This script, written in VBScript, will automatically provision a Microsoft IIS 6 web server hosting secure websites with the required SSL/TLS certificates.
If a certificate does not exist or is about to expire, the script will request a new certificate from PGP Universal Server for every website configured.
PGP Command Line Version required (min): 10.0.0
PGP Universal Server Version required (min): 3.0.0
Script language: VBScript
Developed for platform: Windows 2003 Server
Platforms the script will work on: Windows XP, Windows Vista, Windows 2003 Server
Notes:
This script is only for use with Microsoft Internet Information Server (IIS) 6. It will not work with Microsoft IIS 7 running on Windows 2008 Server.
The websites that should be managed need to be defined by name in the script's configuration section. Please see the readme for details.
Readme:
REQUIREMENTS:
-------------
* A reachable Universal server
* An SSL-enabled Microsoft IIS 6 installation, on Windows 2003 Server or
Windows XP or Windows Vista.
- Working configuration for IIS, with at least one SSL
host. Multiple SSL hosts are recommended, on separate IP
addresses.
* A licensed PGP Command Line on the same machine as the IIS server.
SETUP:
------
* Copy the script to the target Windows box.
* Edit the "config" section at the top of the script to match the IP
or hostname of the PGP Universal Server and the username and password
used to authenticate to the Universal Server.
* Edit the array "HOSTNAMES" in the "config" section at the top of the script
to define the hostnames for the certificates per instance. If this is not
configured, the script will try to guess the hostname by (in this
order) reading it from an unsecured binding, doing a reverse lookup on the IP,
and using the server's hostname. It is recommended to always define the hostname
in this array. The array contains multiple strings in the form
"INSTANCENAME:HOSTNAME", where INSTANCENAME is the display name of the instance
as shown and defined in the IIS Manager (e.g. "Default Web Site") and HOSTNAME
is the desired fully qualified domain name for the certificate. Examples:
one instance:
HOSTNAMES = array("Default Web Site:www.senderdomain.com")
two instances:
HOSTNAMES = array("Default Web Site:www.senderdomain.com","Intranet Site:intranet.senderdomain.com")
three instances:
HOSTNAMES = array("Default Web Site:www.senderdomain.com","Intranet Site:intranet.senderdomain.com","Webmail:mail.senderdomain.com")
* Run an authenticated PGP Command Line KMS command and tell it to
cache the authentication cookie, e.g.:
pgp --usp-server 172.16.101.10 --usp-search-mak 'NOT(EQ(NAME,""))' --brief \
--usp-cache-auth --auth-username usp-user --auth-passphrase passphrase
The script assumes an authentication cookie exists. If it does not,
it will fail with permission errors. Also note that the USP server string
given on this command has to match the one in the script's "config" section; it is
not sufficient that they resolve to the same machine.
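The hostname lookup described above (HOSTNAMES entry first, then unsecured binding, reverse lookup, server name), as an added VBScript example that is not part of the original script. It assumes the IIS 6 ADSI provider (IIS://localhost/W3SVC, ServerComment, ServerBindings) and uses WMI Win32_PingStatus for the reverse lookup; the HOSTNAMES values are the readme's sample entries.

```vbscript
Option Explicit
' Added example, not the original provisioning script. Resolves each IIS 6 site's
' certificate hostname in the readme's order: HOSTNAMES, unsecured binding, reverse DNS, server name.
Dim HOSTNAMES, cfg, site   ' HOSTNAMES uses the readme's form "INSTANCENAME:HOSTNAME"
HOSTNAMES = Array("Default Web Site:www.senderdomain.com", "Intranet Site:intranet.senderdomain.com")
' Case-insensitive dictionary keyed by IIS display name; split on the LAST colon, since a hostname never contains one.
Function ParseHostnames(entries)
    Dim dict, entry, pos
    Set dict = CreateObject("Scripting.Dictionary")
    dict.CompareMode = vbTextCompare
    For Each entry In entries
        pos = InStrRev(entry, ":")
        If pos > 1 And pos < Len(entry) Then
            dict(Trim(Left(entry, pos - 1))) = Trim(Mid(entry, pos + 1))
        Else
            WScript.Echo "WARNING: ignoring malformed HOSTNAMES entry: " & entry
        End If
    Next
    Set ParseHostnames = dict
End Function
' Reverse lookup via WMI (assumption: Win32_PingStatus with ResolveAddressNames returns the name in ProtocolAddressResolved).
Function ReverseLookup(ip)
    Dim ping
    For Each ping In GetObject("winmgmts:\\.\root\cimv2").ExecQuery( _
            "SELECT * FROM Win32_PingStatus WHERE Address='" & ip & "' AND ResolveAddressNames=TRUE")
        If Not IsNull(ping.ProtocolAddressResolved) Then ReverseLookup = ping.ProtocolAddressResolved
    Next
End Function
' site is an IIsWebServer object; each ServerBindings entry is "IP:Port:HostHeader" (the unsecured HTTP bindings).
Function ResolveHostname(dict, site)
    Dim binding, parts, ip, host
    ip = "": host = ""
    If dict.Exists(site.ServerComment) Then
        host = dict(site.ServerComment)
    Else
        For Each binding In site.ServerBindings
            parts = Split(binding, ":")
            If UBound(parts) >= 2 And host = "" Then host = parts(2)   ' host header, if any
            If ip = "" Then ip = parts(0)                               ' first bound IP, if any
        Next
        If host = "" And ip <> "" Then host = ReverseLookup(ip)
        If host = "" Then host = CreateObject("WScript.Network").ComputerName
    End If
    ResolveHostname = host
End Function
Set cfg = ParseHostnames(HOSTNAMES)
For Each site In GetObject("IIS://localhost/W3SVC")
    If site.Class = "IIsWebServer" Then WScript.Echo site.ServerComment & " -> " & ResolveHostname(cfg, site)
Next
```

Run it with cscript as an administrator on the IIS 6 host; a site that falls through to reverse DNS or the computer name is one that should get an explicit HOSTNAMES entry.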
TESTING/DEMO
------------
* For testing recognition of a valid existing configuration, just run
the script (as administrator) on the existing config. If the cert/key are
valid, they should be recognized (and assuming verbose mode, it will
be displayed).
* For testing missing keys or certs, remove either the key or the certificate from one of the
configured hosts. Run the script. A new cert and key should be configured
and put in place.
* For testing expired certs, change the date on the IIS host and Universal Server.
Run the script, and make sure the certificate gets replaced.