An important part of any web server build is installing a valid SSL cert and binding it to the sites. In a regular IT team, certs are often misunderstood because they are dealt with only when they expire or when there is a new server to build; some people even fear dealing with certs. Newer IT teams build servers and infrastructure as code, and handling this step in code makes it easy to deploy and bind the certs when using Windows and IIS.

Step One: Prep the cert

Azure DevOps and Ansible variables are tricky, and if a value has special characters like dollar signs the variable might not work. As a workaround, I make sure that my PFX has a long password (25+ characters) with caps, numbers and letters. If your cert's password has characters that break the import, and you can confirm that manually, then change the password with 2 simple steps in any Linux terminal. The intermediate tmpmycert.pem is written with -nodes, so it holds the private key unencrypted; delete it once the new PFX is created.

openssl pkcs12 -in certwithbadpassword.pfx -out tmpmycert.pem -nodes
Enter Import Password: [badpassword]

openssl pkcs12 -export -out mycert2.pfx -in tmpmycert.pem
Enter Export Password: [longpasswordwithoutspecialchars]

Step Two: Upload the cert as a secure file in AzDo

Follow the steps below to upload the cert to your Azure DevOps Library as a secure file.

Select the Secure Files tab.

Step Three: Start the pipeline for the playbook.

The first task in our release pipeline will be to download the cert to the agent running the job. Since we are using the secure file option, the cert will only be downloaded during the run and not cached locally.

Step Four: Create the playbook

The first task in our playbook will be to copy the PFX over to the servers. Then we import the certificate chain into the stores, and lastly we bind it in IIS. The hash in the screenshot below has been scrambled.
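The copy, import and bind tasks described above, written out as an added example playbook (not the author's original). The inventory group, file paths, site name and variable names are assumptions, the thumbprint is a placeholder, and the final cleanup task is an addition that is not among the page's steps.

```yaml
---
# Added example, not the author's playbook. Inventory group, paths, site name
# and variable names are assumptions; secrets are supplied by the pipeline.
- name: Deploy a PFX and bind it to IIS on port 443
  hosts: iis_servers                            # assumed inventory group
  gather_facts: false
  vars:
    pfx_local_path: "{{ agent_pfx_path }}"      # where the pipeline downloaded the secure file
    pfx_remote_path: 'C:\Temp\mycert2.pfx'      # assumed staging path on the server
    site_name: Default Web Site                 # assumed IIS site
    cert_thumbprint: "<LEAF_CERT_THUMBPRINT>"   # placeholder, supply your own
    # pfx_password is expected from a secret pipeline variable
  tasks:
    - name: Copy the PFX to the server
      ansible.windows.win_copy:
        src: "{{ pfx_local_path }}"
        dest: "{{ pfx_remote_path }}"

    - name: Import the PFX into LocalMachine\My
      ansible.windows.win_certificate_store:
        path: "{{ pfx_remote_path }}"
        password: "{{ pfx_password }}"
        state: present
        store_location: LocalMachine
        store_name: My
        key_storage: machine
        key_exportable: false
      register: pfx_import
      no_log: true                              # keep the password out of the job log

    - name: Check that the expected cert was in the PFX
      ansible.builtin.assert:
        that:
          - (cert_thumbprint | upper) in (pfx_import.thumbprints | map('upper') | list)

    - name: Bind the cert to the site on 443
      community.windows.win_iis_webbinding:
        name: "{{ site_name }}"
        protocol: https
        port: 443
        ip: "*"
        certificate_hash: "{{ cert_thumbprint }}"
        certificate_store_name: My
        state: present

    - name: Remove the staged PFX (added hardening step, not on the page)
      ansible.windows.win_file:
        path: "{{ pfx_remote_path }}"
        state: absent
```

The binding task uses community.windows.win_iis_webbinding, which is not among the page's listed sources and requires the community.windows collection on the control node.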

Result:

You have the PFX copied over, available, and bound to all for port 443.

Sources:

Secure Files: https://docs.microsoft.com/en-us/azure/devops/pipelines/library/secure-files?view=azure-devops

Ansible Windows File Copy: https://docs.ansible.com/ansible/latest/collections/ansible/windows/win_copy_module.html

Ansible Windows Certificates: https://docs.ansible.com/ansible/latest/collections/ansible/windows/win_certificate_store_module.html