10 files changed, 1435 insertions, 0 deletions

diff --git a/src/ext/Http/ca/caDecor.h b/src/ext/Http/ca/caDecor.h
new file mode 100644
index 00000000..da274650
--- /dev/null
+++ b/src/ext/Http/ca/caDecor.h
@@ -0,0 +1,13 @@
+#pragma once
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+
+#if defined(_M_ARM64)
+#define CUSTOM_ACTION_DECORATION(f) L"Wix4" f L"_A64"
+#elif defined(_M_AMD64)
+#define CUSTOM_ACTION_DECORATION(f) L"Wix4" f L"_X64"
+#elif defined(_M_ARM)
+#define CUSTOM_ACTION_DECORATION(f) L"Wix4" f L"_ARM"
+#else
+#define CUSTOM_ACTION_DECORATION(f) L"Wix4" f L"_X86"
+#endif
diff --git a/src/ext/Http/ca/cost.h b/src/ext/Http/ca/cost.h
new file mode 100644
index 00000000..9677e7e8
--- /dev/null
+++ b/src/ext/Http/ca/cost.h
@@ -0,0 +1,6 @@
+#pragma once
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+
+const UINT COST_HTTP_URL_ACL = 2000;
+const UINT COST_HTTP_SNI_SSL = 2000;
diff --git a/src/ext/Http/ca/dllmain.cpp b/src/ext/Http/ca/dllmain.cpp
new file mode 100644
index 00000000..b4c8c037
--- /dev/null
+++ b/src/ext/Http/ca/dllmain.cpp
@@ -0,0 +1,26 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+#include "precomp.h"
+
+/********************************************************************
+DllMain - standard entry point for all WiX CustomActions
+
+********************************************************************/
+extern "C" BOOL WINAPI DllMain(
+    IN HINSTANCE hInstance,
+    IN ULONG ulReason,
+    IN LPVOID)
+{
+    switch(ulReason)
+    {
+    case DLL_PROCESS_ATTACH:
+        WcaGlobalInitialize(hInstance);
+        break;
+
+    case DLL_PROCESS_DETACH:
+        WcaGlobalFinalize();
+        break;
+    }
+
+    return TRUE;
+}
diff --git a/src/ext/Http/ca/httpca.vcxproj b/src/ext/Http/ca/httpca.vcxproj
new file mode 100644
index 00000000..fde00ff4
--- /dev/null
+++ b/src/ext/Http/ca/httpca.vcxproj
@@ -0,0 +1,72 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="..\..\packages\WixToolset.DUtil.4.0.56\build\WixToolset.DUtil.props" Condition="Exists('..\..\packages\WixToolset.DUtil.4.0.56\build\WixToolset.DUtil.props')" />
+  <Import Project="..\..\packages\WixToolset.WcaUtil.4.0.17\build\WixToolset.WcaUtil.props" Condition="Exists('..\..\packages\WixToolset.WcaUtil.4.0.17\build\WixToolset.WcaUtil.props')" />
+
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|ARM64">
+      <Configuration>Debug</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|ARM64">
+      <Configuration>Release</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{90743805-C043-47C7-B5FF-8F5EE5C8A2DE}</ProjectGuid>
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+    <TargetName>httpca</TargetName>
+    <ProjectModuleDefinitionFile>wixhttpca.def</ProjectModuleDefinitionFile>
+    <Description>WiX Toolset Http CustomAction</Description>
+  </PropertyGroup>
+
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+
+  <PropertyGroup>
+    <ProjectAdditionalLinkLibraries>crypt32.lib;httpapi.lib;msi.lib;rpcrt4.lib;ws2_32.lib</ProjectAdditionalLinkLibraries>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ClCompile Include="dllmain.cpp">
+      <PrecompiledHeader>Create</PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="snisslcert.cpp" />
+    <ClCompile Include="wixhttpca.cpp" />
+    <ClInclude Include="cost.h" />
+    <ClInclude Include="precomp.h" />
+    <None Include="packages.config" />
+    <None Include="wixhttpca.def" />
+  </ItemGroup>
+
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+
+  <Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
+    <PropertyGroup>
+      <ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them.  For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
+    </PropertyGroup>
+    <Error Condition="!Exists('..\..\packages\WixToolset.DUtil.4.0.56\build\WixToolset.DUtil.props')" Text="$([System.String]::Format('$(ErrorText)', '..\..\packages\WixToolset.DUtil.4.0.56\build\WixToolset.DUtil.props'))" />
+    <Error Condition="!Exists('..\..\packages\WixToolset.WcaUtil.4.0.17\build\WixToolset.WcaUtil.props')" Text="$([System.String]::Format('$(ErrorText)', '..\..\packages\WixToolset.WcaUtil.4.0.17\build\WixToolset.WcaUtil.props'))" />
+  </Target>
+</Project>
diff --git a/src/ext/Http/ca/httpca.vcxproj.filters b/src/ext/Http/ca/httpca.vcxproj.filters
new file mode 100644
index 00000000..2ccd604d
--- /dev/null
+++ b/src/ext/Http/ca/httpca.vcxproj.filters
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="wixhttpca.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="dllmain.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="snisslcert.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="precomp.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="cost.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="wixhttpca.def">
+      <Filter>Source Files</Filter>
+    </None>
+    <None Include="packages.config" />
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/src/ext/Http/ca/packages.config b/src/ext/Http/ca/packages.config
new file mode 100644
index 00000000..9d88f529
--- /dev/null
+++ b/src/ext/Http/ca/packages.config
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="WixToolset.DUtil" version="4.0.56" targetFramework="native" />
+  <package id="WixToolset.WcaUtil" version="4.0.17" targetFramework="native" />
+</packages>
\ No newline at end of file
diff --git a/src/ext/Http/ca/precomp.h b/src/ext/Http/ca/precomp.h
new file mode 100644
index 00000000..c78d78c1
--- /dev/null
+++ b/src/ext/Http/ca/precomp.h
@@ -0,0 +1,25 @@
+#pragma once
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+
+#include <http.h>
+#include <msiquery.h>
+#include <strsafe.h>
+
+#include "wcautil.h"
+#include "cryputil.h"
+#include "dutil.h"
+#include "memutil.h"
+#include "strutil.h"
+#include "aclutil.h"
+
+#include "cost.h"
+
+#include "caDecor.h"
+
+enum eHandleExisting
+{
+    heReplace = 0,
+    heIgnore = 1,
+    heFail = 2
+};
diff --git a/src/ext/Http/ca/snisslcert.cpp b/src/ext/Http/ca/snisslcert.cpp
new file mode 100644
index 00000000..3a7336af
--- /dev/null
+++ b/src/ext/Http/ca/snisslcert.cpp
@@ -0,0 +1,704 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+#include "precomp.h"
+
+#if _WIN32_WINNT < 0x0602
+
+typedef struct _HTTP_SERVICE_CONFIG_SSL_SNI_KEY
+{
+    SOCKADDR_STORAGE IpPort;
+    PWSTR Host;
+} HTTP_SERVICE_CONFIG_SSL_SNI_KEY, * PHTTP_SERVICE_CONFIG_SSL_SNI_KEY;
+
+typedef struct _HTTP_SERVICE_CONFIG_SSL_SNI_SET
+{
+    HTTP_SERVICE_CONFIG_SSL_SNI_KEY KeyDesc;
+    HTTP_SERVICE_CONFIG_SSL_PARAM   ParamDesc;
+} HTTP_SERVICE_CONFIG_SSL_SNI_SET, * PHTTP_SERVICE_CONFIG_SSL_SNI_SET;
+
+typedef struct _HTTP_SERVICE_CONFIG_SSL_SNI_QUERY
+{
+    HTTP_SERVICE_CONFIG_QUERY_TYPE  QueryDesc;
+    HTTP_SERVICE_CONFIG_SSL_SNI_KEY KeyDesc;
+    DWORD                           dwToken;
+} HTTP_SERVICE_CONFIG_SSL_SNI_QUERY, * PHTTP_SERVICE_CONFIG_SSL_SNI_QUERY;
+
+#define HttpServiceConfigSslSniCertInfo static_cast<HTTP_SERVICE_CONFIG_ID>(HttpServiceConfigCache + 1)
+
+#endif
+
+static UINT SchedHttpSniSslCerts(
+    __in WCA_TODO todoSched
+);
+static HRESULT WriteExistingSniSslCert(
+    __in WCA_TODO action,
+    __in_z LPCWSTR wzId,
+    __in_z LPCWSTR wzHost,
+    __in int iPort,
+    __in int iHandleExisting,
+    __in HTTP_SERVICE_CONFIG_SSL_SNI_SET* pSniSslSet,
+    __inout_z LPWSTR* psczCustomActionData
+);
+static HRESULT WriteSniSslCert(
+    __in WCA_TODO action,
+    __in_z LPCWSTR wzId,
+    __in_z LPCWSTR wzHost,
+    __in int iPort,
+    __in int iHandleExisting,
+    __in_z LPCWSTR wzCertificateThumbprint,
+    __in_z LPCWSTR wzAppId,
+    __in_z_opt LPCWSTR wzCertificateStore,
+    __inout_z LPWSTR* psczCustomActionData
+);
+static HRESULT EnsureAppId(
+    __inout_z LPWSTR* psczAppId,
+    __in_opt HTTP_SERVICE_CONFIG_SSL_SNI_SET* pExistingSniSslSet
+);
+static HRESULT StringFromGuid(
+    __in REFGUID rguid,
+    __inout_z LPWSTR* psczGuid
+);
+static HRESULT AddSniSslCert(
+    __in_z LPCWSTR wzId,
+    __in_z LPWSTR wzHost,
+    __in int iPort,
+    __in BYTE rgbCertificateThumbprint[],
+    __in DWORD cbCertificateThumbprint,
+    __in GUID* pAppId,
+    __in_z LPWSTR wzSslCertStore
+);
+static HRESULT GetSniSslCert(
+    __in_z LPWSTR wzHost,
+    __in int nPort,
+    __out HTTP_SERVICE_CONFIG_SSL_SNI_SET** ppSet
+);
+static HRESULT RemoveSniSslCert(
+    __in_z LPCWSTR wzId,
+    __in_z LPWSTR wzHost,
+    __in int iPort
+);
+static void SetSniSslCertSetKey(
+    __in HTTP_SERVICE_CONFIG_SSL_SNI_KEY* pKey,
+    __in_z LPWSTR wzHost,
+    __in int iPort
+);
+
+
+LPCWSTR vcsWixHttpSniSslCertQuery =
+L"SELECT `Wix4HttpSniSslCert`.`Wix4HttpSniSslCert`, `Wix4HttpSniSslCert`.`Host`, `Wix4HttpSniSslCert`.`Port`, `Wix4HttpSniSslCert`.`Thumbprint`, `Wix4HttpSniSslCert`.`AppId`, `Wix4HttpSniSslCert`.`Store`, `Wix4HttpSniSslCert`.`HandleExisting`, `Wix4HttpSniSslCert`.`Component_` "
+L"FROM `Wix4HttpSniSslCert`";
+enum eWixHttpSniSslCertQuery { hurqId = 1, hurqHost, hurqPort, hurqCertificateThumbprint, hurqAppId, hurqCertificateStore, hurqHandleExisting, hurqComponent };
+
+/******************************************************************
+ SchedWixHttpSniSslCertsInstall - immediate custom action entry
+   point to prepare adding URL reservations.
+
+********************************************************************/
+extern "C" UINT __stdcall SchedHttpSniSslCertsInstall(
+    __in MSIHANDLE hInstall
+)
+{
+    HRESULT hr = S_OK;
+
+    hr = WcaInitialize(hInstall, "SchedHttpSniSslCertsInstall");
+    ExitOnFailure(hr, "Failed to initialize");
+
+    hr = SchedHttpSniSslCerts(WCA_TODO_INSTALL);
+
+LExit:
+    return WcaFinalize(FAILED(hr) ? ERROR_INSTALL_FAILURE : ERROR_SUCCESS);
+}
+
+/******************************************************************
+ SchedWixHttpSniSslCertsUninstall - immediate custom action entry
+   point to prepare removing URL reservations.
+
+********************************************************************/
+extern "C" UINT __stdcall SchedHttpSniSslCertsUninstall(
+    __in MSIHANDLE hInstall
+)
+{
+    HRESULT hr = S_OK;
+
+    hr = WcaInitialize(hInstall, "SchedHttpSniSslCertsUninstall");
+    ExitOnFailure(hr, "Failed to initialize");
+
+    hr = SchedHttpSniSslCerts(WCA_TODO_UNINSTALL);
+
+LExit:
+    return WcaFinalize(FAILED(hr) ? ERROR_INSTALL_FAILURE : ERROR_SUCCESS);
+}
+
+/******************************************************************
+ ExecHttpSniSslCerts - deferred custom action entry point to
+   register and remove URL reservations.
+
+********************************************************************/
+extern "C" UINT __stdcall ExecHttpSniSslCerts(
+    __in MSIHANDLE hInstall
+)
+{
+    HRESULT hr = S_OK;
+    BOOL fHttpInitialized = FALSE;
+    LPWSTR sczCustomActionData = NULL;
+    LPWSTR wz = NULL;
+    int iTodo = WCA_TODO_UNKNOWN;
+    LPWSTR sczId = NULL;
+    LPWSTR sczHost = NULL;
+    int iPort = 0;
+    eHandleExisting handleExisting = heIgnore;
+    LPWSTR sczCertificateThumbprint = NULL;
+    LPWSTR sczAppId = NULL;
+    LPWSTR sczCertificateStore = NULL;
+
+    BOOL fRollback = ::MsiGetMode(hInstall, MSIRUNMODE_ROLLBACK);
+    BOOL fRemove = FALSE;
+    BOOL fAdd = FALSE;
+    BOOL fFailOnExisting = FALSE;
+
+    GUID guidAppId = { };
+    BYTE* pbCertificateThumbprint = NULL;
+    DWORD cbCertificateThumbprint = 0;
+
+    // Initialize.
+    hr = WcaInitialize(hInstall, "ExecHttpSniSslCerts");
+    ExitOnFailure(hr, "Failed to initialize");
+
+    hr = HRESULT_FROM_WIN32(::HttpInitialize(HTTPAPI_VERSION_1, HTTP_INITIALIZE_CONFIG, NULL));
+    ExitOnFailure(hr, "Failed to initialize HTTP Server configuration");
+
+    fHttpInitialized = TRUE;
+
+    hr = WcaGetProperty(L"CustomActionData", &sczCustomActionData);
+    ExitOnFailure(hr, "Failed to get CustomActionData");
+    WcaLog(LOGMSG_TRACEONLY, "CustomActionData: %ls", sczCustomActionData);
+
+    wz = sczCustomActionData;
+    while (wz && *wz)
+    {
+        // Extract the custom action data and if rolling back, swap INSTALL and UNINSTALL.
+        hr = WcaReadIntegerFromCaData(&wz, &iTodo);
+        ExitOnFailure(hr, "Failed to read todo from custom action data");
+
+        hr = WcaReadStringFromCaData(&wz, &sczId);
+        ExitOnFailure(hr, "Failed to read Id from custom action data");
+
+        hr = WcaReadStringFromCaData(&wz, &sczHost);
+        ExitOnFailure(hr, "Failed to read Host from custom action data");
+
+        hr = WcaReadIntegerFromCaData(&wz, &iPort);
+        ExitOnFailure(hr, "Failed to read Port from custom action data");
+
+        hr = WcaReadIntegerFromCaData(&wz, reinterpret_cast<int*>(&handleExisting));
+        ExitOnFailure(hr, "Failed to read HandleExisting from custom action data");
+
+        hr = WcaReadStringFromCaData(&wz, &sczCertificateThumbprint);
+        ExitOnFailure(hr, "Failed to read CertificateThumbprint from custom action data");
+
+        hr = WcaReadStringFromCaData(&wz, &sczAppId);
+        ExitOnFailure(hr, "Failed to read AppId from custom action data");
+
+        hr = WcaReadStringFromCaData(&wz, &sczCertificateStore);
+        ExitOnFailure(hr, "Failed to read CertificateStore from custom action data");
+
+        switch (iTodo)
+        {
+        case WCA_TODO_INSTALL:
+        case WCA_TODO_REINSTALL:
+            fRemove = heReplace == handleExisting || fRollback;
+            fAdd = !fRollback || *sczCertificateThumbprint;
+            fFailOnExisting = heFail == handleExisting && !fRollback;
+            break;
+
+        case WCA_TODO_UNINSTALL:
+            fRemove = !fRollback;
+            fAdd = fRollback && *sczCertificateThumbprint;
+            fFailOnExisting = FALSE;
+            break;
+        }
+
+        if (fRemove)
+        {
+            hr = RemoveSniSslCert(sczId, sczHost, iPort);
+            if (S_OK == hr)
+            {
+                WcaLog(LOGMSG_STANDARD, "Removed SNI SSL certificate '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+            }
+            else if (FAILED(hr))
+            {
+                if (fRollback)
+                {
+                    WcaLogError(hr, "Failed to remove SNI SSL certificate to rollback '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+                }
+                else
+                {
+                    ExitOnFailure(hr, "Failed to remove SNI SSL certificate '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+                }
+            }
+        }
+
+        if (fAdd)
+        {
+            WcaLog(LOGMSG_STANDARD, "Adding SNI SSL certificate '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+
+            hr = StrAllocHexDecode(sczCertificateThumbprint, &pbCertificateThumbprint, &cbCertificateThumbprint);
+            ExitOnFailure(hr, "Failed to convert thumbprint to bytes for SNI SSL certificate '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+
+            hr = ::IIDFromString(sczAppId, &guidAppId);
+            ExitOnFailure(hr, "Failed to convert AppId '%ls' back to GUID for SNI SSL certificate '%ls' for hostname: %ls:%d", sczAppId, sczId, sczHost, iPort);
+
+            hr = AddSniSslCert(sczId, sczHost, iPort, pbCertificateThumbprint, cbCertificateThumbprint, &guidAppId, sczCertificateStore && *sczCertificateStore ? sczCertificateStore : L"MY");
+            if (S_FALSE == hr && fFailOnExisting)
+            {
+                hr = HRESULT_FROM_WIN32(ERROR_ALREADY_EXISTS);
+            }
+
+            if (S_OK == hr)
+            {
+                WcaLog(LOGMSG_STANDARD, "Added SNI SSL certificate '%ls' for hostname: %ls:%d with thumbprint: %ls", sczId, sczHost, iPort, sczCertificateThumbprint);
+            }
+            else if (FAILED(hr))
+            {
+                if (fRollback)
+                {
+                    WcaLogError(hr, "Failed to add SNI SSL certificate to rollback '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+                }
+                else
+                {
+                    ExitOnFailure(hr, "Failed to add SNI SSL certificate '%ls' for hostname: %ls:%d", sczId, sczHost, iPort);
+                }
+            }
+
+            ReleaseNullMem(pbCertificateThumbprint);
+        }
+    }
+
+LExit:
+    ReleaseMem(pbCertificateThumbprint);
+    ReleaseStr(sczCertificateStore);
+    ReleaseStr(sczAppId);
+    ReleaseStr(sczCertificateThumbprint);
+    ReleaseStr(sczHost);
+    ReleaseStr(sczId);
+    ReleaseStr(sczCustomActionData);
+
+    if (fHttpInitialized)
+    {
+        ::HttpTerminate(HTTP_INITIALIZE_CONFIG, NULL);
+    }
+
+    return WcaFinalize(FAILED(hr) ? ERROR_INSTALL_FAILURE : ERROR_SUCCESS);
+}
+
+static UINT SchedHttpSniSslCerts(
+    __in WCA_TODO todoSched
+)
+{
+    HRESULT hr = S_OK;
+    UINT er = ERROR_SUCCESS;
+    BOOL fHttpInitialized = FALSE;
+    DWORD cCertificates = 0;
+
+    PMSIHANDLE hView = NULL;
+    PMSIHANDLE hRec = NULL;
+    PMSIHANDLE hQueryReq = NULL;
+    PMSIHANDLE hAceView = NULL;
+
+    LPWSTR sczCustomActionData = NULL;
+    LPWSTR sczRollbackCustomActionData = NULL;
+
+    LPWSTR sczId = NULL;
+    LPWSTR sczComponent = NULL;
+    WCA_TODO todoComponent = WCA_TODO_UNKNOWN;
+    LPWSTR sczHost = NULL;
+    int iPort = 0;
+    LPWSTR sczCertificateThumbprint = NULL;
+    LPWSTR sczAppId = NULL;
+    LPWSTR sczCertificateStore = NULL;
+    int iHandleExisting = 0;
+
+    HTTP_SERVICE_CONFIG_SSL_SNI_SET* pExistingSniSslSet = NULL;
+
+    // Anything to do?
+    hr = WcaTableExists(L"Wix4HttpSniSslCert");
+    ExitOnFailure(hr, "Failed to check if the Wix4HttpSniSslCert table exists");
+    if (S_FALSE == hr)
+    {
+        WcaLog(LOGMSG_STANDARD, "Wix4HttpSniSslCert table doesn't exist, so there are no URL reservations to configure");
+        ExitFunction();
+    }
+
+    // Query and loop through all the SNI SSL certificates.
+    hr = WcaOpenExecuteView(vcsWixHttpSniSslCertQuery, &hView);
+    ExitOnFailure(hr, "Failed to open view on the Wix4HttpSniSslCert table");
+
+    hr = HRESULT_FROM_WIN32(::HttpInitialize(HTTPAPI_VERSION_1, HTTP_INITIALIZE_CONFIG, NULL));
+    ExitOnFailure(hr, "Failed to initialize HTTP Server configuration");
+
+    fHttpInitialized = TRUE;
+
+    while (S_OK == (hr = WcaFetchRecord(hView, &hRec)))
+    {
+        hr = WcaGetRecordString(hRec, hurqId, &sczId);
+        ExitOnFailure(hr, "Failed to get Wix4HttpSniSslCert.Wix4HttpSniSslCert");
+
+        hr = WcaGetRecordString(hRec, hurqComponent, &sczComponent);
+        ExitOnFailure(hr, "Failed to get Wix4HttpSniSslCert.Component_");
+
+        // Figure out what we're doing for this reservation, treating reinstall the same as install.
+        todoComponent = WcaGetComponentToDo(sczComponent);
+        if ((WCA_TODO_REINSTALL == todoComponent ? WCA_TODO_INSTALL : todoComponent) != todoSched)
+        {
+            WcaLog(LOGMSG_STANDARD, "Component '%ls' action state (%d) doesn't match request (%d) for Wix4HttpSniSslCert '%ls'", sczComponent, todoComponent, todoSched, sczId);
+            continue;
+        }
+
+        hr = WcaGetRecordFormattedString(hRec, hurqHost, &sczHost);
+        ExitOnFailure(hr, "Failed to get Wix4HttpSniSslCert.Host");
+
+        hr = WcaGetRecordFormattedInteger(hRec, hurqPort, &iPort);
+        ExitOnFailure(hr, "Failed to get Wix4HttpSniSslCert.Port");
+
+        hr = WcaGetRecordFormattedString(hRec, hurqCertificateThumbprint, &sczCertificateThumbprint);
+        ExitOnFailure(hr, "Failed to get Wix4HttpSniSslCert.CertificateThumbprint");
+
+        if (!sczHost || !*sczHost)
+        {
+            hr = E_INVALIDARG;
+            ExitOnFailure(hr, "Require a Host value for Wix4HttpSniSslCert '%ls'", sczId);
+        }
+
+        if (!iPort)
+        {
+            hr = E_INVALIDARG;
+            ExitOnFailure(hr, "Require a Port value for Wix4HttpSniSslCert '%ls'", sczId);
+        }
+
+        if (!sczCertificateThumbprint || !*sczCertificateThumbprint)
+        {
+            hr = E_INVALIDARG;
+            ExitOnFailure(hr, "Require a CertificateThumbprint value for Wix4HttpSniSslCert '%ls'", sczId);
+        }
+
+        hr = WcaGetRecordFormattedString(hRec, hurqAppId, &sczAppId);
+        ExitOnFailure(hr, "Failed to get AppId for Wix4HttpSniSslCert '%ls'", sczId);
+
+        hr = WcaGetRecordFormattedString(hRec, hurqCertificateStore, &sczCertificateStore);
+        ExitOnFailure(hr, "Failed to get CertificateStore for Wix4HttpSniSslCert '%ls'", sczId);
+
+        hr = WcaGetRecordInteger(hRec, hurqHandleExisting, &iHandleExisting);
+        ExitOnFailure(hr, "Failed to get HandleExisting for Wix4HttpSniSslCert '%ls'", sczId);
+
+        hr = GetSniSslCert(sczHost, iPort, &pExistingSniSslSet);
+        ExitOnFailure(hr, "Failed to get the existing SNI SSL certificate for Wix4HttpSniSslCert '%ls'", sczId);
+
+        hr = EnsureAppId(&sczAppId, pExistingSniSslSet);
+        ExitOnFailure(hr, "Failed to ensure AppId for Wix4HttpSniSslCert '%ls'", sczId);
+
+        hr = WriteExistingSniSslCert(todoComponent, sczId, sczHost, iPort, iHandleExisting, pExistingSniSslSet, &sczRollbackCustomActionData);
+        ExitOnFailure(hr, "Failed to write rollback custom action data for Wix4HttpSniSslCert '%ls'", sczId);
+
+        hr = WriteSniSslCert(todoComponent, sczId, sczHost, iPort, iHandleExisting, sczCertificateThumbprint, sczAppId, sczCertificateStore, &sczCustomActionData);
+        ExitOnFailure(hr, "Failed to write custom action data for Wix4HttpSniSslCert '%ls'", sczId);
+        ++cCertificates;
+
+        ReleaseNullMem(pExistingSniSslSet);
+    }
+
+    // Reaching the end of the list is not an error.
+    if (E_NOMOREITEMS == hr)
+    {
+        hr = S_OK;
+    }
+    ExitOnFailure(hr, "Failure occurred while processing Wix4HttpSniSslCert table");
+
+    // Schedule ExecHttpSniSslCerts if there's anything to do.
+    if (cCertificates)
+    {
+        WcaLog(LOGMSG_STANDARD, "Scheduling SNI SSL certificate (%ls)", sczCustomActionData);
+        WcaLog(LOGMSG_STANDARD, "Scheduling rollback SNI SSL certificate (%ls)", sczRollbackCustomActionData);
+
+        if (WCA_TODO_INSTALL == todoSched)
+        {
+            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION(L"WixRollbackHttpSniSslCertsInstall"), sczRollbackCustomActionData, cCertificates * COST_HTTP_SNI_SSL);
+            ExitOnFailure(hr, "Failed to schedule install SNI SSL certificate rollback");
+            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION(L"WixExecHttpSniSslCertsInstall"), sczCustomActionData, cCertificates * COST_HTTP_SNI_SSL);
+            ExitOnFailure(hr, "Failed to schedule install SNI SSL certificate execution");
+        }
+        else
+        {
+            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION(L"WixRollbackHttpSniSslCertsUninstall"), sczRollbackCustomActionData, cCertificates * COST_HTTP_SNI_SSL);
+            ExitOnFailure(hr, "Failed to schedule uninstall SNI SSL certificate rollback");
+            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION(L"WixExecHttpSniSslCertsUninstall"), sczCustomActionData, cCertificates * COST_HTTP_SNI_SSL);
+            ExitOnFailure(hr, "Failed to schedule uninstall SNI SSL certificate execution");
+        }
+    }
+    else
+    {
+        WcaLog(LOGMSG_STANDARD, "No SNI SSL certificates scheduled");
+    }
+
+LExit:
+    ReleaseMem(pExistingSniSslSet);
+    ReleaseStr(sczCertificateStore);
+    ReleaseStr(sczAppId);
+    ReleaseStr(sczCertificateThumbprint);
+    ReleaseStr(sczHost);
+    ReleaseStr(sczComponent);
+    ReleaseStr(sczId);
+    ReleaseStr(sczRollbackCustomActionData);
+    ReleaseStr(sczCustomActionData);
+
+    if (fHttpInitialized)
+    {
+        ::HttpTerminate(HTTP_INITIALIZE_CONFIG, NULL);
+    }
+
+    return WcaFinalize(er = FAILED(hr) ? ERROR_INSTALL_FAILURE : er);
+}
+
+static HRESULT WriteExistingSniSslCert(
+    __in WCA_TODO action,
+    __in_z LPCWSTR wzId,
+    __in_z LPCWSTR wzHost,
+    __in int iPort,
+    __in int iHandleExisting,
+    __in HTTP_SERVICE_CONFIG_SSL_SNI_SET* pSniSslSet,
+    __inout_z LPWSTR* psczCustomActionData
+)
+{
+    HRESULT hr = S_OK;
+    LPWSTR sczCertificateThumbprint = NULL;
+    LPWSTR sczAppId = NULL;
+    LPCWSTR wzCertificateStore = NULL;
+
+    if (pSniSslSet)
+    {
+        hr = StrAllocHexEncode(reinterpret_cast<BYTE*>(pSniSslSet->ParamDesc.pSslHash), pSniSslSet->ParamDesc.SslHashLength, &sczCertificateThumbprint);
+        ExitOnFailure(hr, "Failed to convert existing certificate thumbprint to hex for Wix4HttpSniSslCert '%ls'", wzId);
+
+        hr = StringFromGuid(pSniSslSet->ParamDesc.AppId, &sczAppId);
+        ExitOnFailure(hr, "Failed to copy existing AppId for Wix4HttpSniSslCert '%ls'", wzId);
+
+        wzCertificateStore = pSniSslSet->ParamDesc.pSslCertStoreName;
+    }
+
+    hr = WriteSniSslCert(action, wzId, wzHost, iPort, iHandleExisting, sczCertificateThumbprint ? sczCertificateThumbprint : L"", sczAppId ? sczAppId : L"", wzCertificateStore ? wzCertificateStore : L"", psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write custom action data for Wix4HttpSniSslCert '%ls'", wzId);
+
+LExit:
+    ReleaseStr(sczAppId);
+    ReleaseStr(sczCertificateThumbprint);
+
+    return hr;
+}
+
+static HRESULT WriteSniSslCert(
+    __in WCA_TODO action,
+    __in_z LPCWSTR wzId,
+    __in_z LPCWSTR wzHost,
+    __in int iPort,
+    __in int iHandleExisting,
+    __in_z LPCWSTR wzCertificateThumbprint,
+    __in_z LPCWSTR wzAppId,
+    __in_z_opt LPCWSTR wzCertificateStore,
+    __inout_z LPWSTR* psczCustomActionData
+)
+{
+    HRESULT hr = S_OK;
+
+    hr = WcaWriteIntegerToCaData(action, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write action to custom action data");
+
+    hr = WcaWriteStringToCaData(wzId, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write id to custom action data");
+
+    hr = WcaWriteStringToCaData(wzHost, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write Host to custom action data");
+
+    hr = WcaWriteIntegerToCaData(iPort, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write Port to custom action data");
+
+    hr = WcaWriteIntegerToCaData(iHandleExisting, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write HandleExisting to custom action data");
+
+    hr = WcaWriteStringToCaData(wzCertificateThumbprint, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write CertificateThumbprint to custom action data");
+
+    hr = WcaWriteStringToCaData(wzAppId, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write AppId to custom action data");
+
+    hr = WcaWriteStringToCaData(wzCertificateStore ? wzCertificateStore : L"", psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write CertificateStore to custom action data");
+
+LExit:
+    return hr;
+}
+
+static HRESULT EnsureAppId(
+    __inout_z LPWSTR* psczAppId,
+    __in_opt HTTP_SERVICE_CONFIG_SSL_SNI_SET* pExistingSniSslSet
+)
+{
+    HRESULT hr = S_OK;
+    RPC_STATUS rs = RPC_S_OK;
+    GUID guid = { };
+
+    if (!psczAppId || !*psczAppId || !**psczAppId)
+    {
+        if (pExistingSniSslSet)
+        {
+            hr = StringFromGuid(pExistingSniSslSet->ParamDesc.AppId, psczAppId);
+            ExitOnFailure(hr, "Failed to ensure AppId guid");
+        }
+        else
+        {
+            rs = ::UuidCreate(&guid);
+            hr = HRESULT_FROM_RPC(rs);
+            ExitOnRootFailure(hr, "Failed to create guid for AppId");
+
+            hr = StringFromGuid(guid, psczAppId);
+            ExitOnFailure(hr, "Failed to ensure AppId guid");
+        }
+    }
+
+LExit:
+    return hr;
+}
+
+static HRESULT StringFromGuid(
+    __in REFGUID rguid,
+    __inout_z LPWSTR* psczGuid
+)
+{
+    HRESULT hr = S_OK;
+    WCHAR wzGuid[39];
+
+    if (!::StringFromGUID2(rguid, wzGuid, countof(wzGuid)))
+    {
+        hr = E_OUTOFMEMORY;
+        ExitOnRootFailure(hr, "Failed to convert guid into string");
+    }
+
+    hr = StrAllocString(psczGuid, wzGuid, 0);
+    ExitOnFailure(hr, "Failed to copy guid");
+
+LExit:
+    return hr;
+}
+
+static HRESULT AddSniSslCert(
+    __in_z LPCWSTR /*wzId*/,
+    __in_z LPWSTR wzHost,
+    __in int iPort,
+    __in BYTE rgbCertificateThumbprint[],
+    __in DWORD cbCertificateThumbprint,
+    __in GUID* pAppId,
+    __in_z LPWSTR wzSslCertStore
+)
+{
+    HRESULT hr = S_OK;
+    DWORD er = ERROR_SUCCESS;
+    HTTP_SERVICE_CONFIG_SSL_SNI_SET set = { };
+
+    SetSniSslCertSetKey(&set.KeyDesc, wzHost, iPort);
+    set.ParamDesc.SslHashLength = cbCertificateThumbprint;
+    set.ParamDesc.pSslHash = rgbCertificateThumbprint;
+    set.ParamDesc.AppId = *pAppId;
+    set.ParamDesc.pSslCertStoreName = wzSslCertStore;
+
+    er = ::HttpSetServiceConfiguration(NULL, HttpServiceConfigSslSniCertInfo, &set, sizeof(set), NULL);
+    if (ERROR_ALREADY_EXISTS == er)
+    {
+        hr = S_FALSE;
+    }
+    else
+    {
+        hr = HRESULT_FROM_WIN32(er);
+    }
+
+    return hr;
+}
+
+static HRESULT GetSniSslCert(
+    __in_z LPWSTR wzHost,
+    __in int nPort,
+    __out HTTP_SERVICE_CONFIG_SSL_SNI_SET** ppSet
+)
+{
+    HRESULT hr = S_OK;
+    DWORD er = ERROR_SUCCESS;
+    HTTP_SERVICE_CONFIG_SSL_SNI_QUERY query = { };
+    HTTP_SERVICE_CONFIG_SSL_SNI_SET* pSet = NULL;
+    ULONG cbSet = 0;
+
+    *ppSet = NULL;
+
+    query.QueryDesc = HttpServiceConfigQueryExact;
+    SetSniSslCertSetKey(&query.KeyDesc, wzHost, nPort);
+
+    er = ::HttpQueryServiceConfiguration(NULL, HttpServiceConfigSslSniCertInfo, &query, sizeof(query), pSet, cbSet, &cbSet, NULL);
+    if (ERROR_INSUFFICIENT_BUFFER == er)
+    {
+        pSet = reinterpret_cast<HTTP_SERVICE_CONFIG_SSL_SNI_SET*>(MemAlloc(cbSet, TRUE));
+        ExitOnNull(pSet, hr, E_OUTOFMEMORY, "Failed to allocate query SN SSL certificate buffer");
+
+        er = ::HttpQueryServiceConfiguration(NULL, HttpServiceConfigSslSniCertInfo, &query, sizeof(query), pSet, cbSet, &cbSet, NULL);
+    }
+
+    if (ERROR_SUCCESS == er)
+    {
+        *ppSet = pSet;
+        pSet = NULL;
+    }
+    else if (ERROR_FILE_NOT_FOUND == er)
+    {
+        hr = S_FALSE;
+    }
+    else
+    {
+        hr = HRESULT_FROM_WIN32(er);
+    }
+
+LExit:
+    ReleaseMem(pSet);
+
+    return hr;
+}
+
+static HRESULT RemoveSniSslCert(
+    __in_z LPCWSTR /*wzId*/,
+    __in_z LPWSTR wzHost,
+    __in int iPort
+)
+{
+    HRESULT hr = S_OK;
+    DWORD er = ERROR_SUCCESS;
+    HTTP_SERVICE_CONFIG_SSL_SNI_SET set = { };
+
+    SetSniSslCertSetKey(&set.KeyDesc, wzHost, iPort);
+
+    er = ::HttpDeleteServiceConfiguration(NULL, HttpServiceConfigSslSniCertInfo, &set, sizeof(set), NULL);
+    if (ERROR_FILE_NOT_FOUND == er)
+    {
+        hr = S_FALSE;
+    }
+    else
+    {
+        hr = HRESULT_FROM_WIN32(er);
+    }
+
+    return hr;
+}
+
+static void SetSniSslCertSetKey(
+    __in HTTP_SERVICE_CONFIG_SSL_SNI_KEY* pKey,
+    __in_z LPWSTR wzHost,
+    __in int iPort
+)
+{
+    pKey->Host = wzHost;
+    SOCKADDR_IN* pss = reinterpret_cast<SOCKADDR_IN*>(&pKey->IpPort);
+    pss->sin_family = AF_INET;
+    pss->sin_port = htons(static_cast<USHORT>(iPort));
+}
diff --git a/src/ext/Http/ca/wixhttpca.cpp b/src/ext/Http/ca/wixhttpca.cpp
new file mode 100644
index 00000000..8c846ffc
--- /dev/null
+++ b/src/ext/Http/ca/wixhttpca.cpp
@@ -0,0 +1,530 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+#include "precomp.h"
+
+static HRESULT AppendUrlAce(
+    __in LPWSTR wzSecurityPrincipal,
+    __in int iRights,
+    __in LPWSTR* psczSDDL
+    );
+static HRESULT WriteHttpUrlReservation(
+    __in WCA_TODO action,
+    __in LPWSTR wzUrl,
+    __in LPWSTR wzSDDL,
+    __in int iHandleExisting,
+    __in LPWSTR* psczCustomActionData
+    );
+static HRESULT AddUrlReservation(
+    __in LPWSTR wzUrl,
+    __in LPWSTR wzSddl
+    );
+static HRESULT GetUrlReservation(
+    __in LPWSTR wzUrl,
+    __deref_out_z LPWSTR* psczSddl
+    );
+static HRESULT RemoveUrlReservation(
+    __in LPWSTR wzUrl
+    );
+
+HTTPAPI_VERSION vcHttpVersion = HTTPAPI_VERSION_1;
+ULONG vcHttpFlags = HTTP_INITIALIZE_CONFIG;
+
+LPCWSTR vcsHttpUrlReservationQuery =
+    L"SELECT `Wix4HttpUrlReservation`.`Wix4HttpUrlReservation`, `Wix4HttpUrlReservation`.`HandleExisting`, `Wix4HttpUrlReservation`.`Sddl`, `Wix4HttpUrlReservation`.`Url`, `Wix4HttpUrlReservation`.`Component_` "
+    L"FROM `Wix4HttpUrlReservation`";
+enum eHttpUrlReservationQuery { hurqId = 1, hurqHandleExisting, hurqSDDL, hurqUrl, hurqComponent };
+
+LPCWSTR vcsHttpUrlAceQuery =
+    L"SELECT `Wix4HttpUrlAce`.`SecurityPrincipal`, `Wix4HttpUrlAce`.`Rights` "
+    L"FROM `Wix4HttpUrlAce` "
+    L"WHERE `Wix4HttpUrlAce`.`Wix4HttpUrlReservation_`=?";
+enum eHttpUrlAceQuery { huaqSecurityPrincipal = 1, huaqRights };
+
+/******************************************************************
+ SchedHttpUrlReservations - immediate custom action worker to 
+   prepare configuring URL reservations.
+
+********************************************************************/
+static UINT SchedHttpUrlReservations(
+    __in MSIHANDLE hInstall,
+    __in WCA_TODO todoSched
+    )
+{
+    HRESULT hr = S_OK;
+    UINT er = ERROR_SUCCESS;
+    BOOL fAceTableExists = FALSE;
+    BOOL fHttpInitialized = FALSE;
+    DWORD cUrlReservations = 0;
+
+    PMSIHANDLE hView = NULL;
+    PMSIHANDLE hRec = NULL;
+    PMSIHANDLE hQueryReq = NULL;
+    PMSIHANDLE hAceView = NULL;
+
+    LPWSTR sczCustomActionData = NULL;
+    LPWSTR sczRollbackCustomActionData = NULL;
+
+    LPWSTR sczId = NULL;
+    LPWSTR sczComponent = NULL;
+    WCA_TODO todoComponent = WCA_TODO_UNKNOWN;
+    LPWSTR sczUrl = NULL;
+    LPWSTR sczSecurityPrincipal = NULL;
+    int iRights = 0;
+    int iHandleExisting = 0;
+
+    LPWSTR sczExistingSDDL = NULL;
+    LPWSTR sczSDDL = NULL;
+
+    // Initialize.
+    hr = WcaInitialize(hInstall, "SchedHttpUrlReservations");
+    ExitOnFailure(hr, "Failed to initialize.");
+
+    // Anything to do?
+    hr = WcaTableExists(L"Wix4HttpUrlReservation");
+    ExitOnFailure(hr, "Failed to check if the Wix4HttpUrlReservation table exists.");
+    if (S_FALSE == hr)
+    {
+        WcaLog(LOGMSG_STANDARD, "Wix4HttpUrlReservation table doesn't exist, so there are no URL reservations to configure.");
+        ExitFunction();
+    }
+
+    hr = WcaTableExists(L"Wix4HttpUrlAce");
+    ExitOnFailure(hr, "Failed to check if the Wix4HttpUrlAce table exists.");
+    fAceTableExists = S_OK == hr;
+
+    // Query and loop through all the URL reservations.
+    hr = WcaOpenExecuteView(vcsHttpUrlReservationQuery, &hView);
+    ExitOnFailure(hr, "Failed to open view on the Wix4HttpUrlReservation table.");
+
+    hr = HRESULT_FROM_WIN32(::HttpInitialize(vcHttpVersion, vcHttpFlags, NULL));
+    ExitOnFailure(hr, "Failed to initialize HTTP Server configuration.");
+
+    fHttpInitialized = TRUE;
+
+    while (S_OK == (hr = WcaFetchRecord(hView, &hRec)))
+    {
+        hr = WcaGetRecordString(hRec, hurqId, &sczId);
+        ExitOnFailure(hr, "Failed to get Wix4HttpUrlReservation.Wix4HttpUrlReservation");
+
+        hr = WcaGetRecordString(hRec, hurqComponent, &sczComponent);
+        ExitOnFailure(hr, "Failed to get Wix4HttpUrlReservation.Component_");
+
+        // Figure out what we're doing for this reservation, treating reinstall the same as install.
+        todoComponent = WcaGetComponentToDo(sczComponent);
+        if ((WCA_TODO_REINSTALL == todoComponent ? WCA_TODO_INSTALL : todoComponent) != todoSched)
+        {
+            WcaLog(LOGMSG_STANDARD, "Component '%ls' action state (%d) doesn't match request (%d) for UrlReservation '%ls'.", sczComponent, todoComponent, todoSched, sczId);
+            continue;
+        }
+
+        hr = WcaGetRecordFormattedString(hRec, hurqUrl, &sczUrl);
+        ExitOnFailure(hr, "Failed to get Wix4HttpUrlReservation.Url");
+
+        hr = WcaGetRecordInteger(hRec, hurqHandleExisting, &iHandleExisting);
+        ExitOnFailure(hr, "Failed to get Wix4HttpUrlReservation.HandleExisting");
+
+        if (::MsiRecordIsNull(hRec, hurqSDDL))
+        {
+            hr = StrAllocString(&sczSDDL, L"D:", 2);
+            ExitOnFailure(hr, "Failed to allocate SDDL string.");
+
+            // Skip creating the SDDL on uninstall, since it's never used and the lookup(s) could fail.
+            if (fAceTableExists && WCA_TODO_UNINSTALL != todoComponent)
+            {
+                hQueryReq = ::MsiCreateRecord(1);
+                hr = WcaSetRecordString(hQueryReq, 1, sczId);
+                ExitOnFailure(hr, "Failed to create record for querying Wix4HttpUrlAce table for reservation %ls", sczId);
+
+                hr = WcaOpenView(vcsHttpUrlAceQuery, &hAceView);
+                ExitOnFailure(hr, "Failed to open view on Wix4HttpUrlAce table for reservation %ls", sczId);
+                hr = WcaExecuteView(hAceView, hQueryReq);
+                ExitOnFailure(hr, "Failed to execute view on Wix4HttpUrlAce table for reservation %ls", sczId);
+
+                while (S_OK == (hr = WcaFetchRecord(hAceView, &hRec)))
+                {
+                    hr = WcaGetRecordFormattedString(hRec, huaqSecurityPrincipal, &sczSecurityPrincipal);
+                    ExitOnFailure(hr, "Failed to get Wix4HttpUrlAce.SecurityPrincipal");
+
+                    hr = WcaGetRecordInteger(hRec, huaqRights, &iRights);
+                    ExitOnFailure(hr, "Failed to get Wix4HttpUrlAce.Rights");
+
+                    hr = AppendUrlAce(sczSecurityPrincipal, iRights, &sczSDDL);
+                    ExitOnFailure(hr, "Failed to append URL ACE.");
+                }
+
+                if (E_NOMOREITEMS == hr)
+                {
+                    hr = S_OK;
+                }
+                ExitOnFailure(hr, "Failed to enumerate selected rows from Wix4HttpUrlAce table.");
+            }
+        }
+        else
+        {
+            hr = WcaGetRecordFormattedString(hRec, hurqSDDL, &sczSDDL);
+            ExitOnFailure(hr, "Failed to get Wix4HttpUrlReservation.SDDL");
+        }
+
+        hr = GetUrlReservation(sczUrl, &sczExistingSDDL);
+        ExitOnFailure(hr, "Failed to get the existing SDDL for %ls", sczUrl);
+
+        hr = WriteHttpUrlReservation(todoComponent, sczUrl, sczExistingSDDL ? sczExistingSDDL : L"", iHandleExisting, &sczRollbackCustomActionData);
+        ExitOnFailure(hr, "Failed to write URL Reservation to rollback custom action data.");
+
+        hr = WriteHttpUrlReservation(todoComponent, sczUrl, sczSDDL, iHandleExisting, &sczCustomActionData);
+        ExitOnFailure(hr, "Failed to write URL reservation to custom action data.");
+        ++cUrlReservations;
+    }
+
+    // Reaching the end of the list is not an error.
+    if (E_NOMOREITEMS == hr)
+    {
+        hr = S_OK;
+    }
+    ExitOnFailure(hr, "Failure occurred while processing Wix4HttpUrlReservation table.");
+
+    // Schedule ExecHttpUrlReservations if there's anything to do.
+    if (cUrlReservations)
+    {
+        WcaLog(LOGMSG_STANDARD, "Scheduling URL reservations (%ls)", sczCustomActionData);
+        WcaLog(LOGMSG_STANDARD, "Scheduling rollback URL reservations (%ls)", sczRollbackCustomActionData);
+
+        if (WCA_TODO_INSTALL == todoSched)
+        {
+            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION(L"WixRollbackHttpUrlReservationsInstall"), sczRollbackCustomActionData, cUrlReservations * COST_HTTP_URL_ACL);
+            ExitOnFailure(hr, "Failed to schedule install URL reservations rollback.");
+            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION(L"WixExecHttpUrlReservationsInstall"), sczCustomActionData, cUrlReservations * COST_HTTP_URL_ACL);
+            ExitOnFailure(hr, "Failed to schedule install URL reservations execution.");
+        }
+        else
+        {
+            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION(L"WixRollbackHttpUrlReservationsUninstall"), sczRollbackCustomActionData, cUrlReservations * COST_HTTP_URL_ACL);
+            ExitOnFailure(hr, "Failed to schedule uninstall URL reservations rollback.");
+            hr = WcaDoDeferredAction(CUSTOM_ACTION_DECORATION(L"WixExecHttpUrlReservationsUninstall"), sczCustomActionData, cUrlReservations * COST_HTTP_URL_ACL);
+            ExitOnFailure(hr, "Failed to schedule uninstall URL reservations execution.");
+        }
+    }
+    else
+    {
+        WcaLog(LOGMSG_STANDARD, "No URL reservations scheduled.");
+    }
+
+LExit:
+    ReleaseStr(sczSDDL);
+    ReleaseStr(sczExistingSDDL);
+    ReleaseStr(sczSecurityPrincipal);
+    ReleaseStr(sczUrl)
+    ReleaseStr(sczComponent);
+    ReleaseStr(sczId);
+    ReleaseStr(sczRollbackCustomActionData);
+    ReleaseStr(sczCustomActionData);
+
+    if (fHttpInitialized)
+    {
+        ::HttpTerminate(vcHttpFlags, NULL);
+    }
+
+    return WcaFinalize(er = FAILED(hr) ? ERROR_INSTALL_FAILURE : er);
+}
+
+static HRESULT AppendUrlAce(
+    __in LPWSTR wzSecurityPrincipal,
+    __in int iRights,
+    __in LPWSTR* psczSDDL
+    )
+{
+    HRESULT hr = S_OK;
+    LPCWSTR wzSid = NULL;
+    LPWSTR sczSid = NULL;
+
+    Assert(wzSecurityPrincipal && *wzSecurityPrincipal);
+    Assert(psczSDDL && *psczSDDL);
+
+    // As documented in the xsd, if the first char is '*', then the rest of the string is a SID string, e.g. *S-1-5-18.
+    if (L'*' == wzSecurityPrincipal[0])
+    {
+        wzSid = &wzSecurityPrincipal[1];
+    }
+    else
+    {
+        hr = AclGetAccountSidStringEx(NULL, wzSecurityPrincipal, &sczSid);
+        ExitOnFailure(hr, "Failed to lookup the SID for account %ls", wzSecurityPrincipal);
+
+        wzSid = sczSid;
+    }
+
+    hr = StrAllocFormatted(psczSDDL, L"%ls(A;;%#x;;;%ls)", *psczSDDL, iRights, wzSid);
+
+LExit:
+    ReleaseStr(sczSid);
+
+    return hr;
+}
+
+static HRESULT WriteHttpUrlReservation(
+    __in WCA_TODO action,
+    __in LPWSTR wzUrl,
+    __in LPWSTR wzSDDL,
+    __in int iHandleExisting,
+    __in LPWSTR* psczCustomActionData
+    )
+{
+    HRESULT hr = S_OK;
+
+    hr = WcaWriteIntegerToCaData(action, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write action to custom action data.");
+
+    hr = WcaWriteStringToCaData(wzUrl, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write URL to custom action data.");
+
+    hr = WcaWriteStringToCaData(wzSDDL, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write SDDL to custom action data.");
+
+    hr = WcaWriteIntegerToCaData(iHandleExisting, psczCustomActionData);
+    ExitOnFailure(hr, "Failed to write HandleExisting to custom action data.")
+
+LExit:
+    return hr;
+}
+
+/******************************************************************
+ SchedHttpUrlReservationsInstall - immediate custom action entry
+   point to prepare adding URL reservations.
+
+********************************************************************/
+extern "C" UINT __stdcall SchedHttpUrlReservationsInstall(
+    __in MSIHANDLE hInstall
+    )
+{
+    return SchedHttpUrlReservations(hInstall, WCA_TODO_INSTALL);
+}
+
+/******************************************************************
+ SchedHttpUrlReservationsUninstall - immediate custom action entry
+   point to prepare removing URL reservations.
+
+********************************************************************/
+extern "C" UINT __stdcall SchedHttpUrlReservationsUninstall(
+    __in MSIHANDLE hInstall
+    )
+{
+    return SchedHttpUrlReservations(hInstall, WCA_TODO_UNINSTALL);
+}
+
+/******************************************************************
+ ExecHttpUrlReservations - deferred custom action entry point to 
+   register and remove URL reservations.
+
+********************************************************************/
+extern "C" UINT __stdcall ExecHttpUrlReservations(
+    __in MSIHANDLE hInstall
+    )
+{
+    HRESULT hr = S_OK;
+    BOOL fHttpInitialized = FALSE;
+    LPWSTR sczCustomActionData = NULL;
+    LPWSTR wz = NULL;
+    int iTodo = WCA_TODO_UNKNOWN;
+    LPWSTR sczUrl = NULL;
+    LPWSTR sczSDDL = NULL;
+    eHandleExisting handleExisting = heIgnore;
+    BOOL fRollback = ::MsiGetMode(hInstall, MSIRUNMODE_ROLLBACK);
+    BOOL fRemove = FALSE;
+    BOOL fAdd = FALSE;
+    BOOL fFailOnExisting = FALSE;
+
+    // Initialize.
+    hr = WcaInitialize(hInstall, "ExecHttpUrlReservations");
+    ExitOnFailure(hr, "Failed to initialize.");
+
+    hr = HRESULT_FROM_WIN32(::HttpInitialize(vcHttpVersion, vcHttpFlags, NULL));
+    ExitOnFailure(hr, "Failed to initialize HTTP Server configuration.");
+
+    fHttpInitialized = TRUE;
+
+    hr = WcaGetProperty(L"CustomActionData", &sczCustomActionData);
+    ExitOnFailure(hr, "Failed to get CustomActionData.");
+    WcaLog(LOGMSG_TRACEONLY, "CustomActionData: %ls", sczCustomActionData);
+
+    if (!sczCustomActionData || !*sczCustomActionData)
+    {
+        WcaLog(LOGMSG_STANDARD, "No URL reservations to be executed.");
+    }
+
+    wz = sczCustomActionData;
+    while (wz && *wz)
+    {
+        // Extract the custom action data and if rolling back, swap INSTALL and UNINSTALL.
+        hr = WcaReadIntegerFromCaData(&wz, &iTodo);
+        ExitOnFailure(hr, "Failed to read todo from custom action data.");
+
+        hr = WcaReadStringFromCaData(&wz, &sczUrl);
+        ExitOnFailure(hr, "Failed to read Url from custom action data.");
+
+        hr = WcaReadStringFromCaData(&wz, &sczSDDL);
+        ExitOnFailure(hr, "Failed to read SDDL from custom action data.");
+
+        hr = WcaReadIntegerFromCaData(&wz, reinterpret_cast<int*>(&handleExisting));
+        ExitOnFailure(hr, "Failed to read HandleExisting from custom action data.");
+
+        switch (iTodo)
+        {
+        case WCA_TODO_INSTALL:
+        case WCA_TODO_REINSTALL:
+            fRemove = heReplace == handleExisting || fRollback;
+            fAdd = !fRollback || *sczSDDL;
+            fFailOnExisting = heFail == handleExisting && !fRollback;
+            break;
+
+        case WCA_TODO_UNINSTALL:
+            fRemove = !fRollback;
+            fAdd = fRollback && *sczSDDL;
+            fFailOnExisting = FALSE;
+            break;
+        }
+
+        if (fRemove)
+        {
+            WcaLog(LOGMSG_STANDARD, "Removing reservation for URL '%ls'", sczUrl);
+            hr = RemoveUrlReservation(sczUrl);
+            if (FAILED(hr))
+            {
+                if (fRollback)
+                {
+                    WcaLogError(hr, "Failed to remove reservation for rollback for URL '%ls'", sczUrl);
+                }
+                else
+                {
+                    ExitOnFailure(hr, "Failed to remove reservation for URL '%ls'", sczUrl);
+                }
+            }
+        }
+
+        if (fAdd)
+        {
+            WcaLog(LOGMSG_STANDARD, "Adding reservation for URL '%ls' with SDDL '%ls'", sczUrl, sczSDDL);
+            hr = AddUrlReservation(sczUrl, sczSDDL);
+            if (S_FALSE == hr && fFailOnExisting)
+            {
+                hr = HRESULT_FROM_WIN32(ERROR_ALREADY_EXISTS);
+            }
+            if (FAILED(hr))
+            {
+                if (fRollback)
+                {
+                    WcaLogError(hr, "Failed to add reservation for rollback for URL '%ls' with SDDL '%ls'", sczUrl, sczSDDL);
+                }
+                else
+                {
+                    ExitOnFailure(hr, "Failed to add reservation for URL '%ls' with SDDL '%ls'", sczUrl, sczSDDL);
+                }
+            }
+        }
+    }
+
+LExit:
+    ReleaseStr(sczSDDL);
+    ReleaseStr(sczUrl);
+    ReleaseStr(sczCustomActionData);
+
+    if (fHttpInitialized)
+    {
+        ::HttpTerminate(vcHttpFlags, NULL);
+    }
+
+    return WcaFinalize(FAILED(hr) ? ERROR_INSTALL_FAILURE : ERROR_SUCCESS);
+}
+
+static HRESULT AddUrlReservation(
+    __in LPWSTR wzUrl,
+    __in LPWSTR wzSddl
+    )
+{
+    HRESULT hr = S_OK;
+    DWORD er = ERROR_SUCCESS;
+    HTTP_SERVICE_CONFIG_URLACL_SET set = { };
+
+    set.KeyDesc.pUrlPrefix = wzUrl;
+    set.ParamDesc.pStringSecurityDescriptor = wzSddl;
+
+    er = ::HttpSetServiceConfiguration(NULL, HttpServiceConfigUrlAclInfo, &set, sizeof(set), NULL);
+    if (ERROR_ALREADY_EXISTS == er)
+    {
+        hr = S_FALSE;
+    }
+    else
+    {
+        hr = HRESULT_FROM_WIN32(er);
+    }
+    ExitOnFailure(hr, "Failed to add URL reservation: %ls, ACL: %ls", wzUrl, wzSddl);
+
+LExit:
+    return hr;
+}
+
+static HRESULT GetUrlReservation(
+    __in LPWSTR wzUrl,
+    __deref_out_z LPWSTR* psczSddl
+    )
+{
+    HRESULT hr = S_OK;
+    DWORD er = ERROR_SUCCESS;
+    HTTP_SERVICE_CONFIG_URLACL_QUERY query = { };
+    HTTP_SERVICE_CONFIG_URLACL_SET* pSet = NULL;
+    ULONG cbSet = 0;
+
+    query.QueryDesc = HttpServiceConfigQueryExact;
+    query.KeyDesc.pUrlPrefix = wzUrl;
+
+    er = ::HttpQueryServiceConfiguration(NULL, HttpServiceConfigUrlAclInfo, &query, sizeof(query), pSet, cbSet, &cbSet, NULL);
+    if (ERROR_INSUFFICIENT_BUFFER == er)
+    {
+        pSet = reinterpret_cast<HTTP_SERVICE_CONFIG_URLACL_SET*>(MemAlloc(cbSet, TRUE));
+        ExitOnNull(pSet, hr, E_OUTOFMEMORY, "Failed to allocate query URLACL buffer.");
+
+        er = ::HttpQueryServiceConfiguration(NULL, HttpServiceConfigUrlAclInfo, &query, sizeof(query), pSet, cbSet, &cbSet, NULL);
+    }
+    
+    if (ERROR_SUCCESS == er)
+    {
+        hr = StrAllocString(psczSddl, pSet->ParamDesc.pStringSecurityDescriptor, 0);
+    }
+    else if (ERROR_FILE_NOT_FOUND == er)
+    {
+        hr = S_FALSE;
+    }
+    else
+    {
+        hr = HRESULT_FROM_WIN32(er);
+    }
+
+LExit:
+    ReleaseMem(pSet);
+
+    return hr;
+}
+
+static HRESULT RemoveUrlReservation(
+    __in LPWSTR wzUrl
+    )
+{
+    HRESULT hr = S_OK;
+    DWORD er = ERROR_SUCCESS;
+    HTTP_SERVICE_CONFIG_URLACL_SET set = { };
+
+    set.KeyDesc.pUrlPrefix = wzUrl;
+
+    er = ::HttpDeleteServiceConfiguration(NULL, HttpServiceConfigUrlAclInfo, &set, sizeof(set), NULL);
+    if (ERROR_FILE_NOT_FOUND == er)
+    {
+        hr = S_FALSE;
+    }
+    else
+    {
+        hr = HRESULT_FROM_WIN32(er);
+    }
+    ExitOnFailure(hr, "Failed to remove URL reservation: %ls", wzUrl);
+
+LExit:
+    return hr;
+}
diff --git a/src/ext/Http/ca/wixhttpca.def b/src/ext/Http/ca/wixhttpca.def
new file mode 100644
index 00000000..281c5631
--- /dev/null
+++ b/src/ext/Http/ca/wixhttpca.def
@@ -0,0 +1,12 @@
+; Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+
+LIBRARY      "httpca"
+
+EXPORTS
+        SchedHttpUrlReservationsInstall
+        SchedHttpUrlReservationsUninstall
+        ExecHttpUrlReservations
+        SchedHttpSniSslCertsInstall
+        SchedHttpSniSslCertsUninstall
+        ExecHttpSniSslCerts