I have followed the instructions in SSL with Self Hosted WCF Service. When I am trying to bind the certificate on Windows 7 using netsh as described in How to: Conf
We faced the same error and after long hours, we realized that netsh was not browsing all local machine stores to find the certificate identified by the "certhash" parameter. By default, it searches for the certificate in the "personal" store and only there.
As our certificate was not in the "personal" store but in the "Trusted Root Certification Authorities" store, the problem was solved by adding the "certstorename" parameter in the netsh command:
C:\>netsh http add sslcert ipport=0.0.0.0:8732 certstorename=AuthRoot certhash=...
Another thing to be aware of is that copying and pasting the certificate hash from the MMC console certificate property window may also bring a funny char at the start of the hash. You won't see it because this char is INVISIBLE in the UTF-8 encoding your text editor is likely using!
Netsh does not help, as it just keeps failing with "the parameter is incorrect" without disclosing which parameter ;)
Changing the encoding to ANSI shows the char; delete it and it'll work like a charm.
"Official" (not self-signed) certificates (e.g. from Thawte) are imported in the certificate store: "Trusted Root Certification Authorities".
If no parameter "certstorename=" is passed in the netsh command, netsh takes "MY", which represents the "Private" store.
To bind an official certificate, you have to add:
certstorename=Root
to the netsh command.
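The two checks described in the answers above (strip the invisible character from a pasted hash, then find which local machine store actually holds the certificate) can be scripted before calling netsh. This PowerShell sketch is an added example, not code from the original answers; the function names are hypothetical and the sample hash is a constructed placeholder.

```powershell
# Added example. Get-CleanThumbprint and Find-CertStore are hypothetical helper names.
function Get-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Pasted)
    # Report anything that is not a hex digit or a plain space, such as the
    # invisible mark that can precede a hash copied from the MMC dialog.
    foreach ($ch in $Pasted.ToCharArray()) {
        if ($ch -notmatch '^[0-9A-Fa-f ]$') {
            Write-Warning ('Removed unexpected character U+{0:X4}' -f [int]$ch)
        }
    }
    $hex = ($Pasted -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($hex.Length)."
    }
    return $hex
}

function Find-CertStore {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Walk every LocalMachine store instead of assuming the default (MY).
    Get-ChildItem Cert:\LocalMachine | ForEach-Object {
        $store = $_.Name
        Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Thumbprint } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

# Constructed sample input: U+200E followed by a placeholder hash (not a real certificate).
$pasted = "$([char]0x200E)" + '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33'
$thumb  = Get-CleanThumbprint -Pasted $pasted
$found  = @(Find-CertStore -Thumbprint $thumb)

if ($found.Count -eq 0) {
    Write-Output "Thumbprint $thumb was not found in any LocalMachine store."
} else {
    foreach ($m in $found) {
        # Print the command for review rather than running it; "..." stands for
        # the remaining parameters, which the answer above also elides.
        Write-Output "netsh http add sslcert ipport=0.0.0.0:8732 certstorename=$($m.Store) certhash=$thumb ..."
    }
}
```

Run it from an elevated prompt so that every LocalMachine store is readable, and replace the placeholder with the hash copied from the certificate's property window.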