Certificate provisioning for Microsoft IIS 6 webservers
This script, written in VBScript, automatically provisions a Microsoft IIS 6 web server that hosts secure websites with the required SSL/TLS certificates.
If a certificate does not exist or is about to expire, the script requests a new certificate from PGP Universal Server for every website configured.
PGP Command Line Version required (min): 10.0.0
PGP Universal Server Version required (min): 3.0.0
Script language: VBScript
Developed for platform: Windows 2003 Server
Platforms the script will work on: Windows XP, Windows Vista, Windows 2003 Server
This script is only for use with Microsoft Internet Information Server (IIS) 6. It will not work with Microsoft IIS 7 running on Windows 2008 Server.
The websites that should be managed need to be defined by name in the script's configuration section. Please see the readme for details.
REQUIREMENTS:
-------------
* A reachable Universal server
* An SSL-enabled Microsoft IIS 6 installation, on Windows 2003 Server or Windows XP or Windows Vista.
  - Working configuration for IIS, with at least one SSL host. Multiple SSL hosts are recommended, on separate IP addresses.
* A licensed PGP Command Line on the same machine as the IIS server.

SETUP:
------
* Copy the script from to the target Windows box.
* Edit the "config" section at the top of the script to match the IP or hostname of the PGP Universal Server, and the username and password used to authenticate to Universal Server.
* Edit the array "HOSTNAMES" in the "config" section at the top of the script to define the hostnames for the certificates per instance. If this is not configured, the script will try to guess the hostname by (in this order) reading it from an unsecured binding, doing a reverse lookup on the IP, and using the server's hostname. It is recommended to always define the hostname in this array.
  The array contains multiple strings in the form "INSTANCENAME:HOSTNAME", where INSTANCENAME is the display name of the instance as shown and defined in the IIS Manager (e.g. "Default Web Site") and HOSTNAME is the desired fully qualified domain name for the certificate.
  Examples:
  one instance:
    HOSTNAMES = array("Default Web Site:www.senderdomain.com")
  two instances:
    HOSTNAMES = array("Default Web Site:www.senderdomain.com","Intranet Site:intranet.senderdomain.com")
  three instances:
    HOSTNAMES = array("Default Web Site:www.senderdomain.com","Intranet Site:intranet.senderdomain.com","Webmail:mail.senderdomain.com")
* Run an authenticated PGP Command Line KMS command and tell it to cache the authentication cookie. E.g.:

    pgp --usp-server 172.16.101.10 --usp-search-mak 'NOT(EQ(NAME,""))' --brief \
        --usp-cache-auth --auth-username usp-user --auth-passphrase passphrase

  The script assumes an authentication cookie exists. If it does not, it will fail with permission errors.
  Also note that the USP server string given on this command has to match the one in the config file; it is not sufficient that they resolve to the same machine.

TESTING/DEMO
------------
* For testing recognition of a valid existing configuration, just run the script (as administrator) on the existing config. If the cert/key are valid, they should be recognized (and, assuming verbose mode, this will be displayed).
* For testing missing keys or certs, remove either the key or the cert from one of the configured hosts. Run the script. A new cert and key should be configured and put in place.
* For testing expired certs, change the date on the IIS host and Universal Server. Run the script, and make sure the certificate gets replaced.
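
The hostname lookup order described under SETUP, as an added example that is not taken from the provisioning script itself. The function name, its parameters and the sample values are hypothetical; it assumes unsecured bindings are given in the IIS 6 "IP:PORT:HOSTHEADER" form, and takes the reverse-lookup result and server name as arguments so it runs offline under cscript.

```vbscript
Option Explicit

' Constructed sample configuration, in the "INSTANCENAME:HOSTNAME" form from the readme.
Dim HOSTNAMES
HOSTNAMES = Array("Default Web Site:www.senderdomain.com", _
                  "Intranet Site:intranet.senderdomain.com")

' Returns Array(hostname, source). All parameters are hypothetical:
'   instanceName  - display name of the site as shown in IIS Manager
'   plainBindings - unsecured bindings as "IP:PORT:HOSTHEADER" strings
'   reverseName   - result of a reverse lookup on the site IP ("" if none)
'   machineName   - the server's own hostname
Function PickCertHostname(instanceName, plainBindings, reverseName, machineName)
    Dim entry, pos, parts, binding
    ' 1. Explicit configuration. Split on the LAST colon: a hostname never
    '    contains one, but an IIS display name may.
    For Each entry In HOSTNAMES
        pos = InStrRev(entry, ":")
        If pos > 1 And pos < Len(entry) Then
            If StrComp(Trim(Left(entry, pos - 1)), instanceName, vbTextCompare) = 0 Then
                PickCertHostname = Array(LCase(Trim(Mid(entry, pos + 1))), "config")
                Exit Function
            End If
        End If
    Next
    ' 2. Host header of an unsecured binding, if one is set.
    For Each binding In plainBindings
        parts = Split(binding, ":")
        If UBound(parts) = 2 Then
            If Len(parts(2)) > 0 Then
                PickCertHostname = Array(LCase(parts(2)), "binding")
                Exit Function
            End If
        End If
    Next
    ' 3. Reverse lookup result, then 4. the server's hostname.
    If Len(reverseName) > 0 Then
        PickCertHostname = Array(LCase(reverseName), "reverse-lookup")
    Else
        PickCertHostname = Array(LCase(machineName), "server-hostname")
    End If
End Function

' Constructed case: "Webmail" is missing from HOSTNAMES and has no host header.
Dim r
r = PickCertHostname("Webmail", Array("172.16.101.20:80:"), "", "IIS01")
WScript.Echo r(0) & " (from " & r(1) & ")"
If r(1) <> "config" Then WScript.Echo "WARNING: hostname was guessed; add it to HOSTNAMES"
```

Reporting the source alongside the name makes a guessed certificate hostname visible before a request is issued for it, which is the reason the readme recommends always defining the hostname in the array.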