostHeader "www.DemoWebsiteSSL.com" -Port 445 -SslFlags 1

# Attach certificate to HTTPS binding
$guid = [guid]::NewGuid().ToString("B")
netsh http add sslcert hostnameport="www.DemoWebsiteSSL.com:445" certhash="$certThumbprint" certstorename=My appid="$guid"



5) The action that configures the IIS elements runs last in the install sequence, so you need to go to the Table Editor and make sure the PowerShell custom actions run after it:

ChangeInstallExecuteSequence.PNG

Since the user will not need to select the certificate on upgrade, the dialog can be hidden with a "show only if" event whose condition is NOT OLDPRODUCTS.


Cond show dlg.PNG


6) Since any operation on IIS requires admin privileges, you will have to enable the run as admin option in the Install Parameters.

RunAs Admin.PNG

If this option is not selected, the custom action that retrieves the Thumbprint of the certificate that was used during the first time installation will fail.



7) Also, the property that is attached for the website needs to be persistent:

Persistent property.PNG

I've attached a sample project that has all the above configured, so you are more than welcome to download the zip file. Also, I've attached a test SSL certificate (password is caphyon).

Another solution for this problem is presented in the Prevent IIS elements from being removed during upgrade article, where the IIS elements are prevented from being removed by conditioning the execution of the actions that handle IIS elements.

Looking forward to hearing from you.

Best regards,
Dan
Attachments
IIS - Keep SSL certificate during upgrade.zip
Dan Ghiorghita - Advanced Installer Team
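
A stricter variant of the step 4.2 custom action, added here as an example and not part of the original post or the attached sample project: it checks the thumbprint recovered in step 4.1 before binding, because Get-WebBinding returns nothing when the old site had no HTTPS binding. It assumes the same host header, port and certificate store as the scripts above and reports failure by throwing a terminating error.

```powershell
# Added example, not the sample project's code.
Param($certThumbprint, $siteName)

Import-Module WebAdministration
$ErrorActionPreference = 'Stop'

# Assumption: same host header and port as the scripts in the post.
$hostName = 'www.DemoWebsiteSSL.com'
$port     = 445

# An empty or malformed CERT_THUMBPRINT must stop the upgrade here,
# otherwise netsh is called with a certhash that matches no certificate.
$thumb = ("$certThumbprint" -replace '\s', '').ToUpperInvariant()
if ($thumb -notmatch '^[0-9A-F]{40}$') {
    throw "CERT_THUMBPRINT is not a SHA-1 thumbprint (40 hex characters)."
}

# The certificate must still be in LocalMachine\My, with its private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumb } |
    Select-Object -First 1
if (-not $cert) { throw "Certificate $thumb not found in Cert:\LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key." }

# Flag an expired certificate instead of re-binding it silently.
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate $thumb expired on $($cert.NotAfter)."
}

# Create the HTTPS (SNI) binding only if the site does not have it already.
$existing = Get-WebBinding -Name $siteName -Protocol 'https' -Port $port -HostHeader $hostName
if (-not $existing) {
    New-WebBinding -Name $siteName -Protocol 'https' -HostHeader $hostName -Port $port -SslFlags 1
}

# Attach the certificate and fail the action if netsh reports an error.
$guid = [guid]::NewGuid().ToString('B')
netsh http add sslcert hostnameport="${hostName}:$port" certhash="$thumb" certstorename=My appid="$guid"
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add sslcert failed with exit code $LASTEXITCODE."
}
```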