Using SSL on Windows
Using SSL with Watson on Windows requires that the certificate be installed in the Windows Certificate Manager MMC snap-in, because Watson listens through HTTP.sys, which only serves TLS for certificates bound at the system level with netsh. It is easiest to use IIS to generate your CSR, and then, once you have your certificate and private key, import both into the Computer Account certificate store (Certificates (Local Computer) > Personal).
You MUST use certificates installed in the Computer account and not the User account. HTTP.sys runs as a kernel-mode service and cannot read a certificate or private key stored in a user profile.
Once the certificate has been imported, double click the certificate (from within MMC) and go to the 'Details' tab to retrieve the certificate thumbprint, which is the SHA-1 hash of the certificate shown as 40 hexadecimal characters.
Copy this value and paste it into Notepad.
When copying from the Certificate Manager window into Notepad, an invisible character (typically the Unicode left-to-right mark, U+200E) is often pasted at the start of the value and will cause netsh to fail with "The parameter is incorrect". Be sure to delete the first character in Notepad, backspace to the beginning of the line, and re-type the first character. Remove all spaces in the thumbprint so that only the 40 hex characters remain.
Next, you will need to use the netsh command, from an elevated (Administrator) Command Prompt, to associate the certificate with the IP address and port on which Watson is listening:
C:\> netsh http add sslcert ipport="192.168.1.10:443" certhash=<thumbprint> appid="{00000000-0000-0000-0000-000000000000}" certstore=My
Replace 192.168.1.10:443 with the IP and port you are using (0.0.0.0:443 binds the certificate on all IPv4 addresses), and replace <thumbprint> with the 40-character thumbprint you cleaned up in Notepad. The appid value is arbitrary and any GUID will do; HTTP.sys only records it so that you can tell which application owns the binding. certstore=My tells HTTP.sys to look in the computer's Personal store.
From the Command Prompt, type netsh http show sslcert to verify that your certificate is bound. The output will appear as follows:
C:\Users\Administrator>netsh http show sslcert
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : d0013e91aab93f437a4443b13e6d18bd60f0279c
Application ID : {00112233-4455-6677-8899-aabbccddeeff}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
An SSL certificate binding (netsh http add sslcert) and a URL reservation (netsh http add urlacl) are two separate things, and both must be in place. If an SSL binding already exists for the IP:port you wish to use, you must first delete it with netsh http delete sslcert ipport=<ip:port>, because HTTP.sys allows only one certificate per IP:port. Likewise, if a URL reservation already exists for the URL you wish to use, you must first delete it. Check your existing URL reservations using:
C:\Users\Administrator>netsh http show urlacl
URL Reservations:
-----------------
Reserved URL : https://host.domain.com:443/
User: \Everyone
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;WD)
To delete a pre-existing URL reservation, use:
C:\Users\Administrator> netsh http delete urlacl url=https://host.domain.com:443/
Now add the reservation. It is generally best to use a specific hostname in the URL rather than + or * (the strong and weak wildcards), so that the reservation does not capture every HTTPS request on the port regardless of the Host header.
C:\Users\Administrator> netsh http add urlacl url=https://host.domain.com:443/ user=everyone listen=yes
user=everyone is the simplest choice but it lets any local account listen on that URL. On a production host, reserve the URL for the account that will actually run Watson instead (for example user="NT AUTHORITY\NETWORK SERVICE" or a dedicated service account) so that another process cannot register itself on the same URL.
A helpful article on Stack Overflow related to this process (including the hidden-character problem with the thumbprint) can be found here: https://stackoverflow.com/questions/779228/the-parameter-is-incorrect-error-using-netsh-http-add-sslcert
If you see 503 errors, which usually mean the URL reservation does not match the hostname and port Watson is listening on, see: https://stackoverflow.com/questions/26412602/httplistener-server-returns-an-error-503-server-unavailable and https://stackoverflow.com/questions/8142396/what-causes-a-httplistener-http-503-error
Also be sure to set your listener hostname when starting Watson to either the exact hostname used in the URL reservation above, or to + if you reserved the URL with the + wildcard. A mismatch between the two is the most common cause of the 503 errors described above.
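The whole procedure above, scripted in PowerShell as an added example (this is not part of the Watson project and is not Watson's own code). It locates the certificate in the Computer account's Personal store, sanitises the thumbprint so the hidden U+200E character and spaces never reach netsh, replaces any existing SSL binding and URL reservation, and reserves the URL for a specific service account rather than Everyone. The hostname host.domain.com, the IP:port 0.0.0.0:443 and the NETWORK SERVICE account are assumptions; replace them with your own values. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not Watson project code. Assumes an elevated PowerShell session.
param(
    [string]$HostName = 'host.domain.com',                 # assumed hostname; use yours
    [string]$IpPort   = '0.0.0.0:443',                     # 0.0.0.0 = all IPv4 addresses
    [string]$Account  = 'NT AUTHORITY\NETWORK SERVICE'     # assumed account that runs Watson
)

$Port = $IpPort.Split(':')[-1]
$Url  = "https://${HostName}:${Port}/"                      # exact hostname, not + or *

# 1. Find the certificate in the Computer (LocalMachine) store, never Cert:\CurrentUser.
#    Require a private key; pick the longest-lived match if several exist.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$HostName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $HostName in LocalMachine\My" }

# 2. Sanitise the thumbprint: strip anything that is not a hex digit, which removes the
#    invisible U+200E mark and any spaces a copy from MMC may carry, then check the length.
$thumb = ($cert.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($thumb.Length -ne 40) { throw "Unexpected thumbprint '$thumb' (expected 40 hex characters)" }

# 3. Remove any existing SSL binding for this IP:port and any reservation for this URL.
#    netsh returns a non-zero exit code when there is nothing to delete; that is fine here.
$null = netsh http delete sslcert ipport="$IpPort"
$null = netsh http delete urlacl url="$Url"

# 4. Bind the certificate. appid is informational, so any GUID is accepted.
$appId = '{' + [guid]::NewGuid().ToString() + '}'
netsh http add sslcert ipport="$IpPort" certhash="$thumb" appid="$appId" certstore=My
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed (exit code $LASTEXITCODE)" }

# 5. Reserve the URL for the service account only, instead of granting listen to Everyone.
netsh http add urlacl url="$Url" user="$Account" listen=yes
if ($LASTEXITCODE -ne 0) { throw "netsh http add urlacl failed (exit code $LASTEXITCODE)" }

# 6. Show the resulting binding and reservation so they can be checked by eye.
netsh http show sslcert ipport="$IpPort"
netsh http show urlacl url="$Url"

Write-Host "Start Watson with hostname '$HostName' and port $Port (SSL enabled) under account '$Account'."
```

The script keys everything off the one $HostName value, so the certificate subject, the URL reservation and the hostname you pass to Watson cannot drift apart, which is the mismatch behind most 503 errors. If the account running Watson is not the one named in $Account, the listener will fail to start with an access-denied error rather than silently serving; that is the intended effect of not using Everyone.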