There are cases when you install WebApps where the user is asked to select an SSL certificate during installation, with that certificate being used by the IIS elements.
Although Advanced Installer has predefined support for this, in case you also want to preserve the SSL certificate for the website during an upgrade, this is not possible. Using the predefined support you would have to always ask the user for the SSL certificate.
In order to avoid asking the user for the certificate, you can implement a custom action that, during a first time install, will configure the website with the certificate selected by the user.
On upgrade, there will be another custom action that will get the certificate that was assigned for the website and use it when installing the upgraded package.
During an upgrade, the website installed by the old version will be removed and reinstalled by the new version.
1) Create the dialog where the user will have to enter the IIS elements:
To allow the user to select the SSL certificate during installation, please take a look at the How to select an external file during the installation article.
2) Create the IIS Website in IIS page. The website name can be configured during installation.
No other change was made for the website, the default values were kept.
3) Add the custom action that will configure the website for the first time install
For this, I've used the predefined Execute inline powershell script, configured as follows:
and has the following code:
# Block for declaring the script parameters.
Param($siteName, $certPath, $CertificatePassword)
# Your code goes here.
#convert pass to secure
$sSecStrPassword = ConvertTo-SecureString -String $CertificatePassword -Force -AsPlainText
$certThumbprint = (Import-PfxCertificate -FilePath $certPath -Password $sSecStrPassword -CertStoreLocation Cert:\LocalMachine\My).Thumbprint
# Create HTTPS binding
New-WebBinding -name "$siteName" -Protocol "https" -HostHeader "www.DemoWebsiteSSL.com" -Port 445 -SslFlags 1
# Attach certificate to HTTPS binding
$guid = [guid]::NewGuid().ToString("B")
netsh http add sslcert hostnameport="www.DemoWebsiteSSL.com:445" certhash="$certThumbprint" certstorename=My appid="$guid"
4.1) During an upgrade, you need to get the Thumbprint of the certificate that was used for the website:
with the following code:
# Block for declaring the script parameters.
Param()
# Your code goes here.
# on upgrade, read the website name from the MSI property
$websiteName = AI_GetMsiProperty WEBSITE_NAME
# on upgrade, get certHash since cert is already installed
$certThumbprint = (Get-WebBinding -Name "$websiteName" | ? { $_.Protocol -eq "https" }).certificateHash
AI_SetMsiProperty CERT_THUMBPRINT $certThumbprint
4.2) Add a custom action that will bind the certificate to the upgraded website:
that has the following code:
# Block for declaring the script parameters.
Param($certThumbprint, $siteName)
# Your code goes here.
# Create HTTPS binding
New-WebBinding -name "$siteName" -Protocol "https" -HostHeader "www.DemoWebsiteSSL.com" -Port 445 -SslFlags 1
# Attach certificate to HTTPS binding
$guid = [guid]::NewGuid().ToString("B")
netsh http add sslcert hostnameport="www.DemoWebsiteSSL.com:445" certhash="$certThumbprint" certstorename=My appid="$guid"
5) The action that configures the IIS elements runs last in the install sequence, so you need to go in the Table Editor and make sure the PowerShell custom actions are running after it:
Since the user will not need to select the certificate on upgrade, the dialog can be hidden with a "show only if" event, where the condition is NOT OLDPRODUCTS.
6) Since any operation on IIS requires admin privileges, you will have to enable the run as admin option in the Install Parameters.
If this option is not selected, the custom action that will retrieve the Thumbprint of the certificate that was used during the first time installation will fail.
7) Also, the property that is attached for the website needs to be persistent:
I've attached a sample project that has all the above configured, so you are more than welcome to download the zip file. Also, I've attached a test SSL certificate (password is caphyon).
Another solution for this problem is presented in the Prevent IIS elements from being removed during upgrade article, where the IIS elements are prevented from being removed by conditioning the execution of the actions that handle IIS elements.
Looking forward to hearing from you.
Best regards,
Dan
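The upgrade path in steps 4.1 and 4.2 reuses whatever thumbprint the old HTTPS binding reports, so the following is an added example (not part of the original post or the attached sample project) of checking that value before it is passed to `netsh http add sslcert`. The function name `Test-BindingCertificate` and the `MinDaysValid` parameter are hypothetical; the store path is the one the post's scripts use.

```powershell
# Added example: validate a thumbprint read from the old HTTPS binding before reusing it.
function Test-BindingCertificate {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My',  # store used by the post's scripts
        [int]$MinDaysValid = 0                          # assumption: set by your own policy
    )
    $result = [ordered]@{ Thumbprint = $Thumbprint; Usable = $false; Reason = '' }

    # A SHA-1 thumbprint is 40 hex characters. An empty value means the old site
    # had no HTTPS binding, so there is nothing to carry over.
    if ($Thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
        $result.Reason = 'Value is empty or not a 40-character hex thumbprint'
        return [pscustomobject]$result
    }

    # The binding only stores the hash; the certificate itself must still be in the store.
    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1

    $now = Get-Date
    if (-not $cert) {
        $result.Reason = "Certificate not present in $StorePath"
    } elseif (-not $cert.HasPrivateKey) {
        $result.Reason = 'Certificate has no private key, so it cannot serve HTTPS'
    } elseif ($cert.NotBefore -gt $now) {
        $result.Reason = "Certificate is not valid before $($cert.NotBefore.ToString('u'))"
    } elseif ($cert.NotAfter -lt $now.AddDays($MinDaysValid)) {
        $result.Reason = "Certificate expires $($cert.NotAfter.ToString('u'))"
    } else {
        $result.Usable = $true
        $result.Reason = "Valid until $($cert.NotAfter.ToString('u'))"
    }
    return [pscustomobject]$result
}

# Constructed sample inputs: empty, malformed, and a well-formed thumbprint
# that is not expected to exist in the store.
foreach ($sample in @('', 'not-a-thumbprint', ('0' * 40))) {
    Test-BindingCertificate -Thumbprint $sample | Format-List
}
```

Run it elevated, as in step 6, since it reads the LocalMachine store; a result with `Usable` set to `$false` is the point at which to fall back to asking the user for a certificate.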