Binding certificates to SSL Ports for SignalR/StifleR

Self-hosting under HttpListener is wonderful and completely self-contained, but one of the downsides of not being integrated with IIS is that it cannot be aware of any certificates that are installed for IIS. This means that any certificates you want to use must be explicitly bound to a Port. If you can use IIS certificates and if you need to acquire a full certificate for use with a self-hosted application, going through the IIS certificate process is the easiest way to get the certificate loaded. If you require a certificate for local testing then it is quite easy to use the IIS self-signed certificate creation tool to create this component.

For now, let's assume that you already have a certificate installed into the Windows certificate store. In order to bind a certificate to the StifleR endpoint, you have to use the NETSH command line utility to register it on the machine (entered all on one line, split below for readability):

netsh http add sslcert ipport= 

For every endpoint mapping you need to supply 3 values:

1. The ipport which identifies the ip and port

Specified as ipport= where the zeros mean all ip addresses on port 1414. You can also specify a specific IP Address if required.

2. An AppID which is fixed for HttpListener Hosting

This value is static so always use appid={12345678-db90-4b66-8b01-88f7af2e36bf}

3. The certhash which is the Certificate's Thumbprint. Here's how to find the certhash

The certhash is the id that maps the certificate to the IP endpoint above. You can view this hash in the properties of the certificate in the Windows Certificate store. This is covered in the next section.

Once the above command has been run you can check if it was successful by checking the binding as follows:

netsh http show sslcert ipport=

which should give you a display similar to the following:

Repeat the above procedure for port 9000 (or other port used for the Web API)

Last updated