
Certificate provisioning for Microsoft IIS 6 webservers

Created: 08 Apr 2011 • Updated: 11 Apr 2011
Author: Andreas Zengel

This script, written in VBScript, automatically provisions a Microsoft IIS 6 web server hosting secure websites with the SSL/TLS certificates it needs.

If a certificate does not exist or is about to expire, the script requests a new certificate from PGP Universal Server for every website configured.
PGP Command Line Version required (min): 10.0.0
PGP Universal Server Version required (min): 3.0.0
Script language: VBScript
Developed for platform: Windows 2003 Server
Platforms the script will work on: Windows XP, Windows Vista, Windows 2003 Server
This script is only for use with Microsoft Internet Information Server (IIS) 6. It will not work with Microsoft IIS 7 running on Windows 2008 Server.
The websites that should be managed need to be defined by name in the script's configuration section. Please see the readme for details.

* A reachable Universal server
* An SSL-enabled Microsoft IIS 6 installation, on Windows 2003 Server or
  Windows XP or Windows Vista.
  - Working configuration for IIS, with at least one SSL
    host. Multiple SSL hosts are recommended, each on a separate IP address.
* A licensed PGP Command Line on the same machine as the IIS server.
* Copy the script to the target Windows box.
* Edit the "config" section at the top of the script to match the IP
  or hostname of the PGP Universal Server, and the username and password
  used to authenticate to the Universal Server.
* Edit the array "HOSTNAMES" in the "config" section at the top of the script
  to define the hostnames for the certificates per instance. If this is not
  configured, the script will try to guess the hostname by (in this
  order) reading it from an unsecured binding, doing a reverse lookup on the IP,
  and finally using the server's hostname. It is recommended to always define the
  hostname in this array. The array contains multiple strings in the form
  "INSTANCENAME:HOSTNAME", where INSTANCENAME is the display name of the instance
  as shown and defined in the IIS Manager (e.g. "Default Web Site") and HOSTNAME
  is the desired fully qualified domain name for the certificate. Examples:
  one instance:
    HOSTNAMES   = array("Default Web")
  two instances:
    HOSTNAMES   = array("Default Web","Intranet")
  three instances:
    HOSTNAMES   = array("Default Web","Intranet","")
* Run an authenticated PGP Command Line KMS command and tell it to
  cache the authentication cookie, for example:
  pgp --usp-server --usp-search-mak 'NOT(EQ(NAME,""))' --brief \
       --usp-cache-auth --auth-username usp-user --auth-passphrase passphrase

  The script assumes an authentication cookie exists. If it does not,
  it will fail with permission errors. Also note that the USP server string
  given on this command has to match the one in the config file; it is
  not sufficient that they resolve to the same machine.
* For testing recognition of a valid existing configuration, just run
  the script (as administrator) on the existing config. If the cert/key are
  valid, they should be recognized (and assuming verbose mode, it will
  be displayed).
* For testing missing keys or certs, remove either the key or the certificate
  from one of the configured hosts. Run the script. A new cert and key should be
  configured and put in place.
* For testing expired certs, change the date on the IIS host and Universal Server.
  Run the script, and make sure the certificate gets replaced.
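The decision logic the steps above describe (map each IIS instance to a hostname from the HOSTNAMES array in the "INSTANCENAME:HOSTNAME" form, fall back in the documented order when an instance is not configured, and request a new certificate only when none exists or expiry is close) can be shown in a few lines. The following is an added example written in Python, not the VBScript from the original page: the site records, the reverse-lookup table, the server hostname and the 30-day renewal window are all constructed assumptions, standing in for what the real script would read from the IIS 6 metabase, DNS and the certificate store.

```python
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Constructed HOSTNAMES entries in the documented "INSTANCENAME:HOSTNAME" form.
HOSTNAMES: List[str] = [
    "Default Web Site:www.example.com",
    "Intranet:intranet.example.com",
    "",  # an empty entry, as in the page's three-instance example, is ignored
]

# Assumption: a certificate expiring within this many days counts as "about to expire".
RENEW_BEFORE_DAYS = 30


def parse_hostnames(entries: List[str]) -> Dict[str, str]:
    """Turn the HOSTNAMES array into {instance display name: FQDN}."""
    mapping: Dict[str, str] = {}
    for entry in entries:
        if not entry.strip():
            continue
        instance, sep, host = entry.partition(":")
        if not sep or not host.strip():
            raise ValueError(f"HOSTNAMES entry {entry!r} is not INSTANCENAME:HOSTNAME")
        mapping[instance.strip()] = host.strip()
    return mapping


def resolve_hostname(
    instance: str,
    unsecured_host_header: str,
    ip: str,
    configured: Dict[str, str],
    reverse_lookup: Callable[[str], Optional[str]],
    server_hostname: str,
) -> Tuple[str, str]:
    """Return (hostname, source) using the page's order: config, unsecured binding,
    reverse DNS on the IP, then the server's own hostname."""
    if instance in configured:
        return configured[instance], "config"
    if unsecured_host_header:
        return unsecured_host_header, "unsecured-binding"
    reverse = reverse_lookup(ip) if ip else None
    if reverse:
        return reverse, "reverse-dns"
    return server_hostname, "server-hostname"


def needs_renewal(not_after: Optional[date], today: date,
                  renew_before_days: int = RENEW_BEFORE_DAYS) -> bool:
    """True when no certificate is installed or it expires within the window."""
    if not_after is None:
        return True
    return not_after - today <= timedelta(days=renew_before_days)


# Constructed stand-ins for what the IIS 6 metabase and cert store would report.
SITES = [
    {"instance": "Default Web Site", "unsecured_host": "", "ip": "192.0.2.10",
     "not_after": date(2011, 5, 1)},
    {"instance": "Intranet", "unsecured_host": "intranet", "ip": "192.0.2.11",
     "not_after": None},
    {"instance": "Extranet", "unsecured_host": "", "ip": "192.0.2.12",
     "not_after": date(2012, 1, 1)},
    {"instance": "Legacy", "unsecured_host": "", "ip": "192.0.2.13",
     "not_after": date(2011, 4, 20)},
]

# Constructed reverse-DNS table; the real script would query DNS.
REVERSE_DNS = {"192.0.2.12": "extranet.example.com"}


def plan(sites, hostnames, today: date, reverse_lookup, server_hostname: str):
    """For each site, decide the certificate hostname and whether to request a cert."""
    configured = parse_hostnames(hostnames)
    actions = []
    for s in sites:
        host, source = resolve_hostname(s["instance"], s["unsecured_host"], s["ip"],
                                        configured, reverse_lookup, server_hostname)
        action = "request" if needs_renewal(s["not_after"], today) else "keep"
        actions.append((s["instance"], host, source, action))
    return actions


if __name__ == "__main__":
    for row in plan(SITES, HOSTNAMES, date(2011, 4, 8), REVERSE_DNS.get, "iis01.example.com"):
        print(row)
```

Instances that fall through to reverse DNS or the server hostname are the ones the page recommends against: the resulting certificate name is whatever the resolver or the machine name happens to say, so listing every managed instance in HOSTNAMES is what keeps the issued names predictable.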