IIS7 add certificate to site from command line

I've found through APPCMD that most of IIS7 configuration is possible through the command line. One thing I've not figured out how to do yet: in IIS Manager, Bindings -> Edit -> pick an SSL Certificate.

"appcmd set site /site.name:foo /?" lists 2 keys that start with "bindings" ("protocol", "bindingInformation") but I haven't found out what they are.

Some other place suggested that "netsh" could do this, but "netsh http show sslcert" shows my certificate as bound to "0.0.0.0:443" and not to particular IIS7 sites.

Given that I know the IIS7 name/ID of a site, and the hash of my certificate (which is already the cert on other sites here), is there any way to make it the SSL cert for another IIS7 site, from the command line?

UPDATE: I did this in the UI, and diff'd the registry, and see that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443 (also in ControlSet0001) is created with my SslCertHash, and an AppId that looks just like the UUID that "netsh http show sslcert" prints but with each section reversed (81e1c34d4be121...). I think I read that this is the AppId for IIS apps, but I'm not sure. It doesn't change in the registry when I delete the Site in IIS Manager and switch to another Site with this SSL cert. Anyway, this looks like the same level of granularity that netsh provides, so I really don't know where IIS Manager gets its per-Site bindings SSL cert assignment.


To call out the bits, this is different from IIS6 and earlier. In IIS 6, the metabase contained the socket, the certificate hash associated with the socket, and so on. In 7, the IIS config just contains a socket (a.b.c.d:443) and lets the OS worry about the certificate management stuff on that socket. (Through the GUI, it's designed to look roughly how it used to). The rule is: you can only have one certificate bound to one socket.

IIS:

In IIS 7, IIS doesn't actually care about the certificate binding. I know, like, gasp, right?

In IIS7, all the IIS configuration does is tie IIS to a specific socket (IP + port). That's it. Makes the configuration much more portable between boxes when you don't need to uniquify the certificate hash on each one.

IIS config is managed using APPCMD or {insert IIS 7 management tool of choice here}, by creating a binding for the site to a socket.

OS:

The OS layer takes over control of the SSL part, so you use NETSH to associate a certificate with a particular socket.

This is done through NETSH.

Sukesh posted a guide to both bits a long time ago, and it's still valid: https://stackoverflow.com/questions/591597/how-to-assign-a-ssl-certificate-to-iis7-site-from-command-prompt