Fast2Host Logo

SSL Certificates

Replace wildcard SSL on multiple sites bound to same IP

Replace wildcard SSL on multiple sites bound to same IP

The context of the answer is that IIS 7 doesn't actually care about the certificate binding. IIS 7 only ties websites to one or more sockets. Each socket being a combination of IP + port. Source: IIS7 add certificate to site from command line

So, what we want to do is do certificate re-binding on the OS layer. The OS layer takes control of the SSL part, so you use netsh to associate a certificate with a particular socket. This is done through netsh using netsh http add sslcert.

When we bind a (new) certificate to a socket (ip + port), all sites using that socket will use the new certificate.

The command to bind a certificate to a socket is: netsh http add sslcert ipport= certhash=1234567890123456789012345678901234567890 appid={12345678-1234-1234-1234-999999999999}

How to

This part explains how to proceed step-by-step. It assumes you have some websites (, running a * certificate that is about to expire. You already have a new certificate that you already installed on the server but not yet applied to the websites on IIS.

First, we need to find out 2 things. The new certhash and the appid.

  • certhash Specifies the SHA hash of the certificate. This hash is 20 bytes long and specified as a hexadecimal string.
  • appid Specifies the GUID to identify the owning application, which is IIS itself.

Find the certhash

Execute the certutil command to get all certificates on the machine:

certutil -store My

I need not all information so I do:

certutil -store My | findstr /R "sha1 ===="

Among the output is:

================ Certificate 5 ================
Subject: CN=*, OU=PositiveSSL Wildcard, OU=Domain Control Validated
Cert Hash(sha1): 12 34 56 78 90 12 34 56 78 90 12 34 56 78 90 12 34 56 78 90

1234567890123456789012345678901234567890 is the certhash we were looking for. it's the Cert Hash(sha1) without the spaces.

Find the appid

Let's start of by looking at all certificate-socket bindings:

netsh http show sslcert

Or one socket in particular

netsh http show sslcert ipport=


SSL Certificate bindings:
IP:port :
Certificate Hash : 1234567890123456789012345678901234567890
Application ID : {12345678-1234-1234-1234-123456789012}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled

{12345678-1234-1234-1234-123456789012} is the appid we were looking for. It's the Application ID of IIS itself

bind a (new) certificate to a socket

Open a command prompt and run it as a administrator. If you don't run it as administrator, you'll get an error like: "The requested operation requires elevation (Run as administrator)."

First remove the current certificate-socket binding using this command

netsh http delete sslcert ipport=

You should get:

SSL Certificate successfully deleted

Then use this command (found here) to add the new certificate-socket binding:

netsh http add sslcert ipport= certhash=1234567890123456789012345678901234567890 appid={12345678-1234-1234-1234-123456789012}

(use the certhash and appid that you found earlier)

SSL Certificate successfully added

DONE. You just replaced the certificate of all websites that are bound to this IP + port (socket).

Maintain peace of mind with UK based support

Email any time or call 01480 26 00 00 014 80 26 00 00