Following the instructions on "How to: Configure a Port with an SSL Certificate" in this link: http://msdn.microsoft.com/en-us/library/ms733791.aspx, I entered this comman
I faced this problem several times and every time it had a different cause, so I decided to write the causes and exact command that worked for me.
Here are some causes:
1- Copying and pasting the certificate thumbprint from the Windows dialog adds a hidden character to your hash. It is not visible in text editors but you need to remove the character to make it work.
2- SSL thumbprint should be available in Personal -> Certificates to work with localhost.
3- It should be 'ipport=' not 'ipport:'
4- SSL certificate should have a private key. If you are using certificate management console, make sure that it has a little key icon on the certificate view.
5- GUID should be defined in full format: {a10b0420-a21f-45de-a1f8-818b5001145a}, and it should have single quotes in PowerShell: '{a10b0420-a21f-45de-a1f8-818b5001145a}'. Thus, the PowerShell format is different from the command line.
6- SSL Cert should have complete characters with all padding '0's and without any space. You may copy thumbprint (be careful to remove special hidden character) and remove spaces, or use 'netsh http show sslcert' to get the value if the certificate is already registered for another address.
What worked for me:
Here is the exact command that worked for me in PowerShell:
netsh http add sslcert ipport=0.0.0.0:20001 certhash=5304c034548b27c72b5e9c14f0c7bdd13e52d760 appid='{a10b0420-a21f-45de-a1f8-818b5001145a}'
And here is the command line statement:
netsh http add sslcert ipport=0.0.0.0:20001 certhash=5304c034548b27c72b5e9c14f0c7bdd13e52d760 appid={a10b0420-a21f-45de-a1f8-818b5001145a}
More commands to help you avoid related problems:
Use the following command to see the currently registered certificates. You may find and reuse the certhash or your appid from there:
netsh http show sslcert
If the certificate is already registered with a similar IP and port, you need to remove it. I found it causes problems with localhost, 127.0.0.1 and 0.0.0.0. You need to have only 0.0.0.0 registered in your testing environment. Use the following command to remove potentially corrupted certificates:
netsh http delete sslcert ipport=0.0.0.0:20001
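The checks listed in the answer above (hidden character, spaces, 40-character thumbprint, certificate in Personal, private key), collected into one pre-flight script. This is an added example, not part of the original post; the function name `Add-CheckedSslCert`, the `Cert:\LocalMachine\My` store path and the use of U+200E as the invisible character in the sample are assumptions.

```powershell
# Added example: validate inputs before calling `netsh http add sslcert`.
# Add-CheckedSslCert is a hypothetical helper name, not a built-in cmdlet.
function Add-CheckedSslCert {
    param(
        [Parameter(Mandatory)][string]$RawThumbprint,
        [Parameter(Mandatory)][string]$IpPort,   # e.g. 0.0.0.0:20001
        [Parameter(Mandatory)][guid]$AppId       # [guid] rejects malformed GUIDs
    )

    # Drop everything that is not a hex digit: spaces and any invisible
    # character picked up when copying from the certificate dialog.
    $thumb = ($RawThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($thumb.Length -ne 40) {
        throw "Thumbprint must be 40 hex characters, got $($thumb.Length). " +
              "A serial number or a value with missing leading zeros will fail."
    }

    # Assumption: the certificate lives in the local machine Personal store.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
    if (-not $cert) {
        throw "No certificate with thumbprint $thumb in Cert:\LocalMachine\My."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $thumb has no private key and cannot be bound."
    }

    # Show any existing binding for this endpoint so a stale one can be deleted first.
    & netsh http show sslcert "ipport=$IpPort"

    # Quoting each argument passes the braces to netsh unchanged from PowerShell.
    & netsh http add sslcert "ipport=$IpPort" "certhash=$thumb" "appid=$($AppId.ToString('B'))"
    if ($LASTEXITCODE -ne 0) {
        throw "netsh exited with code $LASTEXITCODE."
    }
}

# Constructed sample input: the thumbprint from the answer above, spaced out,
# with an invisible character (U+200E, assumed) prepended as a copy would do.
$pasted = "$([char]0x200E)53 04 c0 34 54 8b 27 c7 2b 5e 9c 14 f0 c7 bd d1 3e 52 d7 60"

Add-CheckedSslCert -RawThumbprint $pasted -IpPort '0.0.0.0:20001' `
    -AppId 'a10b0420-a21f-45de-a1f8-818b5001145a'
```

Run it from an elevated PowerShell session; on a machine that does not hold this certificate it stops at the store lookup, before netsh is called.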
Another possible cause for this problem is hidden characters being copied from the Certificate Manager page. If you copy the thumbprint from the details window in Certificates, check for a hidden character at the start (use your arrow keys!). This was the cause for me of the "The Parameter is Incorrect" error message.
I was getting this error as well when I was just getting started with http.sys. After I ran:
netsh http add iplisten ipaddress=0.0.0.0
then the netsh http add sslcert commands started behaving properly.
Using the Serial number instead of the Thumbprint for the certhash parameter will cause this error because of the difference in the number of characters. Padding with 0s will change the error to SSL Certificate add failed, Error: 1312.
In PowerShell just type as follows. First get into netsh http mode and then add sslcert. It worked for me.
>netsh
netsh>http
netsh http>add sslcert ipport=0.0.0.0:13286 appid='{a5455c78-6489-4e13-b395-47fbdee0e7e6}' certhash=<thumbprint without space>
In my case the problem was that, following the Microsoft instructions, I copied the thumbprint from the SSL window. The thing is that doing so copies a non-printable character at the beginning of the hash.
Try to paste the thumbprint into Notepad and then press Home and press Delete twice (until the first char from the thumbprint is deleted) and then re-add the char. You can see the char if you copy the thumbprint and paste it into cmd: