Is there any way to set Friendly Name while exporting to ExportPkcs12? #85

Open
AnderssonPeter opened this issue Jan 29, 2016 · 10 comments

Comments

@AnderssonPeter

I have tried to use Update-ACMECertificate and set Label and Memo but after using Get-ACMECertificate they are still empty (it seems Update-ACMECertificate has no effect).

So is there any way to set Friendly Name while exporting to ExportPkcs12? (The reason for this is that I want to use the same cert for multiple domains in IIS, and that requires the name to start with a *.)

@ebekker
Owner

ebekker commented Jan 30, 2016

I'm afraid there's no built-in support at this time. I'll mark this as an enhancement request to research.

@bseddon
Contributor

bseddon commented Feb 3, 2016

You can accomplish this using PowerShell. The following command will do it:

```powershell
Get-ChildItem "Cert:$certPath" | Where-Object { $_.Subject -eq "CN=$domain" } | ForEach-Object { $_.FriendlyName = $friendlyname }
```

Where:

- `$certPath` is the path to the certificate folder you are using, such as `\LocalMachine\WebHosting`
- `$domain` is the domain of the certificate generated
- `$friendlyname` is the name you want to add

The limitation of this command example is that if you have two certificates with the same CN they will be given the same friendly name. To improve this you can use a more precise filter in the 'where-object' filter.
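One way to make the filter more precise, as an added example that is not part of the original comment or of the script it mentions: the hypothetical helper `Set-NewestCertFriendlyName` keeps the same subject match but only considers certificates that have a private key and are currently valid, renames just the most recently issued one, and returns its thumbprint. The sample domain and friendly name are constructed values.

```powershell
# Added example: hypothetical helper, not code from the thread or the ACMESharp project.
function Set-NewestCertFriendlyName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $FriendlyName,
        [string] $CertPath = '\LocalMachine\WebHosting'
    )

    $now = Get-Date

    # Same subject match as the one-liner, narrowed to usable certificates:
    # a private key must be present and the validity period must include now.
    $candidates = @(Get-ChildItem -Path "Cert:$CertPath" |
        Where-Object {
            $_.Subject -eq "CN=$Domain" -and
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and
            $_.NotAfter -gt $now
        } |
        Sort-Object -Property NotBefore -Descending)

    if ($candidates.Count -eq 0) {
        throw "No valid certificate with a private key for CN=$Domain in Cert:$CertPath"
    }

    # The most recently issued certificate is renamed; older ones are reported only.
    $target = $candidates[0]
    foreach ($old in ($candidates | Select-Object -Skip 1)) {
        Write-Warning "Leaving $($old.Thumbprint) (expires $($old.NotAfter)) unchanged"
    }

    if ($PSCmdlet.ShouldProcess($target.Thumbprint, "Set FriendlyName to '$FriendlyName'")) {
        $target.FriendlyName = $FriendlyName
    }

    # Return the thumbprint so later steps can address this exact certificate.
    return $target.Thumbprint
}

# Constructed sample values; -WhatIf shows the selection without changing the store.
$thumbprint = Set-NewestCertFriendlyName -Domain 'www.example.com' -FriendlyName '*.example.com' -WhatIf
```

Changing a certificate in the LocalMachine store requires an elevated session.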

@AnderssonPeter
Author

Thanks @bseddon, this seems like a good solution. I'll try it later!

@bseddon
Contributor

bseddon commented Feb 3, 2016

Hope it works for you. I took it from a script I created to automate the whole process so I'm able to create and renew certificates using a scheduled task. You may find other snippets useful. It's here.

@AnderssonPeter
Author

@bseddon Just one question: if I renew a cert with your script and it's mapped in IIS (to multiple sites), will IIS pick up the new cert automatically?

@bseddon
Contributor

bseddon commented Feb 4, 2016

@Petoj87 It does appear to do so for me. Once the map has been set in IIS, the assigned certificate seems to be used even after it's been updated in the underlying store. But let me know your experience.

Updating the binding should be possible using PowerShell. Here's how a new binding is added or updated:

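```powershell
# Bind the certificate with the given thumbprint to the SSL binding on 0.0.0.0:443
Get-Item "Cert:\LocalMachine\WebHosting\$thumbprint" | New-Item "IIS:\SslBindings\0.0.0.0!443"
```

This will assign the certificate with a given thumbprint to the SSL binding of the default site.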

@AnderssonPeter
Author

@bseddon I found Switch-Certificate. Do you have any idea what it's used for?
The description just says "Marks one certificate as having been replaced by another certificate." The question is, will applications like IIS use the new cert? (This way maybe you don't have to delete history?) (I have no idea if you do delete the old cert.)

@bseddon
Contributor

bseddon commented Feb 4, 2016

I believe this command has a different purpose and I don't believe this is a command that will switch the certificate used by IIS. Securing web communications using SSL is only one purpose for a certificate and there are many others.

Suppose you have distributed an application that relies on using a specific certificate for authentication but that certificate changes for some reason (other than expiry). Perhaps the company was bought out and wants to change the domains listed in the certificate.

Anyway, this command allows a field in the original certificate to point to its replacement so the distributed application does not need to be replaced.

@AnderssonPeter
Author

@bseddon Thanks for clarifying.

@bseddon
Contributor

bseddon commented Feb 6, 2016

@Petoj87 I've updated the script to support alternative names. While doing this I looked at the question of whether the SSL bindings of an IIS web site are updated - and they were not. The updated script fixes this.

Here's how to update the SSL bindings to use an updated/changed certificate:

```powershell
# The IIS: drive is provided by the WebAdministration module
Import-Module WebAdministration
# Get a single certificate
$cert = Get-Item "Cert:\LocalMachine\WebHosting\$thumbprint"
# Remove any existing binding
Remove-Item -Path "IIS:\SslBindings\*!443!$domain"
# Add a new binding
New-Item -Path "IIS:\SslBindings\*!443!$domain" -Value $cert -SSLFlags 1
```
