Autoenroll isn't the only case where you may have problems here; it is just a form of the generic problem "how do you know precisely which certificate to use for any given site, programmatically?"
Here are the certs, and some properties of them, for example, from my lab Windows 2016 DC, which is also my lab’s enterprise root CA and hosts the certificate autoenrollment HTTPS site. You’ll see there are 2 certs with the same CN - one of them is the LDAP autoenrolled certificate (Template = Domain Controller), and one is the IIS website autoenrolled certificate (Template = modified Web Server (2003+ version)).
So, again, in your line 3: how do I know which cert to use? The advantage of the “netsh http show sslcert” is that I can filter on the IIS binding in question, pull the precise correct thumbprint, and reuse that same thumbprint, without needing to know anything else about the certificate. The problem is that I can’t capture the netsh output.
In a single test so far, @Postanote's method changes the default behavior when a new binding is created, so I'd need to modify that, then delete the old binding, create the new one, and then set the default value back to the original, to preserve security on future websites on the same server.
PS C:\Users\rob-adm> gci cert:\localmachine\my | foreach {
    if ($_.HasPrivateKey) {
        # print the subject, then each EKU friendly name, then every extension
        Write-Host "`n" $_.Subject;
        foreach ($use in $_.EnhancedKeyUsageList) {
            Write-Host $use ;
        };
        foreach ($ext in $_.Extensions) {
            $ext | Select-Object -Property *;
        } ;
    };
}
CN=dc01.test.corp
Server Authentication (1.3.6.1.5.5.7.3.1)
CN=test-DC01-CA, DC=test, DC=corp
CN=dc01.test.corp
Client Authentication (1.3.6.1.5.5.7.3.2)
Server Authentication (1.3.6.1.5.5.7.3.1)
CN=dc01.test.corp, OU=Domain Controllers, O=TEST, L=New York, S=NY, C=US
Server Authentication (1.3.6.1.5.5.7.3.1)
Critical Oid RawData
-------- --- -------
False System.Security.Cryptography.Oid {30, 18, 0, 87...}
False System.Security.Cryptography.Oid {48, 10, 6, 8...}
True System.Security.Cryptography.Oid {3, 2, 5, 160}
False System.Security.Cryptography.Oid {4, 20, 125, 255...}
False System.Security.Cryptography.Oid {48, 18, 130, 16...}
False System.Security.Cryptography.Oid {48, 22, 128, 20...}
False System.Security.Cryptography.Oid {48, 129, 245, 48...}
False System.Security.Cryptography.Oid {48, 130, 1, 4...}
False System.Security.Cryptography.Oid {3, 2, 1, 134}
True System.Security.Cryptography.Oid {48, 3, 1, 1...}
False System.Security.Cryptography.Oid {4, 20, 127, 193...}
False System.Security.Cryptography.Oid {2, 1, 0}
False System.Security.Cryptography.Oid {30, 32, 0, 68...}
False System.Security.Cryptography.Oid {48, 20, 6, 8...}
True System.Security.Cryptography.Oid {3, 2, 5, 160}
False System.Security.Cryptography.Oid {48, 105, 48, 14...}
False System.Security.Cryptography.Oid {4, 20, 186, 80...}
False System.Security.Cryptography.Oid {48, 22, 128, 20...}
False System.Security.Cryptography.Oid {48, 129, 245, 48...}
False System.Security.Cryptography.Oid {48, 130, 1, 4...}
False System.Security.Cryptography.Oid {48, 51, 160, 31...}
True System.Security.Cryptography.Oid {3, 2, 5, 160}
False System.Security.Cryptography.Oid {48, 10, 6, 8...}
False System.Security.Cryptography.Oid {48, 105, 48, 14...}
False System.Security.Cryptography.Oid {30, 18, 0, 87...}
False System.Security.Cryptography.Oid {4, 20, 7, 227...}
False System.Security.Cryptography.Oid {48, 22, 128, 20...}
False System.Security.Cryptography.Oid {48, 129, 245, 48...}
False System.Security.Cryptography.Oid {48, 130, 1, 4...}
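One way to tell the two same-CN certificates apart from the store itself, without going through `netsh`: filter on the Server Authentication EKU and then read the certificate template extension, which is what distinguishes the Domain Controller certificate from the Web Server one in the listing above. This is an added example, not code from the post or its thread; the hostname `dc01.test.corp` is the lab DC from the post, and the template name passed on the usage line is an assumption you must replace with the name your CA actually uses. The template OIDs `1.3.6.1.4.1.311.20.2` (v1 "Certificate Template Name") and `1.3.6.1.4.1.311.21.7` (v2 "Certificate Template Information") are the standard Microsoft extension OIDs.

```powershell
# Added example: pick the server-auth certificate for a hostname by subject/SAN,
# EKU and issuing template, so the LDAP (Domain Controller) cert and the IIS
# (Web Server) cert that share a CN can be selected deterministically.
function Get-ServerAuthCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$TemplateName   # optional: only return certs issued from this template
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'      # Server Authentication EKU (as in the post's output)
    $templateV1Oid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)
    $templateV2Oid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)

    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
        ($_.Subject -match "CN=$([regex]::Escape($HostName))(,|$)" -or
         $_.DnsNameList.Unicode -contains $HostName)
    } | ForEach-Object {
        $cert = $_
        # Decode the template extension to text; v1 carries the bare template name,
        # v2 carries "Template=<name>(<oid>)" plus version numbers.
        $template = ($cert.Extensions |
            Where-Object { $_.Oid.Value -in @($templateV1Oid, $templateV2Oid) } |
            ForEach-Object { $_.Format($false) }) -join '; '

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Template   = $template
        }
    } | Where-Object {
        -not $TemplateName -or $_.Template -match [regex]::Escape($TemplateName)
    } | Sort-Object NotAfter -Descending
}

# Usage (template name is an assumption; use the name shown in your CA's template list).
# Selecting the newest match gives one thumbprint to feed to the IIS binding.
$iisCert = Get-ServerAuthCertificate -HostName 'dc01.test.corp' -TemplateName 'Web Server' |
    Select-Object -First 1
$iisCert | Format-List Subject, Thumbprint, NotAfter, Template
```

If the goal is only to reuse whatever thumbprint an existing binding already has, the `WebAdministration` module exposes the same data as `netsh http show sslcert` as objects: `Get-ChildItem IIS:\SslBindings` returns items with `IPAddress`, `Port`, `Thumbprint` and `Sites` properties, so the thumbprint can be captured and compared against the store without parsing text. Either way, pin the choice to the EKU plus the template rather than to the CN alone, since the CN is exactly the field the two certificates share.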