Support non-SNI SSL certificates in Http extensionbob/HttpNonSniSslCerts

Implements https://github.com/wixtoolset/issues/issues/7622

5 files changed, 457 insertions, 227 deletions

diff --git a/src/ext/Http/ca/httpca.vcxproj b/src/ext/Http/ca/httpca.vcxproj
index 42acd85d..73ded72e 100644
--- a/src/ext/Http/ca/httpca.vcxproj
+++ b/src/ext/Http/ca/httpca.vcxproj
@@ -1,6 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->
-
 <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|Win32">
@@ -28,7 +27,6 @@
       <Platform>ARM64</Platform>
     </ProjectConfiguration>
   </ItemGroup>
-
   <PropertyGroup Label="Globals">
     <ProjectGuid>{90743805-C043-47C7-B5FF-8F5EE5C8A2DE}</ProjectGuid>
     <ConfigurationType>DynamicLibrary</ConfigurationType>
@@ -37,35 +35,28 @@
     <ProjectModuleDefinitionFile>wixhttpca.def</ProjectModuleDefinitionFile>
     <Description>WiX Toolset Http CustomAction</Description>
   </PropertyGroup>
-
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
-
   <PropertyGroup>
     <ProjectAdditionalLinkLibraries>crypt32.lib;httpapi.lib;msi.lib;rpcrt4.lib;ws2_32.lib</ProjectAdditionalLinkLibraries>
   </PropertyGroup>
-
   <ItemGroup>
     <ClCompile Include="dllmain.cpp">
       <PrecompiledHeader>Create</PrecompiledHeader>
     </ClCompile>
-    <ClCompile Include="snisslcert.cpp" />
+    <ClCompile Include="httpcerts.cpp" />
     <ClCompile Include="wixhttpca.cpp" />
   </ItemGroup>
-
   <ItemGroup>
     <ClInclude Include="cost.h" />
     <ClInclude Include="precomp.h" />
   </ItemGroup>
-
   <ItemGroup>
     <None Include="wixhttpca.def" />
   </ItemGroup>
-
   <ItemGroup>
     <PackageReference Include="WixToolset.WcaUtil" />
     <PackageReference Include="Microsoft.SourceLink.GitHub" PrivateAssets="All" />
   </ItemGroup>
-
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
-</Project>
+</Project>
\ No newline at end of file
diff --git a/src/ext/Http/ca/httpca.vcxproj.filters b/src/ext/Http/ca/httpca.vcxproj.filters
index 2ccd604d..4f91b946 100644
--- a/src/ext/Http/ca/httpca.vcxproj.filters
+++ b/src/ext/Http/ca/httpca.vcxproj.filters
@@ -21,7 +21,7 @@
     <ClCompile Include="dllmain.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
-    <ClCompile Include="snisslcert.cpp">
+    <ClCompile Include="httpcerts.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
   </ItemGroup>
@@ -37,6 +37,5 @@
     <None Include="wixhttpca.def">
       <Filter>Source Files</Filter>
     </None>
-    <None Include="packages.config" />
   </ItemGroup>
 </Project>
\ No newline at end of file
diff --git a/src/ext/Http/ca/snisslcert.cpp b/src/ext/Http/ca/httpcerts.cpp
index 81cd5298..c91dbbe1 100644
--- a/src/ext/Http/ca/snisslcert.cpp
+++ b/src/ext/Http/ca/httpcerts.cpp
@@ -27,10 +27,19 @@ typedef struct _HTTP_SERVICE_CONFIG_SSL_SNI_QUERY
 
 #endif
 
-static UINT SchedHttpSniSslCerts(
+static UINT SchedHttpCertificates(
     __in WCA_TODO todoSched
 );
-static HRESULT WriteExistingSniSslCert(
+static HRESULT FindExistingSniSslCertificate(
+    __in_z LPWSTR wzHost,
+    __in int nPort,
+    __out HTTP_SERVICE_CONFIG_SSL_SNI_SET** ppSet
+);
+static HRESULT FindExistingIpSslCertificate(
+    __in int nPort,
+    __out HTTP_SERVICE_CONFIG_SSL_SET** ppSet
+);
+static HRESULT WriteSniSslCertCustomActionData(
     __in WCA_TODO action,
     __in_z LPCWSTR wzId,
     __in_z LPCWSTR wzHost,
@@ -39,25 +48,14 @@ static HRESULT WriteExistingSniSslCert(
     __in HTTP_SERVICE_CONFIG_SSL_SNI_SET* pSniSslSet,
     __inout_z LPWSTR* psczCustomActionData
 );
-static HRESULT WriteSniSslCert(
+static HRESULT WriteIpSslCertCustomActionData(
     __in WCA_TODO action,
     __in_z LPCWSTR wzId,
-    __in_z LPCWSTR wzHost,
     __in int iPort,
     __in int iHandleExisting,
-    __in_z LPCWSTR wzCertificateThumbprint,
-    __in_z LPCWSTR wzAppId,
-    __in_z_opt LPCWSTR wzCertificateStore,
+    __in HTTP_SERVICE_CONFIG_SSL_SET* pSniSslSet,
     __inout_z LPWSTR* psczCustomActionData
 );
-static HRESULT EnsureAppId(
-    __inout_z LPWSTR* psczAppId,
-    __in_opt HTTP_SERVICE_CONFIG_SSL_SNI_SET* pExistingSniSslSet
-);
-static HRESULT StringFromGuid(
-    __in REFGUID rguid,
-    __inout_z LPWSTR* psczGuid
-);
 static HRESULT AddSniSslCert(
     __in_z LPCWSTR wzId,
     __in_z LPWSTR wzHost,
@@ -67,43 +65,75 @@ static HRESULT AddSniSslCert(
     __in GUID* pAppId,
     __in_z LPWSTR wzSslCertStore
 );
-static HRESULT GetSniSslCert(
-    __in_z LPWSTR wzHost,
-    __in int nPort,
-    __out HTTP_SERVICE_CONFIG_SSL_SNI_SET** ppSet
+static HRESULT AddIpSslCert(
+    __in_z LPCWSTR wzId,
+    __in int iPort,
+    __in BYTE rgbCertificateThumbprint[],
+    __in DWORD cbCertificateThumbprint,
+    __in GUID* pAppId,
+    __in_z LPWSTR wzSslCertStore
 );
 static HRESULT RemoveSniSslCert(
-    __in_z LPCWSTR wzId,
+    __in_z_opt LPCWSTR wzId,
     __in_z LPWSTR wzHost,
     __in int iPort
 );
-static void SetSniSslCertSetKey(
+static HRESULT RemoveIpSslCert(
+    __in_z_opt LPCWSTR wzId,
+    __in int iPort
+);
+static void SetSniSslCertificateKeyPort(
     __in HTTP_SERVICE_CONFIG_SSL_SNI_KEY* pKey,
     __in_z LPWSTR wzHost,
     __in int iPort
 );
+static void SetIpSslCertificateKeyPort(
+    __in HTTP_SERVICE_CONFIG_SSL_KEY* pKey,
+    __in SOCKADDR_IN* pSin,
+    __in int iPort
+);
+static HRESULT EnsureAppId(
+    __inout_z LPWSTR* psczAppId,
+    __in_opt GUID* pGuid
+);
+static HRESULT StringFromGuid(
+    __in REFGUID rguid,
+    __inout_z LPWSTR* psczGuid
+);
+static HRESULT WriteCertificateCaData(
+    __in eCertificateType certType,
+    __in WCA_TODO action,
+    __in_z LPCWSTR wzId,
+    __in_z_opt LPCWSTR wzHost,
+    __in int iPort,
+    __in int iHandleExisting,
+    __in_z LPCWSTR wzCertificateThumbprint,
+    __in_z_opt LPCWSTR wzAppId,
+    __in_z_opt LPCWSTR wzCertificateStore,
+    __inout_z LPWSTR* psczCustomActionData
+);
 
 
-LPCWSTR vcsWixHttpSniSslCertQuery =
-L"SELECT `WixHttpSniSslCert`, `Host`, `Port`, `Thumbprint`, `AppId`, `Store`, `HandleExisting`, `Component_` "
-L"FROM `Wix4HttpSniSslCert`";
-enum eWixHttpSniSslCertQuery { hurqId = 1, hurqHost, hurqPort, hurqCertificateThumbprint, hurqAppId, hurqCertificateStore, hurqHandleExisting, hurqComponent };
+LPCWSTR vcsHttpCertificatesQuery =
+L"SELECT `HttpCertificate`, `Host`, `Port`, `Thumbprint`, `AppId`, `Store`, `HandleExisting`, `Type`, `Component_` "
+L"FROM `Wix6HttpCertificate`";
+enum eHttpCertificatesQuery { hcqId = 1, hcqHost, hcqPort, hcqCertificateThumbprint, hcqAppId, hcqCertificateStore, hcqHandleExisting, hcqType, hcqComponent };
 
 /******************************************************************
- SchedWixHttpSniSslCertsInstall - immediate custom action entry
-   point to prepare adding URL reservations.
+ SchedHttpCertificatesInstall - immediate custom action entry
+   point to prepare adding certificates.
 
 ********************************************************************/
-extern "C" UINT __stdcall SchedHttpSniSslCertsInstall(
+extern "C" UINT __stdcall SchedHttpCertificatesInstall(
     __in MSIHANDLE hInstall
 )
 {
     HRESULT hr = S_OK;
 
-    hr = WcaInitialize(hInstall, "SchedHttpSniSslCertsInstall");
+    hr = WcaInitialize(hInstall, "SchedHttpCertificatesInstall");
     ExitOnFailure(hr, "Failed to initialize");
 
-    hr = SchedHttpSniSslCerts(WCA_TODO_INSTALL);
+    hr = SchedHttpCertificates(WCA_TODO_INSTALL);
 
 LExit:
     return WcaFinalize(FAILED(hr) ? ERROR_INSTALL_FAILURE : ERROR_SUCCESS);
@@ -111,30 +141,30 @@ LExit:
 
 /******************************************************************
  SchedWixHttpSniSslCertsUninstall - immediate custom action entry
-   point to prepare removing URL reservations.
+   point to prepare removing certificates.
 
 ********************************************************************/
-extern "C" UINT __stdcall SchedHttpSniSslCertsUninstall(
+extern "C" UINT __stdcall SchedHttpCertificatesUninstall(
     __in MSIHANDLE hInstall
 )
 {
     HRESULT hr = S_OK;
 
-    hr = WcaInitialize(hInstall, "SchedHttpSniSslCertsUninstall");
+    hr = WcaInitialize(hInstall, "SchedHttpCertificatesUninstall");
     ExitOnFailure(hr, "Failed to initialize");
 
-    hr = SchedHttpSniSslCerts(WCA_TODO_UNINSTALL);
+    hr = SchedHttpCertificates(WCA_TODO_UNINSTALL);
 
 LExit:
     return WcaFinalize(FAILED(hr) ? ERROR_INSTALL_FAILURE : ERROR_SUCCESS);
 }
 
 /******************************************************************
- ExecHttpSniSslCerts - deferred custom action entry point to
-   register and remove URL reservations.
+ ExecHttpCertificates - deferred custom action entry point to
+   bind/unbind certificates.
 
 ********************************************************************/
-extern "C" UINT __stdcall ExecHttpSniSslCerts(
+extern "C" UINT __stdcall ExecHttpCertificates(
     __in MSIHANDLE hInstall
 )
 {
@@ -147,6 +177,7 @@ extern "C" UINT __stdcall ExecHttpSniSslCerts(
     LPWSTR sczHost = NULL;
     int iPort = 0;
     eHandleExisting handleExisting = heIgnore;
+    eCertificateType certificateType = ctSniSsl;
     LPWSTR sczCertificateThumbprint = NULL;
     LPWSTR sczAppId = NULL;
     LPWSTR sczCertificateStore = NULL;
@@ -161,7 +192,7 @@ extern "C" UINT __stdcall ExecHttpSniSslCerts(
     DWORD cbCertificateThumbprint = 0;
 
     // Initialize.
-    hr = WcaInitialize(hInstall, "ExecHttpSniSslCerts");
+    hr = WcaInitialize(hInstall, "ExecHttpCertificates");
     ExitOnFailure(hr, "Failed to initialize");
 
     hr = HRESULT_FROM_WIN32(::HttpInitialize(HTTPAPI_VERSION_1, HTTP_INITIALIZE_CONFIG, NULL));
@@ -177,6 +208,9 @@ extern "C" UINT __stdcall ExecHttpSniSslCerts(
     while (wz && *wz)
     {
         // Extract the custom action data and if rolling back, swap INSTALL and UNINSTALL.
+        hr = WcaReadIntegerFromCaData(&wz, reinterpret_cast<int*>(&certificateType));
+        ExitOnFailure(hr, "Failed to read Type from custom action data");
+
         hr = WcaReadIntegerFromCaData(&wz, &iTodo);
         ExitOnFailure(hr, "Failed to read todo from custom action data");
 
@@ -219,35 +253,50 @@ extern "C" UINT __stdcall ExecHttpSniSslCerts(
 
         if (fRemove)
         {
-            hr = RemoveSniSslCert(sczId, sczHost, iPort);
+            if (ctSniSsl == certificateType)
+            {
+                hr = RemoveSniSslCert(sczId, sczHost, iPort);
+            }
+            else
+            {
+                hr = RemoveIpSslCert(sczId, iPort);
+            }
+
             if (S_OK == hr)
             {
-                WcaLog(LOGMSG_STANDARD, "Removed SNI SSL certificate '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+                WcaLog(LOGMSG_STANDARD, "Removed SSL certificate '%ls' for hostname: %ls:%d.", sczId, sczHost, iPort);
             }
             else if (FAILED(hr))
             {
                 if (fRollback)
                 {
-                    WcaLogError(hr, "Failed to remove SNI SSL certificate to rollback '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+                    WcaLogError(hr, "Failed to remove SSL certificate to rollback '%ls' for hostname: %ls:%d.", sczId, sczHost, iPort);
                 }
                 else
                 {
-                    ExitOnFailure(hr, "Failed to remove SNI SSL certificate '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+                    ExitOnFailure(hr, "Failed to remove SSL certificate '%ls' for hostname: %ls:%d.", sczId, sczHost, iPort);
                 }
             }
         }
 
         if (fAdd)
         {
-            WcaLog(LOGMSG_STANDARD, "Adding SNI SSL certificate '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+            WcaLog(LOGMSG_STANDARD, "Adding SSL certificate '%ls' for hostname: %ls:%d.", sczId, sczHost, iPort);
 
             hr = StrAllocHexDecode(sczCertificateThumbprint, &pbCertificateThumbprint, &cbCertificateThumbprint);
-            ExitOnFailure(hr, "Failed to convert thumbprint to bytes for SNI SSL certificate '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+            ExitOnFailure(hr, "Failed to convert thumbprint to bytes for SSL certificate '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
 
             hr = ::IIDFromString(sczAppId, &guidAppId);
-            ExitOnFailure(hr, "Failed to convert AppId '%ls' back to GUID for SNI SSL certificate '%ls' for hostname: %ls:%d", sczAppId, sczId, sczHost, iPort);
+            ExitOnFailure(hr, "Failed to convert AppId '%ls' back to GUID for SSL certificate '%ls' for hostname: %ls:%d", sczAppId, sczId, sczHost, iPort);
+            if (ctSniSsl == certificateType)
+            {
+                hr = AddSniSslCert(sczId, sczHost, iPort, pbCertificateThumbprint, cbCertificateThumbprint, &guidAppId, sczCertificateStore && *sczCertificateStore ? sczCertificateStore : L"MY");
+            }
+            else
+            {
+                hr = AddIpSslCert(sczId, iPort, pbCertificateThumbprint, cbCertificateThumbprint, &guidAppId, sczCertificateStore && *sczCertificateStore ? sczCertificateStore : L"MY");
+            }
 
-            hr = AddSniSslCert(sczId, sczHost, iPort, pbCertificateThumbprint, cbCertificateThumbprint, &guidAppId, sczCertificateStore && *sczCertificateStore ? sczCertificateStore : L"MY");
             if (S_FALSE == hr && fFailOnExisting)
             {
                 hr = HRESULT_FROM_WIN32(ERROR_ALREADY_EXISTS);
@@ -255,17 +304,17 @@ extern "C" UINT __stdcall ExecHttpSniSslCerts(
 
             if (S_OK == hr)
             {
-                WcaLog(LOGMSG_STANDARD, "Added SNI SSL certificate '%ls' for hostname: %ls:%d with thumbprint: %ls", sczId, sczHost, iPort, sczCertificateThumbprint);
+                WcaLog(LOGMSG_STANDARD, "Added SSL certificate '%ls' for hostname: %ls:%d with thumbprint: %ls.", sczId, sczHost, iPort, sczCertificateThumbprint);
             }
             else if (FAILED(hr))
             {
                 if (fRollback)
                 {
-                    WcaLogError(hr, "Failed to add SNI SSL certificate to rollback '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+                    WcaLogError(hr, "Failed to add SSL certificate to rollback '%ls' for hostname: %ls:%d.", sczId, sczHost, iPort);
                 }
                 else
                 {
-                    ExitOnFailure(hr, "Failed to add SNI SSL certificate '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+                    ExitOnFailure(hr, "Failed to add SSL certificate '%ls' for hostname: %ls:%d.", sczId, sczHost, iPort);
                 }
             }
 
@@ -290,7 +339,7 @@ LExit:
     return WcaFinalize(FAILED(hr) ? ERROR_INSTALL_FAILURE : ERROR_SUCCESS);
 }
 
-static UINT SchedHttpSniSslCerts(
+static UINT SchedHttpCertificates(
     __in WCA_TODO todoSched
 )
 {
@@ -309,6 +358,7 @@ static UINT SchedHttpSniSslCerts(
 
     LPWSTR sczId = NULL;
     LPWSTR sczComponent = NULL;
+    eCertificateType certificateType = ctSniSsl;
     WCA_TODO todoComponent = WCA_TODO_UNKNOWN;
     LPWSTR sczHost = NULL;
     int iPort = 0;
@@ -318,19 +368,20 @@ static UINT SchedHttpSniSslCerts(
     int iHandleExisting = 0;
 
     HTTP_SERVICE_CONFIG_SSL_SNI_SET* pExistingSniSslSet = NULL;
+    HTTP_SERVICE_CONFIG_SSL_SET* pExistingIpSslSet = NULL;
 
     // Anything to do?
-    hr = WcaTableExists(L"Wix4HttpSniSslCert");
-    ExitOnFailure(hr, "Failed to check if the Wix4HttpSniSslCert table exists");
+    hr = WcaTableExists(L"Wix6HttpCertificate");
+    ExitOnFailure(hr, "Failed to check if the Wix6HttpCertificate table exists");
     if (S_FALSE == hr)
     {
-        WcaLog(LOGMSG_STANDARD, "Wix4HttpSniSslCert table doesn't exist, so there are no URL reservations to configure");
+        WcaLog(LOGMSG_STANDARD, "Wix6HttpCertificate table doesn't exist, so there are no certificates to configure.");
         ExitFunction();
     }
 
     // Query and loop through all the SNI SSL certificates.
-    hr = WcaOpenExecuteView(vcsWixHttpSniSslCertQuery, &hView);
-    ExitOnFailure(hr, "Failed to open view on the Wix4HttpSniSslCert table");
+    hr = WcaOpenExecuteView(vcsHttpCertificatesQuery, &hView);
+    ExitOnFailure(hr, "Failed to open view on the Wix6HttpCertificate table");
 
     hr = HRESULT_FROM_WIN32(::HttpInitialize(HTTPAPI_VERSION_1, HTTP_INITIALIZE_CONFIG, NULL));
     ExitOnFailure(hr, "Failed to initialize HTTP Server configuration");
@@ -339,70 +390,92 @@ static UINT SchedHttpSniSslCerts(
 
     while (S_OK == (hr = WcaFetchRecord(hView, &hRec)))
     {
-        hr = WcaGetRecordString(hRec, hurqId, &sczId);
-        ExitOnFailure(hr, "Failed to get Wix4HttpSniSslCert.Wix4HttpSniSslCert");
+        hr = WcaGetRecordString(hRec, hcqId, &sczId);
+        ExitOnFailure(hr, "Failed to get Wix6HttpCertificate.Wix6HttpCertificate");
 
-        hr = WcaGetRecordString(hRec, hurqComponent, &sczComponent);
-        ExitOnFailure(hr, "Failed to get Wix4HttpSniSslCert.Component_");
+        hr = WcaGetRecordString(hRec, hcqComponent, &sczComponent);
+        ExitOnFailure(hr, "Failed to get Wix6HttpCertificate.Component_");
 
-        // Figure out what we're doing for this reservation, treating reinstall the same as install.
+        // Figure out what we're doing for this certificate, treating reinstall the same as install.
         todoComponent = WcaGetComponentToDo(sczComponent);
         if ((WCA_TODO_REINSTALL == todoComponent ? WCA_TODO_INSTALL : todoComponent) != todoSched)
         {
-            WcaLog(LOGMSG_STANDARD, "Component '%ls' action state (%d) doesn't match request (%d) for Wix4HttpSniSslCert '%ls'", sczComponent, todoComponent, todoSched, sczId);
+            WcaLog(LOGMSG_VERBOSE, "Component '%ls' action state (%d) doesn't match request (%d) for Wix6HttpCertificate '%ls'.", sczComponent, todoComponent, todoSched, sczId);
             continue;
         }
 
-        hr = WcaGetRecordFormattedString(hRec, hurqHost, &sczHost);
-        ExitOnFailure(hr, "Failed to get Wix4HttpSniSslCert.Host");
+        hr = WcaGetRecordInteger(hRec, hcqType, reinterpret_cast<int*>(&certificateType));
+        ExitOnFailure(hr, "Failed to get Type for Wix6HttpCertificate '%ls'", sczId);
 
-        hr = WcaGetRecordFormattedInteger(hRec, hurqPort, &iPort);
-        ExitOnFailure(hr, "Failed to get Wix4HttpSniSslCert.Port");
+        hr = WcaGetRecordFormattedString(hRec, hcqHost, &sczHost);
+        ExitOnFailure(hr, "Failed to get Wix6HttpCertificate.Host");
 
-        hr = WcaGetRecordFormattedString(hRec, hurqCertificateThumbprint, &sczCertificateThumbprint);
-        ExitOnFailure(hr, "Failed to get Wix4HttpSniSslCert.CertificateThumbprint");
+        hr = WcaGetRecordFormattedInteger(hRec, hcqPort, &iPort);
+        ExitOnFailure(hr, "Failed to get Wix6HttpCertificate.Port");
 
-        if (!sczHost || !*sczHost)
-        {
-            hr = E_INVALIDARG;
-            ExitOnFailure(hr, "Require a Host value for Wix4HttpSniSslCert '%ls'", sczId);
-        }
+        hr = WcaGetRecordFormattedString(hRec, hcqCertificateThumbprint, &sczCertificateThumbprint);
+        ExitOnFailure(hr, "Failed to get Wix6HttpCertificate.CertificateThumbprint");
 
         if (!iPort)
         {
             hr = E_INVALIDARG;
-            ExitOnFailure(hr, "Require a Port value for Wix4HttpSniSslCert '%ls'", sczId);
+            ExitOnFailure(hr, "Missing Port value for Wix6HttpCertificate '%ls'", sczId);
         }
 
         if (!sczCertificateThumbprint || !*sczCertificateThumbprint)
         {
             hr = E_INVALIDARG;
-            ExitOnFailure(hr, "Require a CertificateThumbprint value for Wix4HttpSniSslCert '%ls'", sczId);
+            ExitOnFailure(hr, "Missing CertificateThumbprint value for Wix6HttpCertificate '%ls'", sczId);
         }
 
-        hr = WcaGetRecordFormattedString(hRec, hurqAppId, &sczAppId);
-        ExitOnFailure(hr, "Failed to get AppId for Wix4HttpSniSslCert '%ls'", sczId);
+        hr = WcaGetRecordFormattedString(hRec, hcqAppId, &sczAppId);
+        ExitOnFailure(hr, "Failed to get AppId for Wix6HttpCertificate '%ls'", sczId);
 
-        hr = WcaGetRecordFormattedString(hRec, hurqCertificateStore, &sczCertificateStore);
-        ExitOnFailure(hr, "Failed to get CertificateStore for Wix4HttpSniSslCert '%ls'", sczId);
+        hr = WcaGetRecordFormattedString(hRec, hcqCertificateStore, &sczCertificateStore);
+        ExitOnFailure(hr, "Failed to get CertificateStore for Wix6HttpCertificate '%ls'", sczId);
 
-        hr = WcaGetRecordInteger(hRec, hurqHandleExisting, &iHandleExisting);
-        ExitOnFailure(hr, "Failed to get HandleExisting for Wix4HttpSniSslCert '%ls'", sczId);
+        hr = WcaGetRecordInteger(hRec, hcqHandleExisting, &iHandleExisting);
+        ExitOnFailure(hr, "Failed to get HandleExisting for Wix6HttpCertificate '%ls'", sczId);
 
-        hr = GetSniSslCert(sczHost, iPort, &pExistingSniSslSet);
-        ExitOnFailure(hr, "Failed to get the existing SNI SSL certificate for Wix4HttpSniSslCert '%ls'", sczId);
+        if (ctIpSsl == certificateType)
+        {
+            WcaLog(LOGMSG_STANDARD, "Processing IP SSL certificate: %ls on port %d.", sczId, iPort);
+
+            hr = FindExistingIpSslCertificate(iPort, &pExistingIpSslSet);
+            ExitOnFailure(hr, "Failed to search for an existing IP SSL certificate for '%ls' on port %d", sczId, iPort);
 
-        hr = EnsureAppId(&sczAppId, pExistingSniSslSet);
-        ExitOnFailure(hr, "Failed to ensure AppId for Wix4HttpSniSslCert '%ls'", sczId);
+            if (S_FALSE != hr)
+            {
+                hr = WriteIpSslCertCustomActionData(todoComponent, sczId, iPort, iHandleExisting, pExistingIpSslSet, &sczRollbackCustomActionData);
+                ExitOnFailure(hr, "Failed to write rollback custom action data for IP SSL '%ls' on port %d", sczId, iPort);
+            }
 
-        hr = WriteExistingSniSslCert(todoComponent, sczId, sczHost, iPort, iHandleExisting, pExistingSniSslSet, &sczRollbackCustomActionData);
-        ExitOnFailure(hr, "Failed to write rollback custom action data for Wix4HttpSniSslCert '%ls'", sczId);
+            hr = EnsureAppId(&sczAppId, pExistingIpSslSet ? &(pExistingIpSslSet->ParamDesc.AppId) : NULL);
+            ExitOnFailure(hr, "Failed to ensure AppId for IP SSL '%ls'", sczId);
+        }
+        else if (ctSniSsl == certificateType)
+        {
+            WcaLog(LOGMSG_STANDARD, "Processing SNI SSL certificate: %ls on host %ls:%d.", sczId, sczHost, iPort);
 
-        hr = WriteSniSslCert(todoComponent, sczId, sczHost, iPort, iHandleExisting, sczCertificateThumbprint, sczAppId, sczCertificateStore, &sczCustomActionData);
-        ExitOnFailure(hr, "Failed to write custom action data for Wix4HttpSniSslCert '%ls'", sczId);
+            hr = FindExistingSniSslCertificate(sczHost, iPort, &pExistingSniSslSet);
+            ExitOnFailure(hr, "Failed to search for an existing SNI SSL certificate for '%ls' on host '%ls', port %d", sczId, sczHost, iPort);
+
+            if (S_FALSE != hr)
+            {
+                hr = WriteSniSslCertCustomActionData(todoComponent, sczId, sczHost, iPort, iHandleExisting, pExistingSniSslSet, &sczRollbackCustomActionData);
+                ExitOnFailure(hr, "Failed to write rollback custom action data for SNI SSL Wix6HttpCertificate '%ls' on host '%ls', port %d", sczId, sczHost, iPort);
+            }
+
+            hr = EnsureAppId(&sczAppId, pExistingSniSslSet ? &(pExistingSniSslSet->ParamDesc.AppId) : NULL);
+            ExitOnFailure(hr, "Failed to ensure AppId for SNI SSL '%ls'", sczId);
+        }
+
+        hr = WriteCertificateCaData(certificateType, todoComponent, sczId, sczHost, iPort, iHandleExisting, sczCertificateThumbprint, sczAppId, sczCertificateStore, &sczCustomActionData);
+        ExitOnFailure(hr, "Failed to write custom action data for SSL '%ls'", sczId);
         ++cCertificates;
 
         ReleaseNullMem(pExistingSniSslSet);
+        ReleaseNullMem(pExistingIpSslSet);
     }
 
     // Reaching the end of the list is not an error.
@@ -410,36 +483,39 @@ static UINT SchedHttpSniSslCerts(
     {
         hr = S_OK;
     }
-    ExitOnFailure(hr, "Failure occurred while processing Wix4HttpSniSslCert table");
+    ExitOnFailure(hr, "Failure occurred while processing Wix6HttpCertificate table");
+
+    WcaLog(LOGMSG_VERBOSE, "Scheduling %d certificates", cCertificates);
 
     // Schedule ExecHttpSniSslCerts if there's anything to do.
     if (cCertificates)
     {
-        WcaLog(LOGMSG_STANDARD, "Scheduling SNI SSL certificate (%ls)", sczCustomActionData);
-        WcaLog(LOGMSG_STANDARD, "Scheduling rollback SNI SSL certificate (%ls)", sczRollbackCustomActionData);
+        WcaLog(LOGMSG_TRACEONLY, "Scheduling SSL certificate: `%ls`", sczCustomActionData);
+        WcaLog(LOGMSG_TRACEONLY, "Scheduling rollback SSL certificate: `%ls`", sczRollbackCustomActionData);
 
         if (WCA_TODO_INSTALL == todoSched)
         {
-            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION(L"RollbackHttpSniSslCertsInstall"), sczRollbackCustomActionData, cCertificates * COST_HTTP_SNI_SSL);
-            ExitOnFailure(hr, "Failed to schedule install SNI SSL certificate rollback");
-            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION(L"ExecHttpSniSslCertsInstall"), sczCustomActionData, cCertificates * COST_HTTP_SNI_SSL);
-            ExitOnFailure(hr, "Failed to schedule install SNI SSL certificate execution");
+            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION6(L"RollbackHttpCertificatesInstall"), sczRollbackCustomActionData, cCertificates * COST_HTTP_SNI_SSL);
+            ExitOnFailure(hr, "Failed to schedule install SSL certificate rollback");
+            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION6(L"ExecHttpCertificatesInstall"), sczCustomActionData, cCertificates * COST_HTTP_SNI_SSL);
+            ExitOnFailure(hr, "Failed to schedule install SSL certificate execution");
         }
         else
         {
-            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION(L"RollbackHttpSniSslCertsUninstall"), sczRollbackCustomActionData, cCertificates * COST_HTTP_SNI_SSL);
-            ExitOnFailure(hr, "Failed to schedule uninstall SNI SSL certificate rollback");
-            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION(L"ExecHttpSniSslCertsUninstall"), sczCustomActionData, cCertificates * COST_HTTP_SNI_SSL);
-            ExitOnFailure(hr, "Failed to schedule uninstall SNI SSL certificate execution");
+            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION6(L"RollbackHttpCertificatesUninstall"), sczRollbackCustomActionData, cCertificates * COST_HTTP_SNI_SSL);
+            ExitOnFailure(hr, "Failed to schedule uninstall SSL certificate rollback");
+            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION6(L"ExecHttpCertificatesUninstall"), sczCustomActionData, cCertificates * COST_HTTP_SNI_SSL);
+            ExitOnFailure(hr, "Failed to schedule uninstall SSL certificate execution");
         }
     }
     else
     {
-        WcaLog(LOGMSG_STANDARD, "No SNI SSL certificates scheduled");
+        WcaLog(LOGMSG_STANDARD, "No SNI SSL certificates scheduled.");
     }
 
 LExit:
     ReleaseMem(pExistingSniSslSet);
+    ReleaseMem(pExistingIpSslSet);
     ReleaseStr(sczCertificateStore);
     ReleaseStr(sczAppId);
     ReleaseStr(sczCertificateThumbprint);
@@ -457,133 +533,171 @@ LExit:
     return WcaFinalize(er = FAILED(hr) ? ERROR_INSTALL_FAILURE : er);
 }
 
-static HRESULT WriteExistingSniSslCert(
-    __in WCA_TODO action,
-    __in_z LPCWSTR wzId,
-    __in_z LPCWSTR wzHost,
-    __in int iPort,
-    __in int iHandleExisting,
-    __in HTTP_SERVICE_CONFIG_SSL_SNI_SET* pSniSslSet,
-    __inout_z LPWSTR* psczCustomActionData
+static HRESULT FindExistingSniSslCertificate(
+    __in_z LPWSTR wzHost,
+    __in int nPort,
+    __out HTTP_SERVICE_CONFIG_SSL_SNI_SET** ppSet
 )
 {
     HRESULT hr = S_OK;
-    LPWSTR sczCertificateThumbprint = NULL;
-    LPWSTR sczAppId = NULL;
-    LPCWSTR wzCertificateStore = NULL;
+    DWORD er = ERROR_SUCCESS;
+    HTTP_SERVICE_CONFIG_SSL_SNI_QUERY query = { };
+    HTTP_SERVICE_CONFIG_SSL_SNI_SET* pSet = NULL;
+    ULONG cbSet = 0;
 
-    if (pSniSslSet)
-    {
-        hr = StrAllocHexEncode(reinterpret_cast<BYTE*>(pSniSslSet->ParamDesc.pSslHash), pSniSslSet->ParamDesc.SslHashLength, &sczCertificateThumbprint);
-        ExitOnFailure(hr, "Failed to convert existing certificate thumbprint to hex for Wix4HttpSniSslCert '%ls'", wzId);
+    *ppSet = NULL;
 
-        hr = StringFromGuid(pSniSslSet->ParamDesc.AppId, &sczAppId);
-        ExitOnFailure(hr, "Failed to copy existing AppId for Wix4HttpSniSslCert '%ls'", wzId);
+    query.QueryDesc = HttpServiceConfigQueryExact;
+    SetSniSslCertificateKeyPort(&query.KeyDesc, wzHost, nPort);
 
-        wzCertificateStore = pSniSslSet->ParamDesc.pSslCertStoreName;
+    WcaLog(LOGMSG_TRACEONLY, "Querying for SNI SSL certificate on port %d...", nPort);
+
+    er = ::HttpQueryServiceConfiguration(NULL, HttpServiceConfigSslSniCertInfo, &query, sizeof(query), pSet, cbSet, &cbSet, NULL);
+    if (ERROR_INSUFFICIENT_BUFFER == er)
+    {
+        pSet = reinterpret_cast<HTTP_SERVICE_CONFIG_SSL_SNI_SET*>(MemAlloc(cbSet, TRUE));
+        ExitOnNull(pSet, hr, E_OUTOFMEMORY, "Failed to allocate query SN SSL certificate buffer");
+
+        er = ::HttpQueryServiceConfiguration(NULL, HttpServiceConfigSslSniCertInfo, &query, sizeof(query), pSet, cbSet, &cbSet, NULL);
     }
 
-    hr = WriteSniSslCert(action, wzId, wzHost, iPort, iHandleExisting, sczCertificateThumbprint ? sczCertificateThumbprint : L"", sczAppId ? sczAppId : L"", wzCertificateStore ? wzCertificateStore : L"", psczCustomActionData);
-    ExitOnFailure(hr, "Failed to write custom action data for Wix4HttpSniSslCert '%ls'", wzId);
+    if (ERROR_SUCCESS == er)
+    {
+        *ppSet = pSet;
+        pSet = NULL;
+    }
+    else if (ERROR_FILE_NOT_FOUND == er || ERROR_NO_MORE_ITEMS == er)
+    {
+        hr = S_FALSE;
+    }
+    else
+    {
+        hr = HRESULT_FROM_WIN32(er);
+    }
 
 LExit:
-    ReleaseStr(sczAppId);
-    ReleaseStr(sczCertificateThumbprint);
+    ReleaseMem(pSet);
 
     return hr;
 }
 
-static HRESULT WriteSniSslCert(
-    __in WCA_TODO action,
-    __in_z LPCWSTR wzId,
-    __in_z LPCWSTR wzHost,
-    __in int iPort,
-    __in int iHandleExisting,
-    __in_z LPCWSTR wzCertificateThumbprint,
-    __in_z LPCWSTR wzAppId,
-    __in_z_opt LPCWSTR wzCertificateStore,
-    __inout_z LPWSTR* psczCustomActionData
+static HRESULT FindExistingIpSslCertificate(
+    __in int nPort,
+    __out HTTP_SERVICE_CONFIG_SSL_SET** ppSet
 )
 {
     HRESULT hr = S_OK;
+    DWORD er = ERROR_SUCCESS;
+    HTTP_SERVICE_CONFIG_SSL_QUERY query = { };
+    SOCKADDR_IN sin = { };
+    HTTP_SERVICE_CONFIG_SSL_SET* pSet = NULL;
+    ULONG cbSet = 0;
 
-    hr = WcaWriteIntegerToCaData(action, psczCustomActionData);
-    ExitOnFailure(hr, "Failed to write action to custom action data");
-
-    hr = WcaWriteStringToCaData(wzId, psczCustomActionData);
-    ExitOnFailure(hr, "Failed to write id to custom action data");
+    *ppSet = NULL;
 
-    hr = WcaWriteStringToCaData(wzHost, psczCustomActionData);
-    ExitOnFailure(hr, "Failed to write Host to custom action data");
+    query.QueryDesc = HttpServiceConfigQueryNext;
 
-    hr = WcaWriteIntegerToCaData(iPort, psczCustomActionData);
-    ExitOnFailure(hr, "Failed to write Port to custom action data");
+    SetIpSslCertificateKeyPort(&query.KeyDesc, &sin, nPort);
 
-    hr = WcaWriteIntegerToCaData(iHandleExisting, psczCustomActionData);
-    ExitOnFailure(hr, "Failed to write HandleExisting to custom action data");
+    WcaLog(LOGMSG_TRACEONLY, "Querying for IP SSL certificate on port %d...", nPort);
 
-    hr = WcaWriteStringToCaData(wzCertificateThumbprint, psczCustomActionData);
-    ExitOnFailure(hr, "Failed to write CertificateThumbprint to custom action data");
+    er = ::HttpQueryServiceConfiguration(NULL, HttpServiceConfigSSLCertInfo, &query, sizeof(query), pSet, cbSet, &cbSet, NULL);
+    if (ERROR_INSUFFICIENT_BUFFER == er)
+    {
+        pSet = reinterpret_cast<HTTP_SERVICE_CONFIG_SSL_SET*>(MemAlloc(cbSet, TRUE));
+        ExitOnNull(pSet, hr, E_OUTOFMEMORY, "Failed to allocate query IP SSL certificate buffer");
 
-    hr = WcaWriteStringToCaData(wzAppId, psczCustomActionData);
-    ExitOnFailure(hr, "Failed to write AppId to custom action data");
+        er = ::HttpQueryServiceConfiguration(NULL, HttpServiceConfigSSLCertInfo, &query, sizeof(query), pSet, cbSet, &cbSet, NULL);
+    }
 
-    hr = WcaWriteStringToCaData(wzCertificateStore ? wzCertificateStore : L"", psczCustomActionData);
-    ExitOnFailure(hr, "Failed to write CertificateStore to custom action data");
+    if (ERROR_SUCCESS == er)
+    {
+        *ppSet = pSet;
+        pSet = NULL;
+    }
+    else if (ERROR_FILE_NOT_FOUND == er || ERROR_NO_MORE_ITEMS == er)
+    {
+        hr = S_FALSE;
+    }
+    else
+    {
+        hr = HRESULT_FROM_WIN32(er);
+    }
 
 LExit:
+    ReleaseMem(pSet);
+
     return hr;
 }
 
-static HRESULT EnsureAppId(
-    __inout_z LPWSTR* psczAppId,
-    __in_opt HTTP_SERVICE_CONFIG_SSL_SNI_SET* pExistingSniSslSet
+static HRESULT WriteSniSslCertCustomActionData(
+    __in WCA_TODO action,
+    __in_z LPCWSTR wzId,
+    __in_z LPCWSTR wzHost,
+    __in int iPort,
+    __in int iHandleExisting,
+    __in HTTP_SERVICE_CONFIG_SSL_SNI_SET* pSniSslSet,
+    __inout_z LPWSTR* psczCustomActionData
 )
 {
     HRESULT hr = S_OK;
-    RPC_STATUS rs = RPC_S_OK;
-    GUID guid = { };
+    LPWSTR sczCertificateThumbprint = NULL;
+    LPWSTR sczAppId = NULL;
+    LPCWSTR wzCertificateStore = NULL;
 
-    if (!psczAppId || !*psczAppId || !**psczAppId)
+    if (pSniSslSet)
     {
-        if (pExistingSniSslSet)
-        {
-            hr = StringFromGuid(pExistingSniSslSet->ParamDesc.AppId, psczAppId);
-            ExitOnFailure(hr, "Failed to ensure AppId guid");
-        }
-        else
-        {
-            rs = ::UuidCreate(&guid);
-            hr = HRESULT_FROM_RPC(rs);
-            ExitOnRootFailure(hr, "Failed to create guid for AppId");
+        hr = StrAllocHexEncode(reinterpret_cast<BYTE*>(pSniSslSet->ParamDesc.pSslHash), pSniSslSet->ParamDesc.SslHashLength, &sczCertificateThumbprint);
+        ExitOnFailure(hr, "Failed to convert existing certificate thumbprint to hex for Wix6HttpCertificate '%ls'", wzId);
 
-            hr = StringFromGuid(guid, psczAppId);
-            ExitOnFailure(hr, "Failed to ensure AppId guid");
-        }
+        hr = StringFromGuid(pSniSslSet->ParamDesc.AppId, &sczAppId);
+        ExitOnFailure(hr, "Failed to copy existing AppId for Wix6HttpCertificate '%ls'", wzId);
+
+        wzCertificateStore = pSniSslSet->ParamDesc.pSslCertStoreName;
     }
 
+    hr = WriteCertificateCaData(ctSniSsl, action, wzId, wzHost, iPort, iHandleExisting, sczCertificateThumbprint ? sczCertificateThumbprint : L"", sczAppId ? sczAppId : L"", wzCertificateStore ? wzCertificateStore : L"", psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write custom action data for Wix6HttpCertificate '%ls'", wzId);
+
 LExit:
+    ReleaseStr(sczAppId);
+    ReleaseStr(sczCertificateThumbprint);
+
     return hr;
 }
 
-static HRESULT StringFromGuid(
-    __in REFGUID rguid,
-    __inout_z LPWSTR* psczGuid
+static HRESULT WriteIpSslCertCustomActionData(
+    __in WCA_TODO action,
+    __in_z LPCWSTR wzId,
+    __in int iPort,
+    __in int iHandleExisting,
+    __in HTTP_SERVICE_CONFIG_SSL_SET* pSslSet,
+    __inout_z LPWSTR* psczCustomActionData
 )
 {
     HRESULT hr = S_OK;
-    WCHAR wzGuid[39];
+    LPWSTR sczCertificateThumbprint = NULL;
+    LPWSTR sczAppId = NULL;
+    LPCWSTR wzCertificateStore = NULL;
 
-    if (!::StringFromGUID2(rguid, wzGuid, countof(wzGuid)))
+    if (pSslSet)
     {
-        hr = E_OUTOFMEMORY;
-        ExitOnRootFailure(hr, "Failed to convert guid into string");
+        hr = StrAllocHexEncode(reinterpret_cast<BYTE*>(pSslSet->ParamDesc.pSslHash), pSslSet->ParamDesc.SslHashLength, &sczCertificateThumbprint);
+        ExitOnFailure(hr, "Failed to convert existing IP SSL certificate thumbprint to hex for Wix6HttpCertificate '%ls'", wzId);
+
+        hr = StringFromGuid(pSslSet->ParamDesc.AppId, &sczAppId);
+        ExitOnFailure(hr, "Failed to copy existing IP SSL AppId for Wix6HttpCertificate '%ls'", wzId);
+
+        wzCertificateStore = pSslSet->ParamDesc.pSslCertStoreName;
     }
 
-    hr = StrAllocString(psczGuid, wzGuid, 0);
-    ExitOnFailure(hr, "Failed to copy guid");
+    hr = WriteCertificateCaData(ctIpSsl, action, wzId, /*wzHost*/NULL, iPort, iHandleExisting, sczCertificateThumbprint ? sczCertificateThumbprint : L"", sczAppId ? sczAppId : L"", wzCertificateStore ? wzCertificateStore : L"", psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write custom action data for IP SSL Wix6HttpCertificate '%ls'", wzId);
 
 LExit:
+    ReleaseStr(sczAppId);
+    ReleaseStr(sczCertificateThumbprint);
+
     return hr;
 }
 
@@ -601,7 +715,7 @@ static HRESULT AddSniSslCert(
     DWORD er = ERROR_SUCCESS;
     HTTP_SERVICE_CONFIG_SSL_SNI_SET set = { };
 
-    SetSniSslCertSetKey(&set.KeyDesc, wzHost, iPort);
+    SetSniSslCertificateKeyPort(&set.KeyDesc, wzHost, iPort);
     set.ParamDesc.SslHashLength = cbCertificateThumbprint;
     set.ParamDesc.pSslHash = rgbCertificateThumbprint;
     set.ParamDesc.AppId = *pAppId;
@@ -620,38 +734,28 @@ static HRESULT AddSniSslCert(
     return hr;
 }
 
-static HRESULT GetSniSslCert(
-    __in_z LPWSTR wzHost,
-    __in int nPort,
-    __out HTTP_SERVICE_CONFIG_SSL_SNI_SET** ppSet
+static HRESULT AddIpSslCert(
+    __in_z LPCWSTR /*wzId*/,
+    __in int iPort,
+    __in BYTE rgbCertificateThumbprint[],
+    __in DWORD cbCertificateThumbprint,
+    __in GUID* pAppId,
+    __in_z LPWSTR wzSslCertStore
 )
 {
     HRESULT hr = S_OK;
     DWORD er = ERROR_SUCCESS;
-    HTTP_SERVICE_CONFIG_SSL_SNI_QUERY query = { };
-    HTTP_SERVICE_CONFIG_SSL_SNI_SET* pSet = NULL;
-    ULONG cbSet = 0;
-
-    *ppSet = NULL;
-
-    query.QueryDesc = HttpServiceConfigQueryExact;
-    SetSniSslCertSetKey(&query.KeyDesc, wzHost, nPort);
-
-    er = ::HttpQueryServiceConfiguration(NULL, HttpServiceConfigSslSniCertInfo, &query, sizeof(query), pSet, cbSet, &cbSet, NULL);
-    if (ERROR_INSUFFICIENT_BUFFER == er)
-    {
-        pSet = reinterpret_cast<HTTP_SERVICE_CONFIG_SSL_SNI_SET*>(MemAlloc(cbSet, TRUE));
-        ExitOnNull(pSet, hr, E_OUTOFMEMORY, "Failed to allocate query SN SSL certificate buffer");
+    HTTP_SERVICE_CONFIG_SSL_SET set = { };
+    SOCKADDR_IN sin = { };
 
-        er = ::HttpQueryServiceConfiguration(NULL, HttpServiceConfigSslSniCertInfo, &query, sizeof(query), pSet, cbSet, &cbSet, NULL);
-    }
+    SetIpSslCertificateKeyPort(&set.KeyDesc, &sin, iPort);
+    set.ParamDesc.SslHashLength = cbCertificateThumbprint;
+    set.ParamDesc.pSslHash = rgbCertificateThumbprint;
+    set.ParamDesc.AppId = *pAppId;
+    set.ParamDesc.pSslCertStoreName = wzSslCertStore;
 
-    if (ERROR_SUCCESS == er)
-    {
-        *ppSet = pSet;
-        pSet = NULL;
-    }
-    else if (ERROR_FILE_NOT_FOUND == er)
+    er = ::HttpSetServiceConfiguration(NULL, HttpServiceConfigSSLCertInfo, &set, sizeof(set), NULL);
+    if (ERROR_ALREADY_EXISTS == er)
     {
         hr = S_FALSE;
     }
@@ -660,14 +764,11 @@ static HRESULT GetSniSslCert(
         hr = HRESULT_FROM_WIN32(er);
     }
 
-LExit:
-    ReleaseMem(pSet);
-
     return hr;
 }
 
 static HRESULT RemoveSniSslCert(
-    __in_z LPCWSTR /*wzId*/,
+    __in_z_opt LPCWSTR /*wzId*/,
     __in_z LPWSTR wzHost,
     __in int iPort
 )
@@ -676,10 +777,35 @@ static HRESULT RemoveSniSslCert(
     DWORD er = ERROR_SUCCESS;
     HTTP_SERVICE_CONFIG_SSL_SNI_SET set = { };
 
-    SetSniSslCertSetKey(&set.KeyDesc, wzHost, iPort);
+    SetSniSslCertificateKeyPort(&set.KeyDesc, wzHost, iPort);
 
     er = ::HttpDeleteServiceConfiguration(NULL, HttpServiceConfigSslSniCertInfo, &set, sizeof(set), NULL);
-    if (ERROR_FILE_NOT_FOUND == er)
+    if (ERROR_FILE_NOT_FOUND == er || ERROR_NO_MORE_ITEMS == er)
+    {
+        hr = S_FALSE;
+    }
+    else
+    {
+        hr = HRESULT_FROM_WIN32(er);
+    }
+
+    return hr;
+}
+
+static HRESULT RemoveIpSslCert(
+    __in_z_opt LPCWSTR /*wzId*/,
+    __in int iPort
+)
+{
+    HRESULT hr = S_OK;
+    DWORD er = ERROR_SUCCESS;
+    HTTP_SERVICE_CONFIG_SSL_SET set = { };
+    SOCKADDR_IN sin = { };
+
+    SetIpSslCertificateKeyPort(&set.KeyDesc, &sin, iPort);
+
+    er = ::HttpDeleteServiceConfiguration(NULL, HttpServiceConfigSSLCertInfo, &set, sizeof(set), NULL);
+    if (ERROR_FILE_NOT_FOUND == er || ERROR_NO_MORE_ITEMS == er)
     {
         hr = S_FALSE;
     }
@@ -691,7 +817,7 @@ static HRESULT RemoveSniSslCert(
     return hr;
 }
 
-static void SetSniSslCertSetKey(
+static void SetSniSslCertificateKeyPort(
     __in HTTP_SERVICE_CONFIG_SSL_SNI_KEY* pKey,
     __in_z LPWSTR wzHost,
     __in int iPort
@@ -702,3 +828,111 @@ static void SetSniSslCertSetKey(
     pss->sin_family = AF_INET;
     pss->sin_port = htons(static_cast<USHORT>(iPort));
 }
+
+static void SetIpSslCertificateKeyPort(
+    __in HTTP_SERVICE_CONFIG_SSL_KEY* pKey,
+    __in SOCKADDR_IN* pSin,
+    __in int iPort
+)
+{
+    pSin->sin_family = AF_INET;
+    pSin->sin_port = htons(static_cast<USHORT>(iPort));
+    pKey->pIpPort = reinterpret_cast<PSOCKADDR>(pSin);
+}
+
+static HRESULT EnsureAppId(
+    __inout_z LPWSTR* psczAppId,
+    __in_opt GUID* pGuid
+)
+{
+    HRESULT hr = S_OK;
+    GUID guid = { };
+
+    if (!psczAppId || !*psczAppId || !**psczAppId)
+    {
+        if (pGuid)
+        {
+            hr = StringFromGuid(*pGuid, psczAppId);
+            ExitOnFailure(hr, "Failed to ensure AppId guid");
+        }
+        else
+        {
+            hr = HRESULT_FROM_RPC(::UuidCreate(&guid));
+            ExitOnRootFailure(hr, "Failed to create guid for AppId");
+
+            hr = StringFromGuid(guid, psczAppId);
+            ExitOnFailure(hr, "Failed to ensure AppId guid");
+        }
+    }
+
+LExit:
+    return hr;
+}
+
+static HRESULT StringFromGuid(
+    __in REFGUID rguid,
+    __inout_z LPWSTR* psczGuid
+)
+{
+    HRESULT hr = S_OK;
+    WCHAR wzGuid[39];
+
+    if (!::StringFromGUID2(rguid, wzGuid, countof(wzGuid)))
+    {
+        hr = E_OUTOFMEMORY;
+        ExitOnRootFailure(hr, "Failed to convert guid into string");
+    }
+
+    hr = StrAllocString(psczGuid, wzGuid, 0);
+    ExitOnFailure(hr, "Failed to copy guid");
+
+LExit:
+    return hr;
+}
+
+static HRESULT WriteCertificateCaData(
+    __in eCertificateType certType,
+    __in WCA_TODO action,
+    __in_z LPCWSTR wzId,
+    __in_z_opt LPCWSTR wzHost,
+    __in int iPort,
+    __in int iHandleExisting,
+    __in_z LPCWSTR wzCertificateThumbprint,
+    __in_z_opt LPCWSTR wzAppId,
+    __in_z_opt LPCWSTR wzCertificateStore,
+    __inout_z LPWSTR* psczCustomActionData
+)
+{
+    HRESULT hr = S_OK;
+
+    hr = WcaWriteIntegerToCaData(certType, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write IP SSL certificate type to custom action data");
+
+    hr = WcaWriteIntegerToCaData(action, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write action to custom action data");
+
+    hr = WcaWriteStringToCaData(wzId, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write id to custom action data");
+
+    hr = WcaWriteStringToCaData(wzHost ? wzHost : L"", psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write Host to custom action data");
+
+    hr = WcaWriteIntegerToCaData(iPort, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write Port to custom action data");
+
+    hr = WcaWriteIntegerToCaData(iHandleExisting, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write HandleExisting to custom action data");
+
+    hr = WcaWriteStringToCaData(wzCertificateThumbprint, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write CertificateThumbprint to custom action data");
+
+    hr = WcaWriteStringToCaData(wzAppId ? wzAppId : L"", psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write AppId to custom action data");
+
+    hr = WcaWriteStringToCaData(wzCertificateStore ? wzCertificateStore : L"", psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write CertificateStore to custom action data");
+
+LExit:
+    return hr;
+}
+
diff --git a/src/ext/Http/ca/precomp.h b/src/ext/Http/ca/precomp.h
index 42287cb2..bbd79ccf 100644
--- a/src/ext/Http/ca/precomp.h
+++ b/src/ext/Http/ca/precomp.h
@@ -23,3 +23,9 @@ enum eHandleExisting
     heIgnore = 1,
     heFail = 2
 };
+
+enum eCertificateType
+{
+    ctSniSsl = 0,
+    ctIpSsl = 1,
+};
diff --git a/src/ext/Http/ca/wixhttpca.def b/src/ext/Http/ca/wixhttpca.def
index 281c5631..244bd987 100644
--- a/src/ext/Http/ca/wixhttpca.def
+++ b/src/ext/Http/ca/wixhttpca.def
@@ -7,6 +7,6 @@ EXPORTS
         SchedHttpUrlReservationsInstall
         SchedHttpUrlReservationsUninstall
         ExecHttpUrlReservations
-        SchedHttpSniSslCertsInstall
-        SchedHttpSniSslCertsUninstall
-        ExecHttpSniSslCerts
+        SchedHttpCertificatesInstall
+        SchedHttpCertificatesUninstall
+        ExecHttpCertificates