IIS SSL: How To Powershell Script Client Cert Required

I recently was asked how to script the IIS SSL setting to require client certificates (see figure below) using Powershell.  We needed to automate the setting since it was part of an Azure deployment.  There are other methods of doing this, but since we were using Powershell for everything else, we preferred to keep a consistent approach.


I went off to figure it out and here is what I came up with.  First make sure you enable the IIS cmdlets by running Import System Modules within the Windows PowerShell Modules selection of the Administrative Tools menu:


Once those modules are imported in your Powershell session, you can set the SSL options with the command below (replace the –location argument with your site name):

PS C:\>Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'Default Web Site/CertEnroll' -filter "system.webServer/security/access" -name "sslFlags" -value "Ssl,SslNegotiateCert,SslRequireCert"

Please note that the command above is finicky.  Don't put spaces between the settings quoted in the –value argument (ie NO spaces in here "Ssl,SslNegotiateCert,SslRequireCert").

To get the current setting for the site use the command below:

PS C:\>Get-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'Default Web Site/CertEnroll’ -filter "system.webServer/security/access" -name "sslFlags"


Other links of interest:

How to set up SSL on IIS 7

Specify Whether to Use Client Certificates (IIS 7)

Comments (3)

  1. SeanKnox says:

    I'm in the middle of scripting a deployment and I can clearly see from my manual deployment that Get-WebConfigurationProperty should work using SSLflags however I'm only able to pass numbers to SSLflags, it doesn't accept a string. To get around this I used Set-Webconfiguration instead. Hope this helps someone else.

    Set-WebConfiguration -value "Ssl,SslNegotiateCert,SslRequireCert" -filter "system.webserver/security/access" -location $svcwebsitename

  2. SeanKnox says:

    Actually I figured out the issue its because of the /certenroll, whihc is your virtual directory. When doing a Get-WebConfig using my website/certenroll it works fine but when setting the configuration, I of course need to get rid of the non existent virtual directory. Thank you for your post.

  3. J Provencher says:

    Is there a way to get the setting of SSLFlags remotely?

Skip to main content