SslCertBinding.Net
3.0.0-beta.1
dotnet add package SslCertBinding.Net --version 3.0.0-beta.1
SslCertBinding.Net is a library for .NET on Windows that provides a simple API to add, remove or retrieve bindings between an HTTPS port and an SSL certificate.
This library can be used as a programmatic alternative to the Windows command-line tools netsh http show|add|delete sslcert or httpcfg query|set|delete ssl.
Important: The library uses the Win32 API and works on the Windows platform only.
Installation
To get started, add the SslCertBinding.Net NuGet package to your project by running the following command:
dotnet add package SslCertBinding.Net
Usage
The public API is centered on SslBindingConfiguration.
The current implementation supports these binding families:
- ipport=<ip>:<port>
- hostnameport=<host>:<port>
- ccs=<port>
- scopedccs=<host>:<port>
| Netsh shape | Recommended key type | Recommended binding type |
|---|---|---|
| ipport=1.1.1.1:443 | IpPortKey | IpPortBinding |
| ipport=0.0.0.0:443 | IpPortKey | IpPortBinding |
| hostnameport=www.contoso.com:443 | HostnamePortKey | HostnamePortBinding |
| ccs=443 | CcsPortKey | CcsPortBinding |
| scopedccs=www.contoso.com:443 | ScopedCcsKey | ScopedCcsBinding |
```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Net;
using SslCertBinding.Net;

var config = new SslBindingConfiguration();
var certificate = new SslCertificateReference("372680E4AEC4A57CAE698307347C65D3CE38AF60");
var appId = Guid.Parse("214124cd-d05b-4309-9af9-9caa44b2b74a");

// Add or update one binding per family.
config.Upsert(new IpPortBinding(
    new IpPortKey(IPAddress.Parse("0.0.0.0"), 443),
    certificate,
    appId));
config.Upsert(new HostnamePortBinding(
    new HostnamePortKey("www.contoso.com", 443),
    certificate,
    appId));
// The CCS families take no certificate reference.
config.Upsert(new CcsPortBinding(
    new CcsPortKey(443),
    appId));
config.Upsert(new ScopedCcsBinding(
    new ScopedCcsKey("www.contoso.com", 443),
    appId));

// Enumerate every binding, regardless of family.
IReadOnlyList<ISslBinding> allBindings = config.Query();

// Exact lookups by key; Find returns null when no binding exists.
HostnamePortBinding? sniBinding = config.Find(new HostnamePortKey("www.contoso.com", 443));
IpPortBinding? ipBinding = config.Find(new IpPortKey(IPAddress.Parse("0.0.0.0"), 443));
CcsPortBinding? ccsBinding = config.Find(new CcsPortKey(443));
ScopedCcsBinding? scopedCcsBinding = config.Find(new ScopedCcsKey("www.contoso.com", 443));

// The same lookups, with keys built from endpoint types.
HostnamePortBinding? sniBindingFromEndPoint = config.Find(new DnsEndPoint("www.contoso.com", 443).ToHostnamePortKey()!);
ScopedCcsBinding? scopedCcsBindingFromEndPoint = config.Find(new DnsEndPoint("www.contoso.com", 443).ToScopedCcsKey()!);
IpPortBinding? ipBindingFromEndPoint = config.Find(new IPEndPoint(IPAddress.Parse("0.0.0.0"), 443).ToIpPortKey()!);

if (sniBinding is not null)
{
    Console.WriteLine(sniBinding.Certificate.Thumbprint);
}

// Delete bindings by key.
config.Delete(new HostnamePortKey("www.contoso.com", 443));
config.Delete(new IpPortKey(IPAddress.Parse("0.0.0.0"), 443));
config.Delete(new CcsPortKey(443));
config.Delete(new ScopedCcsKey("www.contoso.com", 443));

// Delete also accepts keys converted from endpoint types.
config.Delete(new DnsEndPoint("www.contoso.com", 443).ToHostnamePortKey());
config.Delete(new DnsEndPoint("www.contoso.com", 443).ToScopedCcsKey());
config.Delete(new IPEndPoint(IPAddress.Parse("0.0.0.0"), 443).ToIpPortKey()!);
```
If you want family-specific enumeration, you can use:
```csharp
IReadOnlyList<IpPortBinding> ipBindings = config.Query<IpPortBinding>();
IReadOnlyList<HostnamePortBinding> hostnameBindings = config.Query<HostnamePortBinding>();
IReadOnlyList<CcsPortBinding> ccsBindings = config.Query<CcsPortBinding>();
IReadOnlyList<ScopedCcsBinding> scopedCcsBindings = config.Query<ScopedCcsBinding>();
```
Exact lookup uses Find(...). It returns the matching binding or null when no binding exists for the specified key.
SslCertificateReference does not accept a null store name. Use new SslCertificateReference(thumbprint) when you want the default MY store, or pass an explicit non-null store name when you want a different store.
IpPortKey, HostnamePortKey, and ScopedCcsKey define implicit conversions to and from the matching IPEndPoint or DnsEndPoint shapes where that mapping is natural. IPEndPoint.ToIpPortKey() is the IP-family helper, while DnsEndPoint uses explicit ToHostnamePortKey() and ToScopedCcsKey() conversions so the hostname-based families stay unambiguous.
Only IpPortBinding and HostnamePortBinding expose SslCertificateReference. CcsPortBinding and ScopedCcsBinding rely on HTTP.sys central certificate store resolution and therefore do not carry certificate thumbprint/store state in the public model.
BindingOptions support is not identical across the CCS families. ScopedCcsBinding can use the shared option surface, but CcsPortBinding is currently limited to default options only because HTTP.sys rejects non-default plain CCS option combinations on environments where CCS support is available.
The type model uses a hybrid interface/class model:
- ISslBinding is the non-generic root for mixed-family enumeration.
- SslBinding<TKey> provides the typed Key plus shared binding-state implementation for each binding family.
Legacy API
The legacy IP-only API remains available as a soft migration path:
- CertificateBinding, ICertificateBindingConfiguration, and CertificateBindingConfiguration still ship in this version.
- They are marked obsolete and hidden from IntelliSense for new code.
- They remain intentionally limited to ipport bindings.
- They do not enumerate or expose hostnameport/SNI bindings.
Legacy usage remains supported:
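```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography.X509Certificates; // StoreName
using SslCertBinding.Net;

// CS0618: suppress the "obsolete" warning raised by the legacy types.
#pragma warning disable CS0618
var legacyConfig = new CertificateBindingConfiguration();
legacyConfig.Bind(new CertificateBinding(
    "372680E4AEC4A57CAE698307347C65D3CE38AF60",
    StoreName.My,
    new IPEndPoint(IPAddress.Any, 443),
    Guid.Parse("214124cd-d05b-4309-9af9-9caa44b2b74a")));
IReadOnlyList<CertificateBinding> legacyBindings = legacyConfig.Query();
#pragma warning restore CS0618
```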
Recommended migration:
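```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography.X509Certificates; // StoreName
using SslCertBinding.Net;

// Same ipport binding as the legacy example, expressed with the current API.
var migratedConfig = new SslBindingConfiguration();
migratedConfig.Upsert(new IpPortBinding(
    new IpPortKey(IPAddress.Any, 443),
    new SslCertificateReference(
        "372680E4AEC4A57CAE698307347C65D3CE38AF60",
        StoreName.My),
    Guid.Parse("214124cd-d05b-4309-9af9-9caa44b2b74a")));
IReadOnlyList<IpPortBinding> migratedBindings = migratedConfig.Query<IpPortBinding>();
```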
FAQ
Why are unit tests failing on my PC?
Certificate configuration needs elevated permissions. Run Visual Studio as an Administrator before running unit tests.
I am getting the error "A specified logon session does not exist. It may have already been terminated". How do I fix it?
Make sure that your certificate is installed properly, that the certificate has a private key, that your private key store is not broken, etc. Try binding your certificate with the netsh CLI tool. If you get the same error, it should not be a bug in SslCertBinding.Net.
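The checks the last answer suggests (certificate installed, private key present) can be run against the bindings the library reports. The following is an added example, not code from the SslCertBinding.Net project; it assumes every certificate lives in the LocalMachine MY store and that IpPortBinding exposes the same Certificate property the usage example shows on HostnamePortBinding. The BindingAudit, CheckCertificate and Report names are hypothetical.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using SslCertBinding.Net;

static class BindingAudit
{
    // Returns the problems found for one thumbprint.
    // Assumption: the certificate is expected in LocalMachine\My.
    static List<string> CheckCertificate(string thumbprint)
    {
        var problems = new List<string>();
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        // validOnly: false, so expired certificates are still found and reported.
        X509Certificate2Collection found =
            store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
        if (found.Count == 0)
        {
            problems.Add("not present in LocalMachine\\My");
            return problems;
        }
        X509Certificate2 cert = found[0];
        if (!cert.HasPrivateKey) problems.Add("no private key");
        DateTime now = DateTime.Now; // NotBefore/NotAfter are in local time
        if (now < cert.NotBefore) problems.Add("not yet valid");
        if (now > cert.NotAfter) problems.Add("expired");
        return problems;
    }

    static void Report(string key, string thumbprint)
    {
        List<string> problems = CheckCertificate(thumbprint);
        Console.WriteLine(problems.Count == 0
            ? $"OK    {key} -> {thumbprint}"
            : $"WARN  {key} -> {thumbprint}: {string.Join(", ", problems)}");
    }

    static void Main()
    {
        var config = new SslBindingConfiguration();
        foreach (HostnamePortBinding b in config.Query<HostnamePortBinding>())
            Report($"hostnameport={b.Key}", b.Certificate.Thumbprint);
        // Assumption: IpPortBinding.Certificate mirrors HostnamePortBinding.Certificate.
        foreach (IpPortBinding b in config.Query<IpPortBinding>())
            Report($"ipport={b.Key}", b.Certificate.Thumbprint);
    }
}
```

CcsPortBinding and ScopedCcsBinding are not audited here because they carry no thumbprint in the public model.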
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net8.0-windows7.0 is compatible. net9.0 was computed. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 was computed. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
| .NET Framework | net462 is compatible. net463 was computed. net47 was computed. net471 was computed. net472 was computed. net48 was computed. net481 was computed. |
- .NETFramework 4.6.2
  - No dependencies.
- net8.0
  - No dependencies.
- net8.0-windows7.0
  - No dependencies.
NuGet packages (3)
Showing the top 3 NuGet packages that depend on SslCertBinding.Net:
| Package | Downloads |
|---|---|
| Cireson.Platform.Core.Host: Platform host. | |
| Firenze: Legacy .NET Framework 4.8 Power Tools Library | |
| CompuMaster.Web.TinyWebServerAdvanced: Package Description | |
GitHub repositories (2)
Showing the top 2 popular GitHub repositories that depend on SslCertBinding.Net:
| Repository | Stars |
|---|---|
| lithnet/access-manager: Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way. | |
| takenet/lime-csharp: C# LIME protocol implementation | |