“The parameter is incorrect.” error using netsh http add sslcert

0 votes
asked Apr 22, 2009 by derrick

Following the instructions on "How to: Configure a Port with an SSL Certificate" in this link: http://msdn.microsoft.com/en-us/library/ms733791.aspx, I entered this command on the commandline (duh):

> netsh http add sslcert ipport: certhash=5d48e604007b867ae8a69260a4ad318d2c05d8ff appid={EDE3C891-306C-40fe-BAD4-895B236A1CC8}
The parameter is incorrect.

My certhash thumbprint was taken from the certificate in Certificates(Local Computer)>Personal>Certificates folder.

The appid GUID was generated.

What else is wrong that I need to fix to get this to work?

17 Answers

0 votes
answered Jan 5, 2009 by derrick

there were a few things i did that i thought made it work after getting the same "The parameter is incorrect." Error.

1) restarted machine and did it again. it worked the first time. 2) made sure i was in c:\ and put the command again after restarting didn't work

i couldn't explain why but i think that maybe both times, there was something else wrong. because the third time this happened to me,

3) i went through the thumbprint of my CA (not the issued server cert) and copied it again from the MMC and it worked.

after this happened, i deleted it again (netsh http delete sslcert ipport= and repeated the process using the thumbprint of the server certificate. The darned thing worked again.

I dunno, just try going through the same thing I did. maybe one of these would work. In the end, i suspect that I entered a bogus space or character in the certhash.

0 votes
answered Jan 5, 2009 by cmptrgeekken

Looking at the syntax for the netsh command, I saw this example:

add sslcert ipport= certhash=0102030405060708090A0B0C0D0E0F1011121314 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

By the looks of it, your problem is that you're doing


as opposed to

0 votes
answered Jan 16, 2009 by tim-danner

I was getting this error as well when I was just getting started with http.sys. After I ran:

netsh http add iplisten ipaddress=

then the netsh http add sslcert commands started behaving properly.

0 votes
answered Jan 10, 2011 by abdul-hakim

In PowerShell just type as follows. first get into netsh http mode and then add sslcert. It's worked for me.



netsh http>add sslcert ipport= appid='{a5455c78-6489-4e13-b395-47fbdee0e7e6}' certhash=<thumprint without space>
0 votes
answered Jan 24, 2011 by christopher-broome

I ran across this question while looking for a solution to the problem. I finally found one that worked for me.

My certhash parameter wasn't fully 20 bytes long. I had to pad it with zeroes in front to get it to work.

So, instead of

certhash=112233445566778899aabbccddeeff00, I had to do this:


Hope this helps.

0 votes
answered Jan 7, 2013 by richard

Another possible cause for this problem is hidden characters being copied from the Certificate Manager page. If you copy the thumbprint from the details window in Certificates, check for a hidden character at the start (use your arrow keys!). This was the cause for me of the "The Parameter is Incorrect" error message.

0 votes
answered Jan 20, 2013 by martin-clemens-bloch

The "-"s are NOT irrelevant. If your guid doesnt look exactly like this you will get the incorrect parameter error: {EDE3C891-306C-40fe-BAD4-895B236A1CC8} vs. EDE3C891306C40feBAD4895B236A1CC8 -> WRONG {EDE3C891306C40feBAD4895B236A1CC8} -> WRONG

Also Im using the guid for the appid of the IIS, not a random one.

0 votes
answered Jan 21, 2013 by simsimy

In my case the problem is that I following the microsoft inscructions I copied the thumbprint from the SSL window. the thing is that doing so copies non-printable character at the beginning of the hash.

Try to paste the thumbprint into notepad and then press home and pres delete twice (until the first char from the thumbprint is deleted) and the re-add the char. You can see the char if you copy the thumbprint and paste it into cmd:

thumbprint with "?"

0 votes
answered Jan 5, 2014 by gmlewisii

Sir, you have ipport: rather than ipport= which is easy to do since you follow that with ip:port

Also, watch out for the { versus < or (, that has also gotten me in the past.

0 votes
answered Jan 8, 2014 by codingoutloud

The PowerShell command line and PowerShell scripts in ps1 files will think curley-braces {...} are PowerShell directives. So quote them. Otherwise, as you have seen, PowerShell will be confused.

So rather than this (which you found fails):

netsh http add sslcert ipp ort: certhash=5d48e604007b867ae8a69260a4ad318d2c05d8ff appid= {EDE3C891-306C-40fe-BAD4-895B236A1CC8} 

Do this (note the single quotes):

netsh http add sslcert ipp ort: certhash=5d48e604007b867ae8a69260a4ad318d2c05d8ff appid= '{EDE3C891-306C-40fe-BAD4-895B236A1CC8}'

Here is some information about PowerShell syntax with curley braces:


Welcome to Q&A, where you can ask questions and receive answers from other members of the community.
Website Online Counter