Add support for configuring SNI SSL certificates

18 files changed, 1063 insertions, 15 deletions

diff --git a/src/ca/cost.h b/src/ca/cost.h
index 283758b0..9677e7e8 100644
--- a/src/ca/cost.h
+++ b/src/ca/cost.h
@@ -3,3 +3,4 @@
 
 
 const UINT COST_HTTP_URL_ACL = 2000;
+const UINT COST_HTTP_SNI_SSL = 2000;
diff --git a/src/ca/httpca.vcxproj b/src/ca/httpca.vcxproj
index 9abe7598..fde00ff4 100644
--- a/src/ca/httpca.vcxproj
+++ b/src/ca/httpca.vcxproj
@@ -3,7 +3,7 @@
 <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <Import Project="..\..\packages\WixToolset.DUtil.4.0.56\build\WixToolset.DUtil.props" Condition="Exists('..\..\packages\WixToolset.DUtil.4.0.56\build\WixToolset.DUtil.props')" />
   <Import Project="..\..\packages\WixToolset.WcaUtil.4.0.17\build\WixToolset.WcaUtil.props" Condition="Exists('..\..\packages\WixToolset.WcaUtil.4.0.17\build\WixToolset.WcaUtil.props')" />
-  
+
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|Win32">
       <Configuration>Debug</Configuration>
@@ -13,7 +13,7 @@
       <Configuration>Release</Configuration>
       <Platform>Win32</Platform>
     </ProjectConfiguration>
-      <ProjectConfiguration Include="Debug|x64">
+    <ProjectConfiguration Include="Debug|x64">
       <Configuration>Debug</Configuration>
       <Platform>x64</Platform>
     </ProjectConfiguration>
@@ -30,7 +30,7 @@
       <Platform>ARM64</Platform>
     </ProjectConfiguration>
   </ItemGroup>
-  
+
   <PropertyGroup Label="Globals">
     <ProjectGuid>{90743805-C043-47C7-B5FF-8F5EE5C8A2DE}</ProjectGuid>
     <ConfigurationType>DynamicLibrary</ConfigurationType>
@@ -40,27 +40,28 @@
     <ProjectModuleDefinitionFile>wixhttpca.def</ProjectModuleDefinitionFile>
     <Description>WiX Toolset Http CustomAction</Description>
   </PropertyGroup>
-  
+
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
-  
+
   <PropertyGroup>
-    <ProjectAdditionalLinkLibraries>crypt32.lib;httpapi.lib;msi.lib</ProjectAdditionalLinkLibraries>
+    <ProjectAdditionalLinkLibraries>crypt32.lib;httpapi.lib;msi.lib;rpcrt4.lib;ws2_32.lib</ProjectAdditionalLinkLibraries>
   </PropertyGroup>
-  
+
   <ItemGroup>
     <ClCompile Include="dllmain.cpp">
       <PrecompiledHeader>Create</PrecompiledHeader>
     </ClCompile>
+    <ClCompile Include="snisslcert.cpp" />
     <ClCompile Include="wixhttpca.cpp" />
     <ClInclude Include="cost.h" />
     <ClInclude Include="precomp.h" />
     <None Include="packages.config" />
     <None Include="wixhttpca.def" />
   </ItemGroup>
-  
+
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
-  
+
   <Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
     <PropertyGroup>
       <ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them.  For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
@@ -68,4 +69,4 @@
     <Error Condition="!Exists('..\..\packages\WixToolset.DUtil.4.0.56\build\WixToolset.DUtil.props')" Text="$([System.String]::Format('$(ErrorText)', '..\..\packages\WixToolset.DUtil.4.0.56\build\WixToolset.DUtil.props'))" />
     <Error Condition="!Exists('..\..\packages\WixToolset.WcaUtil.4.0.17\build\WixToolset.WcaUtil.props')" Text="$([System.String]::Format('$(ErrorText)', '..\..\packages\WixToolset.WcaUtil.4.0.17\build\WixToolset.WcaUtil.props'))" />
   </Target>
-</Project>
\ No newline at end of file
+</Project>
diff --git a/src/ca/httpca.vcxproj.filters b/src/ca/httpca.vcxproj.filters
index 979b9ef3..2ccd604d 100644
--- a/src/ca/httpca.vcxproj.filters
+++ b/src/ca/httpca.vcxproj.filters
@@ -21,6 +21,9 @@
     <ClCompile Include="dllmain.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="snisslcert.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="precomp.h">
diff --git a/src/ca/precomp.h b/src/ca/precomp.h
index d5143dac..c78d78c1 100644
--- a/src/ca/precomp.h
+++ b/src/ca/precomp.h
@@ -16,3 +16,10 @@
 #include "cost.h"
 
 #include "caDecor.h"
+
+enum eHandleExisting
+{
+    heReplace = 0,
+    heIgnore = 1,
+    heFail = 2
+};
diff --git a/src/ca/snisslcert.cpp b/src/ca/snisslcert.cpp
new file mode 100644
index 00000000..466ef0b9
--- /dev/null
+++ b/src/ca/snisslcert.cpp
@@ -0,0 +1,704 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+#include "precomp.h"
+
+#if _WIN32_WINNT < 0x0602
+
+typedef struct _HTTP_SERVICE_CONFIG_SSL_SNI_KEY
+{
+    SOCKADDR_STORAGE IpPort;
+    PWSTR Host;
+} HTTP_SERVICE_CONFIG_SSL_SNI_KEY, * PHTTP_SERVICE_CONFIG_SSL_SNI_KEY;
+
+typedef struct _HTTP_SERVICE_CONFIG_SSL_SNI_SET
+{
+    HTTP_SERVICE_CONFIG_SSL_SNI_KEY KeyDesc;
+    HTTP_SERVICE_CONFIG_SSL_PARAM   ParamDesc;
+} HTTP_SERVICE_CONFIG_SSL_SNI_SET, * PHTTP_SERVICE_CONFIG_SSL_SNI_SET;
+
+typedef struct _HTTP_SERVICE_CONFIG_SSL_SNI_QUERY
+{
+    HTTP_SERVICE_CONFIG_QUERY_TYPE  QueryDesc;
+    HTTP_SERVICE_CONFIG_SSL_SNI_KEY KeyDesc;
+    DWORD                           dwToken;
+} HTTP_SERVICE_CONFIG_SSL_SNI_QUERY, * PHTTP_SERVICE_CONFIG_SSL_SNI_QUERY;
+
+#define HttpServiceConfigSslSniCertInfo static_cast<HTTP_SERVICE_CONFIG_ID>(HttpServiceConfigCache + 1)
+
+#endif
+
+static UINT SchedHttpSniSslCerts(
+    __in WCA_TODO todoSched
+);
+static HRESULT WriteExistingSniSslCert(
+    __in WCA_TODO action,
+    __in_z LPCWSTR wzId,
+    __in_z LPCWSTR wzHost,
+    __in int iPort,
+    __in int iHandleExisting,
+    __in HTTP_SERVICE_CONFIG_SSL_SNI_SET* pSniSslSet,
+    __inout_z LPWSTR* psczCustomActionData
+);
+static HRESULT WriteSniSslCert(
+    __in WCA_TODO action,
+    __in_z LPCWSTR wzId,
+    __in_z LPCWSTR wzHost,
+    __in int iPort,
+    __in int iHandleExisting,
+    __in_z LPCWSTR wzCertificateThumbprint,
+    __in_z LPCWSTR wzAppId,
+    __in_z_opt LPCWSTR wzCertificateStore,
+    __inout_z LPWSTR* psczCustomActionData
+);
+static HRESULT EnsureAppId(
+    __inout_z LPWSTR* psczAppId,
+    __in_opt HTTP_SERVICE_CONFIG_SSL_SNI_SET* pExistingSniSslSet
+);
+static HRESULT StringFromGuid(
+    __in REFGUID rguid,
+    __inout_z LPWSTR* psczGuid
+);
+static HRESULT AddSniSslCert(
+    __in_z LPCWSTR wzId,
+    __in_z LPWSTR wzHost,
+    __in int iPort,
+    __in BYTE rgbCertificateThumbprint[],
+    __in DWORD cbCertificateThumbprint,
+    __in GUID* pAppId,
+    __in_z LPWSTR wzSslCertStore
+);
+static HRESULT GetSniSslCert(
+    __in_z LPWSTR wzHost,
+    __in int nPort,
+    __out HTTP_SERVICE_CONFIG_SSL_SNI_SET** ppSet
+);
+static HRESULT RemoveSniSslCert(
+    __in_z LPCWSTR wzId,
+    __in_z LPWSTR wzHost,
+    __in int iPort
+);
+static void SetSniSslCertSetKey(
+    __in HTTP_SERVICE_CONFIG_SSL_SNI_KEY* pKey,
+    __in_z LPWSTR wzHost,
+    __in int iPort
+);
+
+
+LPCWSTR vcsWixHttpSniSslCertQuery =
+L"SELECT `WixHttpSniSslCert`.`WixHttpSniSslCert`, `WixHttpSniSslCert`.`Host`, `WixHttpSniSslCert`.`Port`, `WixHttpSniSslCert`.`Thumbprint`, `WixHttpSniSslCert`.`AppId`, `WixHttpSniSslCert`.`Store`, `WixHttpSniSslCert`.`HandleExisting`, `WixHttpSniSslCert`.`Component_` "
+L"FROM `WixHttpSniSslCert`";
+enum eWixHttpSniSslCertQuery { hurqId = 1, hurqHost, hurqPort, hurqCertificateThumbprint, hurqAppId, hurqCertificateStore, hurqHandleExisting, hurqComponent };
+
+/******************************************************************
+ SchedWixHttpSniSslCertsInstall - immediate custom action entry
+   point to prepare adding URL reservations.
+
+********************************************************************/
+extern "C" UINT __stdcall SchedHttpSniSslCertsInstall(
+    __in MSIHANDLE hInstall
+)
+{
+    HRESULT hr = S_OK;
+
+    hr = WcaInitialize(hInstall, "SchedHttpSniSslCertsInstall");
+    ExitOnFailure(hr, "Failed to initialize");
+
+    hr = SchedHttpSniSslCerts(WCA_TODO_INSTALL);
+
+LExit:
+    return WcaFinalize(FAILED(hr) ? ERROR_INSTALL_FAILURE : ERROR_SUCCESS);
+}
+
+/******************************************************************
+ SchedWixHttpSniSslCertsUninstall - immediate custom action entry
+   point to prepare removing URL reservations.
+
+********************************************************************/
+extern "C" UINT __stdcall SchedHttpSniSslCertsUninstall(
+    __in MSIHANDLE hInstall
+)
+{
+    HRESULT hr = S_OK;
+
+    hr = WcaInitialize(hInstall, "SchedHttpSniSslCertsUninstall");
+    ExitOnFailure(hr, "Failed to initialize");
+
+    hr = SchedHttpSniSslCerts(WCA_TODO_UNINSTALL);
+
+LExit:
+    return WcaFinalize(FAILED(hr) ? ERROR_INSTALL_FAILURE : ERROR_SUCCESS);
+}
+
+/******************************************************************
+ ExecHttpSniSslCerts - deferred custom action entry point to
+   register and remove URL reservations.
+
+********************************************************************/
+extern "C" UINT __stdcall ExecHttpSniSslCerts(
+    __in MSIHANDLE hInstall
+)
+{
+    HRESULT hr = S_OK;
+    BOOL fHttpInitialized = FALSE;
+    LPWSTR sczCustomActionData = NULL;
+    LPWSTR wz = NULL;
+    int iTodo = WCA_TODO_UNKNOWN;
+    LPWSTR sczId = NULL;
+    LPWSTR sczHost = NULL;
+    int iPort = 0;
+    eHandleExisting handleExisting = heIgnore;
+    LPWSTR sczCertificateThumbprint = NULL;
+    LPWSTR sczAppId = NULL;
+    LPWSTR sczCertificateStore = NULL;
+
+    BOOL fRollback = ::MsiGetMode(hInstall, MSIRUNMODE_ROLLBACK);
+    BOOL fRemove = FALSE;
+    BOOL fAdd = FALSE;
+    BOOL fFailOnExisting = FALSE;
+
+    GUID guidAppId = { };
+    BYTE* pbCertificateThumbprint = NULL;
+    DWORD cbCertificateThumbprint = 0;
+
+    // Initialize.
+    hr = WcaInitialize(hInstall, "ExecHttpSniSslCerts");
+    ExitOnFailure(hr, "Failed to initialize");
+
+    hr = HRESULT_FROM_WIN32(::HttpInitialize(HTTPAPI_VERSION_1, HTTP_INITIALIZE_CONFIG, NULL));
+    ExitOnFailure(hr, "Failed to initialize HTTP Server configuration");
+
+    fHttpInitialized = TRUE;
+
+    hr = WcaGetProperty(L"CustomActionData", &sczCustomActionData);
+    ExitOnFailure(hr, "Failed to get CustomActionData");
+    WcaLog(LOGMSG_TRACEONLY, "CustomActionData: %ls", sczCustomActionData);
+
+    wz = sczCustomActionData;
+    while (wz && *wz)
+    {
+        // Extract the custom action data and if rolling back, swap INSTALL and UNINSTALL.
+        hr = WcaReadIntegerFromCaData(&wz, &iTodo);
+        ExitOnFailure(hr, "Failed to read todo from custom action data");
+
+        hr = WcaReadStringFromCaData(&wz, &sczId);
+        ExitOnFailure(hr, "Failed to read Id from custom action data");
+
+        hr = WcaReadStringFromCaData(&wz, &sczHost);
+        ExitOnFailure(hr, "Failed to read Host from custom action data");
+
+        hr = WcaReadIntegerFromCaData(&wz, &iPort);
+        ExitOnFailure(hr, "Failed to read Port from custom action data");
+
+        hr = WcaReadIntegerFromCaData(&wz, reinterpret_cast<int*>(&handleExisting));
+        ExitOnFailure(hr, "Failed to read HandleExisting from custom action data");
+
+        hr = WcaReadStringFromCaData(&wz, &sczCertificateThumbprint);
+        ExitOnFailure(hr, "Failed to read CertificateThumbprint from custom action data");
+
+        hr = WcaReadStringFromCaData(&wz, &sczAppId);
+        ExitOnFailure(hr, "Failed to read AppId from custom action data");
+
+        hr = WcaReadStringFromCaData(&wz, &sczCertificateStore);
+        ExitOnFailure(hr, "Failed to read CertificateStore from custom action data");
+
+        switch (iTodo)
+        {
+        case WCA_TODO_INSTALL:
+        case WCA_TODO_REINSTALL:
+            fRemove = heReplace == handleExisting || fRollback;
+            fAdd = !fRollback || *sczCertificateThumbprint;
+            fFailOnExisting = heFail == handleExisting && !fRollback;
+            break;
+
+        case WCA_TODO_UNINSTALL:
+            fRemove = !fRollback;
+            fAdd = fRollback && *sczCertificateThumbprint;
+            fFailOnExisting = FALSE;
+            break;
+        }
+
+        if (fRemove)
+        {
+            hr = RemoveSniSslCert(sczId, sczHost, iPort);
+            if (S_OK == hr)
+            {
+                WcaLog(LOGMSG_STANDARD, "Removed SNI SSL certificate '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+            }
+            else if (FAILED(hr))
+            {
+                if (fRollback)
+                {
+                    WcaLogError(hr, "Failed to remove SNI SSL certificate to rollback '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+                }
+                else
+                {
+                    ExitOnFailure(hr, "Failed to remove SNI SSL certificate '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+                }
+            }
+        }
+
+        if (fAdd)
+        {
+            WcaLog(LOGMSG_STANDARD, "Adding SNI SSL certificate '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+
+            hr = StrAllocHexDecode(sczCertificateThumbprint, &pbCertificateThumbprint, &cbCertificateThumbprint);
+            ExitOnFailure(hr, "Failed to convert thumbprint to bytes for SNI SSL certificate '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+
+            hr = ::IIDFromString(sczAppId, &guidAppId);
+            ExitOnFailure(hr, "Failed to convert AppId '%ls' back to GUID for SNI SSL certificate '%ls' for hostname: %ls:%d", sczAppId, sczId, sczHost, iPort);
+
+            hr = AddSniSslCert(sczId, sczHost, iPort, pbCertificateThumbprint, cbCertificateThumbprint, &guidAppId, sczCertificateStore && *sczCertificateStore ? sczCertificateStore : L"MY");
+            if (S_FALSE == hr && fFailOnExisting)
+            {
+                hr = HRESULT_FROM_WIN32(ERROR_ALREADY_EXISTS);
+            }
+
+            if (S_OK == hr)
+            {
+                WcaLog(LOGMSG_STANDARD, "Added SNI SSL certificate '%ls' for hostname: %ls:%d with thumbprint: %ls", sczId, sczHost, iPort, sczCertificateThumbprint);
+            }
+            else if (FAILED(hr))
+            {
+                if (fRollback)
+                {
+                    WcaLogError(hr, "Failed to add SNI SSL certificate to rollback '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+                }
+                else
+                {
+                    ExitOnFailure(hr, "Failed to add SNI SSL certificate '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+                }
+            }
+
+            ReleaseNullMem(pbCertificateThumbprint);
+        }
+    }
+
+LExit:
+    ReleaseMem(pbCertificateThumbprint);
+    ReleaseStr(sczCertificateStore);
+    ReleaseStr(sczAppId);
+    ReleaseStr(sczCertificateThumbprint);
+    ReleaseStr(sczHost);
+    ReleaseStr(sczId);
+    ReleaseStr(sczCustomActionData);
+
+    if (fHttpInitialized)
+    {
+        ::HttpTerminate(HTTP_INITIALIZE_CONFIG, NULL);
+    }
+
+    return WcaFinalize(FAILED(hr) ? ERROR_INSTALL_FAILURE : ERROR_SUCCESS);
+}
+
+static UINT SchedHttpSniSslCerts(
+    __in WCA_TODO todoSched
+)
+{
+    HRESULT hr = S_OK;
+    UINT er = ERROR_SUCCESS;
+    BOOL fHttpInitialized = FALSE;
+    DWORD cCertificates = 0;
+
+    PMSIHANDLE hView = NULL;
+    PMSIHANDLE hRec = NULL;
+    PMSIHANDLE hQueryReq = NULL;
+    PMSIHANDLE hAceView = NULL;
+
+    LPWSTR sczCustomActionData = NULL;
+    LPWSTR sczRollbackCustomActionData = NULL;
+
+    LPWSTR sczId = NULL;
+    LPWSTR sczComponent = NULL;
+    WCA_TODO todoComponent = WCA_TODO_UNKNOWN;
+    LPWSTR sczHost = NULL;
+    int iPort = 0;
+    LPWSTR sczCertificateThumbprint = NULL;
+    LPWSTR sczAppId = NULL;
+    LPWSTR sczCertificateStore = NULL;
+    int iHandleExisting = 0;
+
+    HTTP_SERVICE_CONFIG_SSL_SNI_SET* pExistingSniSslSet = NULL;
+
+    // Anything to do?
+    hr = WcaTableExists(L"WixHttpSniSslCert");
+    ExitOnFailure(hr, "Failed to check if the WixHttpSniSslCert table exists");
+    if (S_FALSE == hr)
+    {
+        WcaLog(LOGMSG_STANDARD, "WixHttpSniSslCert table doesn't exist, so there are no URL reservations to configure");
+        ExitFunction();
+    }
+
+    // Query and loop through all the SNI SSL certificates.
+    hr = WcaOpenExecuteView(vcsWixHttpSniSslCertQuery, &hView);
+    ExitOnFailure(hr, "Failed to open view on the WixHttpSniSslCert table");
+
+    hr = HRESULT_FROM_WIN32(::HttpInitialize(HTTPAPI_VERSION_1, HTTP_INITIALIZE_CONFIG, NULL));
+    ExitOnFailure(hr, "Failed to initialize HTTP Server configuration");
+
+    fHttpInitialized = TRUE;
+
+    while (S_OK == (hr = WcaFetchRecord(hView, &hRec)))
+    {
+        hr = WcaGetRecordString(hRec, hurqId, &sczId);
+        ExitOnFailure(hr, "Failed to get WixHttpSniSslCert.WixHttpSniSslCert");
+
+        hr = WcaGetRecordString(hRec, hurqComponent, &sczComponent);
+        ExitOnFailure(hr, "Failed to get WixHttpSniSslCert.Component_");
+
+        // Figure out what we're doing for this reservation, treating reinstall the same as install.
+        todoComponent = WcaGetComponentToDo(sczComponent);
+        if ((WCA_TODO_REINSTALL == todoComponent ? WCA_TODO_INSTALL : todoComponent) != todoSched)
+        {
+            WcaLog(LOGMSG_STANDARD, "Component '%ls' action state (%d) doesn't match request (%d) for WixHttpSniSslCert '%ls'", sczComponent, todoComponent, todoSched, sczId);
+            continue;
+        }
+
+        hr = WcaGetRecordFormattedString(hRec, hurqHost, &sczHost);
+        ExitOnFailure(hr, "Failed to get WixHttpSniSslCert.Host");
+
+        hr = WcaGetRecordFormattedInteger(hRec, hurqPort, &iPort);
+        ExitOnFailure(hr, "Failed to get WixHttpSniSslCert.Port");
+
+        hr = WcaGetRecordFormattedString(hRec, hurqCertificateThumbprint, &sczCertificateThumbprint);
+        ExitOnFailure(hr, "Failed to get WixHttpSniSslCert.CertificateThumbprint");
+
+        if (!sczHost || !*sczHost)
+        {
+            hr = E_INVALIDARG;
+            ExitOnFailure(hr, "Require a Host value for WixHttpSniSslCert '%ls'", sczId);
+        }
+
+        if (!iPort)
+        {
+            hr = E_INVALIDARG;
+            ExitOnFailure(hr, "Require a Port value for WixHttpSniSslCert '%ls'", sczId);
+        }
+
+        if (!sczCertificateThumbprint || !*sczCertificateThumbprint)
+        {
+            hr = E_INVALIDARG;
+            ExitOnFailure(hr, "Require a CertificateThumbprint value for WixHttpSniSslCert '%ls'", sczId);
+        }
+
+        hr = WcaGetRecordFormattedString(hRec, hurqAppId, &sczAppId);
+        ExitOnFailure(hr, "Failed to get AppId for WixHttpSniSslCert '%ls'", sczId);
+
+        hr = WcaGetRecordFormattedString(hRec, hurqCertificateStore, &sczCertificateStore);
+        ExitOnFailure(hr, "Failed to get CertificateStore for WixHttpSniSslCert '%ls'", sczId);
+
+        hr = WcaGetRecordInteger(hRec, hurqHandleExisting, &iHandleExisting);
+        ExitOnFailure(hr, "Failed to get HandleExisting for WixHttpSniSslCert '%ls'", sczId);
+
+        hr = GetSniSslCert(sczHost, iPort, &pExistingSniSslSet);
+        ExitOnFailure(hr, "Failed to get the existing SNI SSL certificate for WixHttpSniSslCert '%ls'", sczId);
+
+        hr = EnsureAppId(&sczAppId, pExistingSniSslSet);
+        ExitOnFailure(hr, "Failed to ensure AppId for WixHttpSniSslCert '%ls'", sczId);
+
+        hr = WriteExistingSniSslCert(todoComponent, sczId, sczHost, iPort, iHandleExisting, pExistingSniSslSet, &sczRollbackCustomActionData);
+        ExitOnFailure(hr, "Failed to write rollback custom action data for WixHttpSniSslCert '%ls'", sczId);
+
+        hr = WriteSniSslCert(todoComponent, sczId, sczHost, iPort, iHandleExisting, sczCertificateThumbprint, sczAppId, sczCertificateStore, &sczCustomActionData);
+        ExitOnFailure(hr, "Failed to write custom action data for WixHttpSniSslCert '%ls'", sczId);
+        ++cCertificates;
+
+        ReleaseNullMem(pExistingSniSslSet);
+    }
+
+    // Reaching the end of the list is not an error.
+    if (E_NOMOREITEMS == hr)
+    {
+        hr = S_OK;
+    }
+    ExitOnFailure(hr, "Failure occurred while processing WixHttpSniSslCert table");
+
+    // Schedule ExecHttpSniSslCerts if there's anything to do.
+    if (cCertificates)
+    {
+        WcaLog(LOGMSG_STANDARD, "Scheduling SNI SSL certificate (%ls)", sczCustomActionData);
+        WcaLog(LOGMSG_STANDARD, "Scheduling rollback SNI SSL certificate (%ls)", sczRollbackCustomActionData);
+
+        if (WCA_TODO_INSTALL == todoSched)
+        {
+            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION(L"WixRollbackHttpSniSslCertsInstall"), sczRollbackCustomActionData, cCertificates * COST_HTTP_SNI_SSL);
+            ExitOnFailure(hr, "Failed to schedule install SNI SSL certificate rollback");
+            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION(L"WixExecHttpSniSslCertsInstall"), sczCustomActionData, cCertificates * COST_HTTP_SNI_SSL);
+            ExitOnFailure(hr, "Failed to schedule install SNI SSL certificate execution");
+        }
+        else
+        {
+            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION(L"WixRollbackHttpSniSslCertsUninstall"), sczRollbackCustomActionData, cCertificates * COST_HTTP_SNI_SSL);
+            ExitOnFailure(hr, "Failed to schedule uninstall SNI SSL certificate rollback");
+            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION(L"WixExecHttpSniSslCertsUninstall"), sczCustomActionData, cCertificates * COST_HTTP_SNI_SSL);
+            ExitOnFailure(hr, "Failed to schedule uninstall SNI SSL certificate execution");
+        }
+    }
+    else
+    {
+        WcaLog(LOGMSG_STANDARD, "No SNI SSL certificates scheduled");
+    }
+
+LExit:
+    ReleaseMem(pExistingSniSslSet);
+    ReleaseStr(sczCertificateStore);
+    ReleaseStr(sczAppId);
+    ReleaseStr(sczCertificateThumbprint);
+    ReleaseStr(sczHost);
+    ReleaseStr(sczComponent);
+    ReleaseStr(sczId);
+    ReleaseStr(sczRollbackCustomActionData);
+    ReleaseStr(sczCustomActionData);
+
+    if (fHttpInitialized)
+    {
+        ::HttpTerminate(HTTP_INITIALIZE_CONFIG, NULL);
+    }
+
+    return WcaFinalize(er = FAILED(hr) ? ERROR_INSTALL_FAILURE : er);
+}
+
+static HRESULT WriteExistingSniSslCert(
+    __in WCA_TODO action,
+    __in_z LPCWSTR wzId,
+    __in_z LPCWSTR wzHost,
+    __in int iPort,
+    __in int iHandleExisting,
+    __in HTTP_SERVICE_CONFIG_SSL_SNI_SET* pSniSslSet,
+    __inout_z LPWSTR* psczCustomActionData
+)
+{
+    HRESULT hr = S_OK;
+    LPWSTR sczCertificateThumbprint = NULL;
+    LPWSTR sczAppId = NULL;
+    LPCWSTR wzCertificateStore = NULL;
+
+    if (pSniSslSet)
+    {
+        hr = StrAllocHexEncode(reinterpret_cast<BYTE*>(pSniSslSet->ParamDesc.pSslHash), pSniSslSet->ParamDesc.SslHashLength, &sczCertificateThumbprint);
+        ExitOnFailure(hr, "Failed to convert existing certificate thumbprint to hex for WixHttpSniSslCert '%ls'", wzId);
+
+        hr = StringFromGuid(pSniSslSet->ParamDesc.AppId, &sczAppId);
+        ExitOnFailure(hr, "Failed to copy existing AppId for WixHttpSniSslCert '%ls'", wzId);
+
+        wzCertificateStore = pSniSslSet->ParamDesc.pSslCertStoreName;
+    }
+
+    hr = WriteSniSslCert(action, wzId, wzHost, iPort, iHandleExisting, sczCertificateThumbprint ? sczCertificateThumbprint : L"", sczAppId ? sczAppId : L"", wzCertificateStore ? wzCertificateStore : L"", psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write custom action data for WixHttpSniSslCert '%ls'", wzId);
+
+LExit:
+    ReleaseStr(sczAppId);
+    ReleaseStr(sczCertificateThumbprint);
+
+    return hr;
+}
+
+static HRESULT WriteSniSslCert(
+    __in WCA_TODO action,
+    __in_z LPCWSTR wzId,
+    __in_z LPCWSTR wzHost,
+    __in int iPort,
+    __in int iHandleExisting,
+    __in_z LPCWSTR wzCertificateThumbprint,
+    __in_z LPCWSTR wzAppId,
+    __in_z_opt LPCWSTR wzCertificateStore,
+    __inout_z LPWSTR* psczCustomActionData
+)
+{
+    HRESULT hr = S_OK;
+
+    hr = WcaWriteIntegerToCaData(action, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write action to custom action data");
+
+    hr = WcaWriteStringToCaData(wzId, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write id to custom action data");
+
+    hr = WcaWriteStringToCaData(wzHost, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write Host to custom action data");
+
+    hr = WcaWriteIntegerToCaData(iPort, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write Port to custom action data");
+
+    hr = WcaWriteIntegerToCaData(iHandleExisting, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write HandleExisting to custom action data");
+
+    hr = WcaWriteStringToCaData(wzCertificateThumbprint, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write CertificateThumbprint to custom action data");
+
+    hr = WcaWriteStringToCaData(wzAppId, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write AppId to custom action data");
+
+    hr = WcaWriteStringToCaData(wzCertificateStore ? wzCertificateStore : L"", psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write CertificateStore to custom action data");
+
+LExit:
+    return hr;
+}
+
+static HRESULT EnsureAppId(
+    __inout_z LPWSTR* psczAppId,
+    __in_opt HTTP_SERVICE_CONFIG_SSL_SNI_SET* pExistingSniSslSet
+)
+{
+    HRESULT hr = S_OK;
+    RPC_STATUS rs = RPC_S_OK;
+    GUID guid = { };
+
+    if (!psczAppId || !*psczAppId || !**psczAppId)
+    {
+        if (pExistingSniSslSet)
+        {
+            hr = StringFromGuid(pExistingSniSslSet->ParamDesc.AppId, psczAppId);
+            ExitOnFailure(hr, "Failed to ensure AppId guid");
+        }
+        else
+        {
+            rs = ::UuidCreate(&guid);
+            hr = HRESULT_FROM_RPC(rs);
+            ExitOnRootFailure(hr, "Failed to create guid for AppId");
+
+            hr = StringFromGuid(guid, psczAppId);
+            ExitOnFailure(hr, "Failed to ensure AppId guid");
+        }
+    }
+
+LExit:
+    return hr;
+}
+
+static HRESULT StringFromGuid(
+    __in REFGUID rguid,
+    __inout_z LPWSTR* psczGuid
+)
+{
+    HRESULT hr = S_OK;
+    WCHAR wzGuid[39];
+
+    if (!::StringFromGUID2(rguid, wzGuid, countof(wzGuid)))
+    {
+        hr = E_OUTOFMEMORY;
+        ExitOnRootFailure(hr, "Failed to convert guid into string");
+    }
+
+    hr = StrAllocString(psczGuid, wzGuid, 0);
+    ExitOnFailure(hr, "Failed to copy guid");
+
+LExit:
+    return hr;
+}
+
+static HRESULT AddSniSslCert(
+    __in_z LPCWSTR /*wzId*/,
+    __in_z LPWSTR wzHost,
+    __in int iPort,
+    __in BYTE rgbCertificateThumbprint[],
+    __in DWORD cbCertificateThumbprint,
+    __in GUID* pAppId,
+    __in_z LPWSTR wzSslCertStore
+)
+{
+    HRESULT hr = S_OK;
+    DWORD er = ERROR_SUCCESS;
+    HTTP_SERVICE_CONFIG_SSL_SNI_SET set = { };
+
+    SetSniSslCertSetKey(&set.KeyDesc, wzHost, iPort);
+    set.ParamDesc.SslHashLength = cbCertificateThumbprint;
+    set.ParamDesc.pSslHash = rgbCertificateThumbprint;
+    set.ParamDesc.AppId = *pAppId;
+    set.ParamDesc.pSslCertStoreName = wzSslCertStore;
+
+    er = ::HttpSetServiceConfiguration(NULL, HttpServiceConfigSslSniCertInfo, &set, sizeof(set), NULL);
+    if (ERROR_ALREADY_EXISTS == er)
+    {
+        hr = S_FALSE;
+    }
+    else
+    {
+        hr = HRESULT_FROM_WIN32(er);
+    }
+
+    return hr;
+}
+
+static HRESULT GetSniSslCert(
+    __in_z LPWSTR wzHost,
+    __in int nPort,
+    __out HTTP_SERVICE_CONFIG_SSL_SNI_SET** ppSet
+)
+{
+    HRESULT hr = S_OK;
+    DWORD er = ERROR_SUCCESS;
+    HTTP_SERVICE_CONFIG_SSL_SNI_QUERY query = { };
+    HTTP_SERVICE_CONFIG_SSL_SNI_SET* pSet = NULL;
+    ULONG cbSet = 0;
+
+    *ppSet = NULL;
+
+    query.QueryDesc = HttpServiceConfigQueryExact;
+    SetSniSslCertSetKey(&query.KeyDesc, wzHost, nPort);
+
+    er = ::HttpQueryServiceConfiguration(NULL, HttpServiceConfigSslSniCertInfo, &query, sizeof(query), pSet, cbSet, &cbSet, NULL);
+    if (ERROR_INSUFFICIENT_BUFFER == er)
+    {
+        pSet = reinterpret_cast<HTTP_SERVICE_CONFIG_SSL_SNI_SET*>(MemAlloc(cbSet, TRUE));
+        ExitOnNull(pSet, hr, E_OUTOFMEMORY, "Failed to allocate query SN SSL certificate buffer");
+
+        er = ::HttpQueryServiceConfiguration(NULL, HttpServiceConfigSslSniCertInfo, &query, sizeof(query), pSet, cbSet, &cbSet, NULL);
+    }
+
+    if (ERROR_SUCCESS == er)
+    {
+        *ppSet = pSet;
+        pSet = NULL;
+    }
+    else if (ERROR_FILE_NOT_FOUND == er)
+    {
+        hr = S_FALSE;
+    }
+    else
+    {
+        hr = HRESULT_FROM_WIN32(er);
+    }
+
+LExit:
+    ReleaseMem(pSet);
+
+    return hr;
+}
+
+static HRESULT RemoveSniSslCert(
+    __in_z LPCWSTR /*wzId*/,
+    __in_z LPWSTR wzHost,
+    __in int iPort
+)
+{
+    HRESULT hr = S_OK;
+    DWORD er = ERROR_SUCCESS;
+    HTTP_SERVICE_CONFIG_SSL_SNI_SET set = { };
+
+    SetSniSslCertSetKey(&set.KeyDesc, wzHost, iPort);
+
+    er = ::HttpDeleteServiceConfiguration(NULL, HttpServiceConfigSslSniCertInfo, &set, sizeof(set), NULL);
+    if (ERROR_FILE_NOT_FOUND == er)
+    {
+        hr = S_FALSE;
+    }
+    else
+    {
+        hr = HRESULT_FROM_WIN32(er);
+    }
+
+    return hr;
+}
+
+static void SetSniSslCertSetKey(
+    __in HTTP_SERVICE_CONFIG_SSL_SNI_KEY* pKey,
+    __in_z LPWSTR wzHost,
+    __in int iPort
+)
+{
+    pKey->Host = wzHost;
+    SOCKADDR_IN* pss = reinterpret_cast<SOCKADDR_IN*>(&pKey->IpPort);
+    pss->sin_family = AF_INET;
+    pss->sin_port = htons(static_cast<USHORT>(iPort));
+}
diff --git a/src/ca/wixhttpca.cpp b/src/ca/wixhttpca.cpp
index 3c091192..0355f718 100644
--- a/src/ca/wixhttpca.cpp
+++ b/src/ca/wixhttpca.cpp
@@ -40,8 +40,6 @@ LPCWSTR vcsHttpUrlAceQuery =
     L"WHERE `WixHttpUrlAce`.`WixHttpUrlReservation_`=?";
 enum eHttpUrlAceQuery { huaqSecurityPrincipal = 1, huaqRights };
 
-enum eHandleExisting { heReplace = 0, heIgnore = 1, heFail = 2 };
-
 /******************************************************************
  SchedHttpUrlReservations - immediate custom action worker to 
    prepare configuring URL reservations.
@@ -348,6 +346,11 @@ extern "C" UINT __stdcall ExecHttpUrlReservations(
     ExitOnFailure(hr, "Failed to get CustomActionData.");
     WcaLog(LOGMSG_TRACEONLY, "CustomActionData: %ls", sczCustomActionData);
 
+    if (!sczCustomActionData || !*sczCustomActionData)
+    {
+        WcaLog(LOGMSG_STANDARD, "No URL reservations to be executed.");
+    }
+
     wz = sczCustomActionData;
     while (wz && *wz)
     {
@@ -388,7 +391,7 @@ extern "C" UINT __stdcall ExecHttpUrlReservations(
             {
                 if (fRollback)
                 {
-                    WcaLogError(hr, "Failed to remove reservation for URL '%ls'", sczUrl);
+                    WcaLogError(hr, "Failed to remove reservation for rollback for URL '%ls'", sczUrl);
                 }
                 else
                 {
@@ -396,6 +399,7 @@ extern "C" UINT __stdcall ExecHttpUrlReservations(
                 }
             }
         }
+
         if (fAdd)
         {
             WcaLog(LOGMSG_STANDARD, "Adding reservation for URL '%ls' with SDDL '%ls'", sczUrl, sczSDDL);
@@ -408,7 +412,7 @@ extern "C" UINT __stdcall ExecHttpUrlReservations(
             {
                 if (fRollback)
                 {
-                    WcaLogError(hr, "Failed to add reservation for URL '%ls' with SDDL '%ls'", sczUrl, sczSDDL);
+                    WcaLogError(hr, "Failed to add reservation for rollback for URL '%ls' with SDDL '%ls'", sczUrl, sczSDDL);
                 }
                 else
                 {
diff --git a/src/ca/wixhttpca.def b/src/ca/wixhttpca.def
index f7e3e004..281c5631 100644
--- a/src/ca/wixhttpca.def
+++ b/src/ca/wixhttpca.def
@@ -7,3 +7,6 @@ EXPORTS
         SchedHttpUrlReservationsInstall
         SchedHttpUrlReservationsUninstall
         ExecHttpUrlReservations
+        SchedHttpSniSslCertsInstall
+        SchedHttpSniSslCertsUninstall
+        ExecHttpSniSslCerts
diff --git a/src/test/WixToolsetTest.Http/HttpExtensionFixture.cs b/src/test/WixToolsetTest.Http/HttpExtensionFixture.cs
index d1a1f565..1d350bdf 100644
--- a/src/test/WixToolsetTest.Http/HttpExtensionFixture.cs
+++ b/src/test/WixToolsetTest.Http/HttpExtensionFixture.cs
@@ -10,6 +10,25 @@ namespace WixToolsetTest.Http
     public class HttpExtensionFixture
     {
         [Fact]
+        public void CanBuildUsingSniSssl()
+        {
+            var folder = TestData.Get("TestData", "SniSsl");
+            var build = new Builder(folder, typeof(HttpExtensionFactory), new[] { folder });
+
+            var results = build.BuildAndQuery(Build, "CustomAction", "WixHttpSniSslCert");
+            WixAssert.CompareLineByLine(new[]
+            {
+                "CustomAction:Wix4ExecHttpSniSslCertsInstall_X86\t3073\tWix4HttpCA_X86\tExecHttpSniSslCerts\t",
+                "CustomAction:Wix4ExecHttpSniSslCertsUninstall_X86\t3073\tWix4HttpCA_X86\tExecHttpSniSslCerts\t",
+                "CustomAction:Wix4RollbackHttpSniSslCertsInstall_X86\t3329\tWix4HttpCA_X86\tExecHttpSniSslCerts\t",
+                "CustomAction:Wix4RollbackHttpSniSslCertsUninstall_X86\t3329\tWix4HttpCA_X86\tExecHttpSniSslCerts\t",
+                "CustomAction:Wix4SchedHttpSniSslCertsInstall_X86\t1\tWix4HttpCA_X86\tSchedHttpSniSslCertsInstall\t",
+                "CustomAction:Wix4SchedHttpSniSslCertsUninstall_X86\t1\tWix4HttpCA_X86\tSchedHttpSniSslCertsUninstall\t",
+                "WixHttpSniSslCert:sslC9YX6_H7UL_WGBx4DoDGI.Sj.D0\texample.com\t8080\t[SOME_THUMBPRINT]\t\t\t2\tfilF5_pLhBuF5b4N9XEo52g_hUM5Lo",
+            }, results);
+        }
+
+        [Fact]
         public void CanBuildUsingUrlReservation()
         {
             var folder = TestData.Get(@"TestData\UsingUrlReservation");
diff --git a/src/test/WixToolsetTest.Http/TestData/SniSsl/Package.en-us.wxl b/src/test/WixToolsetTest.Http/TestData/SniSsl/Package.en-us.wxl
new file mode 100644
index 00000000..38c12ac1
--- /dev/null
+++ b/src/test/WixToolsetTest.Http/TestData/SniSsl/Package.en-us.wxl
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!--
+This file contains the declaration of all the localizable strings.
+-->
+<WixLocalization xmlns="http://wixtoolset.org/schemas/v4/wxl" Culture="en-US">
+
+  <String Id="DowngradeError">A newer version of [ProductName] is already installed.</String>
+  <String Id="FeatureTitle">MsiPackage</String>
+
+</WixLocalization>
diff --git a/src/test/WixToolsetTest.Http/TestData/SniSsl/Package.wxs b/src/test/WixToolsetTest.Http/TestData/SniSsl/Package.wxs
new file mode 100644
index 00000000..c85e9bba
--- /dev/null
+++ b/src/test/WixToolsetTest.Http/TestData/SniSsl/Package.wxs
@@ -0,0 +1,15 @@
+<Wix xmlns="http://wixtoolset.org/schemas/v4/wxs">
+  <Package Name="MsiPackage" Version="1.0.0.0" Manufacturer="Example Corporation" UpgradeCode="047730a5-30fe-4a62-a520-da9381b8226a">
+    <MajorUpgrade DowngradeErrorMessage="!(loc.DowngradeError)" />
+
+    <Feature Id="ProductFeature" Title="!(loc.FeatureTitle)">
+      <ComponentGroupRef Id="ProductComponents" />
+    </Feature>
+  </Package>
+
+  <Fragment>
+    <StandardDirectory Id="ProgramFilesFolder">
+      <Directory Id="INSTALLFOLDER" Name="MsiPackage" />
+    </StandardDirectory>
+  </Fragment>
+</Wix>
diff --git a/src/test/WixToolsetTest.Http/TestData/SniSsl/PackageComponents.wxs b/src/test/WixToolsetTest.Http/TestData/SniSsl/PackageComponents.wxs
new file mode 100644
index 00000000..f0aae485
--- /dev/null
+++ b/src/test/WixToolsetTest.Http/TestData/SniSsl/PackageComponents.wxs
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Wix xmlns="http://wixtoolset.org/schemas/v4/wxs"
+     xmlns:http="http://wixtoolset.org/schemas/v4/wxs/http">
+  <Fragment>
+    <ComponentGroup Id="ProductComponents" Directory="INSTALLFOLDER">
+        <Component>
+            <File Source="example.txt" />
+            <http:SniSslCertificate Host="example.com" Port="8080" Thumbprint="[SOME_THUMBPRINT]" HandleExisting="fail" />
+        </Component>
+    </ComponentGroup>
+  </Fragment>
+</Wix>
diff --git a/src/test/WixToolsetTest.Http/TestData/SniSsl/example.txt b/src/test/WixToolsetTest.Http/TestData/SniSsl/example.txt
new file mode 100644
index 00000000..1b4ffe8a
--- /dev/null
+++ b/src/test/WixToolsetTest.Http/TestData/SniSsl/example.txt
@@ -0,0 +1 @@
+This is example.txt.
\ No newline at end of file
diff --git a/src/wixext/HttpCompiler.cs b/src/wixext/HttpCompiler.cs
index cb217147..6c572470 100644
--- a/src/wixext/HttpCompiler.cs
+++ b/src/wixext/HttpCompiler.cs
@@ -48,6 +48,10 @@ namespace WixToolset.Http
 
                     switch (element.Name.LocalName)
                     {
+                        case "SniSslCertificate":
+                            this.ParseSniSslCertificateElement(intermediate, section, element, componentId);
+                            break;
+
                         case "UrlReservation":
                             this.ParseUrlReservationElement(intermediate, section, element, componentId, null);
                             break;
@@ -63,6 +67,119 @@ namespace WixToolset.Http
         }
 
         /// <summary>
+        /// Parses a SniSsl element.
+        /// </summary>
+        /// <param name="node">The element to parse.</param>
+        /// <param name="componentId">Identifier of the component that owns this SNI SSL Certificate.</param>
+        private void ParseSniSslCertificateElement(Intermediate intermediate, IntermediateSection section, XElement node, string componentId)
+        {
+            var sourceLineNumbers = this.ParseHelper.GetSourceLineNumbers(node);
+            Identifier id = null;
+            string host = null;
+            string port = null;
+            string appId = null;
+            string store = null;
+            string thumbprint = null;
+            var handleExisting = HandleExisting.Replace;
+            string handleExistingValue = null;
+
+            foreach (var attrib in node.Attributes())
+            {
+                if (String.IsNullOrEmpty(attrib.Name.NamespaceName) || this.Namespace == attrib.Name.Namespace)
+                {
+                    switch (attrib.Name.LocalName)
+                    {
+                        case "Id":
+                            id = this.ParseHelper.GetAttributeIdentifier(sourceLineNumbers, attrib);
+                            break;
+                        case "AppId":
+                            appId = this.ParseHelper.GetAttributeValue(sourceLineNumbers, attrib);
+                            break;
+                        case "HandleExisting":
+                            handleExistingValue = this.ParseHelper.GetAttributeValue(sourceLineNumbers, attrib);
+                            switch (handleExistingValue)
+                            {
+                                case "replace":
+                                    handleExisting = HandleExisting.Replace;
+                                    break;
+                                case "ignore":
+                                    handleExisting = HandleExisting.Ignore;
+                                    break;
+                                case "fail":
+                                    handleExisting = HandleExisting.Fail;
+                                    break;
+                                default:
+                                    this.Messaging.Write(ErrorMessages.IllegalAttributeValue(sourceLineNumbers, node.Name.LocalName, "HandleExisting", handleExistingValue, "replace", "ignore", "fail"));
+                                    break;
+                            }
+                            break;
+                        case "Host":
+                            host = this.ParseHelper.GetAttributeValue(sourceLineNumbers, attrib);
+                            break;
+                        case "Port":
+                            port = this.ParseHelper.GetAttributeValue(sourceLineNumbers, attrib);
+                            break;
+                        case "Store":
+                            store = this.ParseHelper.GetAttributeValue(sourceLineNumbers, attrib);
+                            break;
+                        case "Thumbprint":
+                            thumbprint = this.ParseHelper.GetAttributeValue(sourceLineNumbers, attrib);
+                            break;
+                        default:
+                            this.ParseHelper.UnexpectedAttribute(node, attrib);
+                            break;
+                    }
+                }
+                else
+                {
+                    this.ParseHelper.ParseExtensionAttribute(this.Context.Extensions, intermediate, section, node, attrib);
+                }
+            }
+
+            // Need the element ID for child element processing, so generate now if not authored.
+            if (null == id)
+            {
+                id = this.ParseHelper.CreateIdentifier("ssl", componentId, host, port);
+            }
+
+            // Required attributes.
+            if (null == host)
+            {
+                this.Messaging.Write(ErrorMessages.ExpectedAttribute(sourceLineNumbers, node.Name.LocalName, "Host"));
+            }
+
+            if (null == port)
+            {
+                this.Messaging.Write(ErrorMessages.ExpectedAttribute(sourceLineNumbers, node.Name.LocalName, "Port"));
+            }
+
+            if (null == thumbprint)
+            {
+                this.Messaging.Write(ErrorMessages.ExpectedAttribute(sourceLineNumbers, node.Name.LocalName, "Thumbprint"));
+            }
+
+            // Parse unknown children.
+            this.ParseHelper.ParseForExtensionElements(this.Context.Extensions, intermediate, section, node);
+
+            if (!this.Messaging.EncounteredError)
+            {
+                section.AddSymbol(new WixHttpSniSslCertSymbol(sourceLineNumbers, id)
+                {
+                    Host = host,
+                    Port = port,
+                    Thumbprint = thumbprint,
+                    AppId = appId,
+                    Store = store,
+                    HandleExisting = handleExisting,
+                    ComponentRef = componentId,
+                });
+
+                this.ParseHelper.CreateCustomActionReference(sourceLineNumbers, section, "Wix4SchedHttpSniSslCertsInstall", this.Context.Platform, CustomActionPlatforms.X86 | CustomActionPlatforms.X64 | CustomActionPlatforms.ARM64);
+                this.ParseHelper.CreateCustomActionReference(sourceLineNumbers, section, "Wix4SchedHttpSniSslCertsUninstall", this.Context.Platform, CustomActionPlatforms.X86 | CustomActionPlatforms.X64 | CustomActionPlatforms.ARM64);
+            }
+        }
+
+        /// <summary>
         /// Parses a UrlReservation element.
         /// </summary>
         /// <param name="node">The element to parse.</param>
diff --git a/src/wixext/HttpTableDefinitions.cs b/src/wixext/HttpTableDefinitions.cs
index 0665ce8d..83cd565a 100644
--- a/src/wixext/HttpTableDefinitions.cs
+++ b/src/wixext/HttpTableDefinitions.cs
@@ -6,6 +6,23 @@ namespace WixToolset.Http
 
     public static class HttpTableDefinitions
     {
+        public static readonly TableDefinition WixHttpSniSslCert = new TableDefinition(
+            "WixHttpSniSslCert",
+            HttpSymbolDefinitions.WixHttpSniSslCert,
+            new[]
+            {
+                new ColumnDefinition("WixHttpSniSslCert", ColumnType.String, 72, primaryKey: true, nullable: false, ColumnCategory.Identifier, description: "The non-localized primary key for the table.", modularizeType: ColumnModularizeType.Column),
+                new ColumnDefinition("Host", ColumnType.String, 0, primaryKey: false, nullable: false, ColumnCategory.Formatted, description: "Host for the SNI SSL certificate.", modularizeType: ColumnModularizeType.Property),
+                new ColumnDefinition("Port", ColumnType.String, 0, primaryKey: false, nullable: false, ColumnCategory.Formatted, description: "Port for the  SNI SSL certificate.", modularizeType: ColumnModularizeType.Property),
+                new ColumnDefinition("Thumbprint", ColumnType.String, 0, primaryKey: false, nullable: false, ColumnCategory.Formatted, description: "humbprint of the SNI SSL certificate to find.", modularizeType: ColumnModularizeType.Property),
+                new ColumnDefinition("AppId", ColumnType.String, 0, primaryKey: false, nullable: true, ColumnCategory.Formatted, description: "Optional application id for the SNI SSL certificate.", modularizeType: ColumnModularizeType.Property),
+                new ColumnDefinition("Store", ColumnType.String, 0, primaryKey: false, nullable: true, ColumnCategory.Formatted, description: "Optional application id for the SNI SSL certificate.", modularizeType: ColumnModularizeType.Property),
+                new ColumnDefinition("HandleExisting", ColumnType.Number, 4, primaryKey: false, nullable: false, ColumnCategory.Unknown, minValue: 0, maxValue: 2, description: "The behavior when trying to install a SNI SSL certificate and it already exists."),
+                new ColumnDefinition("Component_", ColumnType.String, 72, primaryKey: false, nullable: false, ColumnCategory.Identifier, keyTable: "Component", keyColumn: 1, description: "Foreign key into the Component table referencing the component that controls the URL reservation.", modularizeType: ColumnModularizeType.Column),
+            },
+            symbolIdIsPrimaryKey: true
+        );
+
         public static readonly TableDefinition WixHttpUrlReservation = new TableDefinition(
             "WixHttpUrlReservation",
             HttpSymbolDefinitions.WixHttpUrlReservation,
@@ -35,6 +52,7 @@ namespace WixToolset.Http
 
         public static readonly TableDefinition[] All = new[]
         {
+            WixHttpSniSslCert,
             WixHttpUrlReservation,
             WixHttpUrlAce,
         };
diff --git a/src/wixext/Symbols/HttpSymbolDefinitions.cs b/src/wixext/Symbols/HttpSymbolDefinitions.cs
index a6deb307..2aa03468 100644
--- a/src/wixext/Symbols/HttpSymbolDefinitions.cs
+++ b/src/wixext/Symbols/HttpSymbolDefinitions.cs
@@ -7,6 +7,7 @@ namespace WixToolset.Http
 
     public enum HttpSymbolDefinitionType
     {
+        WixHttpSniSslCert,
         WixHttpUrlAce,
         WixHttpUrlReservation,
     }
@@ -29,6 +30,9 @@ namespace WixToolset.Http
         {
             switch (type)
             {
+                case HttpSymbolDefinitionType.WixHttpSniSslCert:
+                    return HttpSymbolDefinitions.WixHttpSniSslCert;
+
                 case HttpSymbolDefinitionType.WixHttpUrlAce:
                     return HttpSymbolDefinitions.WixHttpUrlAce;
 
diff --git a/src/wixext/Symbols/WixHttpSniSslCertSymbol.cs b/src/wixext/Symbols/WixHttpSniSslCertSymbol.cs
new file mode 100644
index 00000000..ec67a089
--- /dev/null
+++ b/src/wixext/Symbols/WixHttpSniSslCertSymbol.cs
@@ -0,0 +1,95 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+namespace WixToolset.Http
+{
+    using WixToolset.Data;
+    using WixToolset.Http.Symbols;
+
+    public static partial class HttpSymbolDefinitions
+    {
+        public static readonly IntermediateSymbolDefinition WixHttpSniSslCert = new IntermediateSymbolDefinition(
+            HttpSymbolDefinitionType.WixHttpSniSslCert.ToString(),
+            new[]
+            {
+                new IntermediateFieldDefinition(nameof(WixHttpSniSslCertSymbolFields.Host), IntermediateFieldType.String),
+                new IntermediateFieldDefinition(nameof(WixHttpSniSslCertSymbolFields.Port), IntermediateFieldType.String),
+                new IntermediateFieldDefinition(nameof(WixHttpSniSslCertSymbolFields.Thumbprint), IntermediateFieldType.String),
+                new IntermediateFieldDefinition(nameof(WixHttpSniSslCertSymbolFields.AppId), IntermediateFieldType.String),
+                new IntermediateFieldDefinition(nameof(WixHttpSniSslCertSymbolFields.Store), IntermediateFieldType.String),
+                new IntermediateFieldDefinition(nameof(WixHttpSniSslCertSymbolFields.HandleExisting), IntermediateFieldType.Number),
+                new IntermediateFieldDefinition(nameof(WixHttpSniSslCertSymbolFields.ComponentRef), IntermediateFieldType.String),
+            },
+            typeof(WixHttpSniSslCertSymbol));
+    }
+}
+
+namespace WixToolset.Http.Symbols
+{
+    using WixToolset.Data;
+
+    public enum WixHttpSniSslCertSymbolFields
+    {
+        Host,
+        Port,
+        Thumbprint,
+        AppId,
+        Store,
+        HandleExisting,
+        ComponentRef,
+    }
+
+    public class WixHttpSniSslCertSymbol : IntermediateSymbol
+    {
+        public WixHttpSniSslCertSymbol() : base(HttpSymbolDefinitions.WixHttpSniSslCert, null, null)
+        {
+        }
+
+        public WixHttpSniSslCertSymbol(SourceLineNumber sourceLineNumber, Identifier id = null) : base(HttpSymbolDefinitions.WixHttpSniSslCert, sourceLineNumber, id)
+        {
+        }
+
+        public IntermediateField this[WixHttpSniSslCertSymbolFields index] => this.Fields[(int)index];
+
+        public string Host
+        {
+            get => this.Fields[(int)WixHttpSniSslCertSymbolFields.Host].AsString();
+            set => this.Set((int)WixHttpSniSslCertSymbolFields.Host, value);
+        }
+
+        public string Port
+        {
+            get => this.Fields[(int)WixHttpSniSslCertSymbolFields.Port].AsString();
+            set => this.Set((int)WixHttpSniSslCertSymbolFields.Port, value);
+        }
+
+        public string Thumbprint
+        {
+            get => this.Fields[(int)WixHttpSniSslCertSymbolFields.Thumbprint].AsString();
+            set => this.Set((int)WixHttpSniSslCertSymbolFields.Thumbprint, value);
+        }
+
+        public string AppId
+        {
+            get => this.Fields[(int)WixHttpSniSslCertSymbolFields.AppId].AsString();
+            set => this.Set((int)WixHttpSniSslCertSymbolFields.AppId, value);
+        }
+
+        public string Store
+        {
+            get => this.Fields[(int)WixHttpSniSslCertSymbolFields.Store].AsString();
+            set => this.Set((int)WixHttpSniSslCertSymbolFields.Store, value);
+        }
+
+        public HandleExisting HandleExisting
+        {
+            get => (HandleExisting)this.Fields[(int)WixHttpSniSslCertSymbolFields.HandleExisting].AsNumber();
+            set => this.Set((int)WixHttpSniSslCertSymbolFields.HandleExisting, (int)value);
+        }
+
+        public string ComponentRef
+        {
+            get => this.Fields[(int)WixHttpSniSslCertSymbolFields.ComponentRef].AsString();
+            set => this.Set((int)WixHttpSniSslCertSymbolFields.ComponentRef, value);
+        }
+    }
+}
diff --git a/src/wixlib/HttpExtension_Platform.wxi b/src/wixlib/HttpExtension_Platform.wxi
index 2d498862..4f4a9e23 100644
--- a/src/wixlib/HttpExtension_Platform.wxi
+++ b/src/wixlib/HttpExtension_Platform.wxi
@@ -32,6 +32,33 @@
     </Fragment>
 
     <Fragment>
+        <UIRef Id="WixHttpErrors" />
+        <UI>
+            <ProgressText Action="$(var.Prefix)SchedHttpSniSslCertsInstall$(var.Suffix)" Message="!(loc.WixSchedHttpSniSslCertsInstall)" />
+            <ProgressText Action="$(var.Prefix)SchedHttpSniSslCertsUninstall$(var.Suffix)" Message="!(loc.WixSchedHttpSniSslCertsUninstall)" />
+            <ProgressText Action="$(var.Prefix)RollbackHttpSniSslCertsInstall$(var.Suffix)" Message="!(loc.WixRollbackHttpSniSslCertsInstall)" />
+            <ProgressText Action="$(var.Prefix)ExecHttpSniSslCertsInstall$(var.Suffix)" Message="!(loc.WixExecHttpSniSslCertsInstall)" />
+            <ProgressText Action="$(var.Prefix)RollbackHttpSniSslCertsUninstall$(var.Suffix)" Message="!(loc.WixRollbackHttpSniSslCertsUninstall)" />
+            <ProgressText Action="$(var.Prefix)ExecHttpSniSslCertsUninstall$(var.Suffix)" Message="!(loc.WixExecHttpSniSslCertsUninstall)" />
+        </UI>
+
+        <CustomAction Id="$(var.Prefix)SchedHttpSniSslCertsInstall$(var.Suffix)" BinaryRef="$(var.Prefix)HttpCA$(var.Suffix)" DllEntry="SchedHttpSniSslCertsInstall" Execute="immediate" Return="check" SuppressModularization="yes" />
+        <CustomAction Id="$(var.Prefix)SchedHttpSniSslCertsUninstall$(var.Suffix)" BinaryRef="$(var.Prefix)HttpCA$(var.Suffix)" DllEntry="SchedHttpSniSslCertsUninstall" Execute="immediate" Return="check" SuppressModularization="yes" />
+        <CustomAction Id="$(var.Prefix)RollbackHttpSniSslCertsInstall$(var.Suffix)" BinaryRef="$(var.Prefix)HttpCA$(var.Suffix)" DllEntry="ExecHttpSniSslCerts" Execute="rollback" Impersonate="no" Return="check" SuppressModularization="yes" />
+        <CustomAction Id="$(var.Prefix)ExecHttpSniSslCertsInstall$(var.Suffix)" BinaryRef="$(var.Prefix)HttpCA$(var.Suffix)" DllEntry="ExecHttpSniSslCerts" Execute="deferred" Impersonate="no" Return="check" SuppressModularization="yes" />
+        <CustomAction Id="$(var.Prefix)RollbackHttpSniSslCertsUninstall$(var.Suffix)" BinaryRef="$(var.Prefix)HttpCA$(var.Suffix)" DllEntry="ExecHttpSniSslCerts" Execute="rollback" Impersonate="no" Return="check" SuppressModularization="yes" />
+        <CustomAction Id="$(var.Prefix)ExecHttpSniSslCertsUninstall$(var.Suffix)" BinaryRef="$(var.Prefix)HttpCA$(var.Suffix)" DllEntry="ExecHttpSniSslCerts" Execute="deferred" Impersonate="no" Return="check" SuppressModularization="yes" />
+
+        <!--
+            We need HTTP.SYS on Windows 8 or later for SNI SSL support.
+        -->
+        <InstallExecuteSequence>
+            <Custom Action="$(var.Prefix)SchedHttpSniSslCertsUninstall$(var.Suffix)" Before="RemoveFiles" Overridable="yes" Condition="VersionNT >= 602" />
+            <Custom Action="$(var.Prefix)SchedHttpSniSslCertsInstall$(var.Suffix)" After="InstallFiles" Overridable="yes" Condition="VersionNT >= 602" />
+        </InstallExecuteSequence>
+    </Fragment>
+
+    <Fragment>
         <Binary Id="$(var.Prefix)HttpCA$(var.Suffix)" SourceFile="!(bindpath.$(var.platform))httpca.dll" />
     </Fragment>
 </Include>
diff --git a/src/wixlib/en-us.wxl b/src/wixlib/en-us.wxl
index b6c180ed..22d74f78 100644
--- a/src/wixlib/en-us.wxl
+++ b/src/wixlib/en-us.wxl
@@ -1,6 +1,5 @@
 <!-- Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->
 
-
 <WixLocalization Culture="en-us" xmlns="http://wixtoolset.org/schemas/v4/wxl">
     <String Id="WixSchedHttpUrlReservationsInstall" Overridable="yes">Preparing to configure Windows HTTP Server</String>
     <String Id="WixSchedHttpUrlReservationsUninstall" Overridable="yes">Preparing to configure Windows HTTP Server</String>
@@ -8,4 +7,11 @@
     <String Id="WixExecHttpUrlReservationsInstall" Overridable="yes">Configuring Windows HTTP Server</String>
     <String Id="WixRollbackHttpUrlReservationsUninstall" Overridable="yes">Rolling back Windows HTTP Server configuration</String>
     <String Id="WixExecHttpUrlReservationsUninstall" Overridable="yes">Configuring Windows HTTP Server</String>
+
+    <String Id="WixSchedHttpSniSslCertsInstall" Overridable="yes">Preparing to configure Windows HTTP Server SSL</String>
+    <String Id="WixSchedHttpSniSslCertsUninstall" Overridable="yes">Preparing to configure Windows HTTP Server SSL</String>
+    <String Id="WixRollbackHttpSniSslCertsInstall" Overridable="yes">Rolling back Windows HTTP Server SSL configuration</String>
+    <String Id="WixExecHttpSniSslCertsInstall" Overridable="yes">Configuring Windows HTTP Server SSL</String>
+    <String Id="WixRollbackHttpSniSslCertsUninstall" Overridable="yes">Rolling back Windows HTTP Server SSL configuration</String>
+    <String Id="WixExecHttpSniSslCertsUninstall" Overridable="yes">Configuring Windows HTTP Server SSL</String>
 </WixLocalization>