The command line tool Http(s) Service Deployment Helper (HttpSDH) is designed to simplify the deployment of HTTP/HTTPS services. At the same time it makes deploying an HTTPS service feel much like deploying a service that uses certificate-based WCF message security: the certificate is named in the config file and the tool does the rest.
The HttpSDH tool works on the config file of the application. It parses the config to gather the HTTP/HTTPS endpoints and then performs whichever of the three tasks listed below were requested on the command line.
1. Register the server certificate, with the right parameters, as an SSL binding in HTTP.SYS.
2. Make a namespace (URL prefix) reservation in HTTP.SYS so that the user account under which the server process will run is allowed to listen on it.
3. Change the ACL on the private key file of the server certificate to give that user read access.
To bring a similar experience to that of message security, the tool also looks at the service behavior referenced by the service for server certificate lookup information (the serviceCredentials/serviceCertificate element) and honors it if found.
The rationale behind building and using such a tool is that deploying a WCF service over the HTTP/HTTPS transport often requires the three tasks listed above, and they are more difficult than one might expect. If you want to deploy a self-hosted WCF HTTPS service, you must do the first task. If your service needs to run as a non-administrative user, or to run on Vista with UAC, you will also have to do the other two. The HttpSDH tool can do all three tasks and can be called from a deployment script, eliminating the need for manual configuration.
Note that the config file must contain base addresses or absolute endpoint addresses for this tool to work; relative endpoint addresses alone give it nothing to register or reserve.
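The following PowerShell script is an added example and is not part of HttpSDH. It shows the three tasks done by hand with netsh and icacls, driven from the same pieces of a WCF config that the tool reads (a base address and the serviceCertificate behavior). The config, service name, account, thumbprint and application GUID are constructed placeholders; run it from an elevated prompt, since both the HTTP.SYS changes and the MachineKeys ACL change require administrator rights.

```powershell
# Added example, not part of HttpSDH: the three deployment tasks done by hand
# with netsh and icacls, driven from the pieces of a WCF config the tool reads.
# Run from an elevated prompt. Service name, account, thumbprint and GUID are
# constructed placeholders.

# Constructed config: a base address (relative endpoint addresses alone give
# nothing to register) and the serviceCertificate behavior naming the cert.
[xml]$config = @"
<configuration>
  <system.serviceModel>
    <services>
      <service name="Contoso.OrderService" behaviorConfiguration="SecureBehavior">
        <host>
          <baseAddresses>
            <add baseAddress="https://localhost:8443/Orders/" />
          </baseAddresses>
        </host>
        <endpoint address="" binding="wsHttpBinding"
                  bindingConfiguration="TransportOnly" contract="Contoso.IOrderService" />
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="TransportOnly"><security mode="Transport" /></binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="SecureBehavior">
          <serviceCredentials>
            <serviceCertificate findValue="0123456789ABCDEF0123456789ABCDEF01234567"
                                storeLocation="LocalMachine" storeName="My"
                                x509FindType="FindByThumbprint" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
"@

$serviceUser = 'FooDomain\BarUser'                       # account the service runs as (placeholder)
$appId       = '{1d3e4c5a-0000-4000-8000-000000000001}'  # any GUID identifying the owning app (placeholder)

# Gather what HttpSDH gathers: the base address and the certificate that the
# service's behavior points at.
$sm         = $config.configuration.'system.serviceModel'
$service    = $sm.services.service
$baseUri    = [Uri]$service.host.baseAddresses.add.baseAddress
$behavior   = $sm.behaviors.serviceBehaviors.behavior |
              Where-Object { $_.name -eq $service.behaviorConfiguration }
$thumbprint = $behavior.serviceCredentials.serviceCertificate.findValue

# HTTP.SYS keys namespace reservations by URL prefix ('+' = any host name)
# and SSL bindings by IP:port.
$urlPrefix = '{0}://+:{1}{2}' -f $baseUri.Scheme, $baseUri.Port, $baseUri.AbsolutePath
$ipPort    = '0.0.0.0:{0}' -f $baseUri.Port

# Task 1 (/RegCert): bind the server certificate to the port.
netsh http add sslcert "ipport=$ipPort" "certhash=$thumbprint" "appid=$appId"

# Task 2 (/ResNS): reserve the namespace for the service account. The user= form
# grants listen only (GX); an SDDL such as D:(A;;GA;;;NS) grants listen and
# delegate (GA) to NETWORK SERVICE instead.
netsh http add urlacl "url=$urlPrefix" "user=$serviceUser"

# Task 3 (/ChangeACL): read access on the private key file. For CAPI (CSP) keys
# the container is a file under MachineKeys; CNG keys live elsewhere and are
# not handled here.
$cert    = Get-Item "Cert:\LocalMachine\My\$thumbprint"
$keyFile = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyDir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
icacls (Join-Path $keyDir $keyFile) /grant "${serviceUser}:R"

# Verify that both HTTP.SYS entries now exist. Undo with 'netsh http delete sslcert'
# and 'netsh http delete urlacl' (what /UnregCert and /UnresNS do).
netsh http show sslcert "ipport=$ipPort"
netsh http show urlacl "url=$urlPrefix"
```

The script grants only read (R) on the key file and only listen rights on the URL prefix, which is all a service needs to accept HTTPS connections; grant delegate rights (GA) only when the service really forwards requests to another HTTP.SYS application.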
Here is the usage of this tool:
HttpSDH <ConfigFileName> [options]+
/RegCert: add the SSL server certificate binding at HTTP.SYS; the default server certificate is the one specified in the behavior/serviceCredentials referenced by the endpoint.
/UseMachineCert: pick a good machine certificate (i.e. certificates in LocalMachine/My store whose CN matches the FQDN of machine), used with /RegCert
/CertThumbprint <Thumbprint>: specify the thumbprint of the certificate (in LocalMachine/My store), used with /RegCert
/ChangeACL: change the ACL of the certificate's private key file to grant read access to the user(s) given with /UserNames, or to add the DACL given with /SDDL; used with /RegCert
/ResNS: make namespace reservation at HTTP.SYS
/UserNames <name>: a list of Windows accounts to reserve the namespace for, separated by comma or semicolon, used with /ResNS
/SDDL <SDStringRepresentation>: the security descriptor string (SDDL) to reserve the namespace with, used with /ResNS; if neither /UserNames nor /SDDL is given, the reservation defaults to allowing Authenticated Users
/UnregCert: delete the SSL server certificate binding from HTTP.SYS
/UnresNS: delete the namespace reservation from HTTP.SYS
/Force: overwrite the existing SSL server certificate binding or namespace reservation
Sample usage:
HttpSDH <ConfigFile> /RegCert /ResNS
- Register the certificate specified in the config file
- Reserve namespace for Authenticated Users
HttpSDH <ConfigFile> /RegCert /UseMachineCert /ChangeACL /ResNS /UserNames FooDomain\BarUser /Force
- Register a valid machine certificate
- Change the ACL of the private key file of the certificate to allow FooDomain\BarUser to read it
- Reserve namespace for FooDomain\BarUser
- Delete the existing registration or reservation if it exists
HttpSDH <ConfigFile> /RegCert /ChangeACL /ResNS /SDDL D:(A;;GA;;;NS) /Force
- Register the certificate specified in the config file
- Change the ACL of the private key file of the certificate to allow Network Service to read it (NS is the SDDL abbreviation for NETWORK SERVICE)
- Reserve namespace for Network Service (GA grants listen and delegate rights; GX would grant listen only)
- Delete the existing registration or reservation if it exists
HttpSDH <ConfigFile> /UnregCert /UnresNS
- Delete the certificate registration
- Delete the namespace reservation
Update (on 10/11/06):
- Fixed bugs in setting the SDDL for namespace reservation
- Added a new flag /Verbose to print out the work progress
Update (on 04/06/07):
- Fixed bugs with MEX bindings