After IIS8, CCS (Centralized Certificate Store) feature can be used to pick up website certificates from a network share. It makes certificate management a lot easier from a single store instead of m...
Hi, I am experiencing some issues with CCS and VM automation in an Azure Scaleset. Basically, I set up a Scaleset which points to two different file shares, one for IIS shared config and one for CCS, and an init PowerShell script which binds both to IIS. I also set manually in the shared applicationHost.config file the sslFlags="3" parameter inside each SSL binding. The script is working properly and when a new VM spins up I can see that both shared config and CCS are working, and if I check the bindings they are properly configured, but if I try to browse a website I get the generic "PR_CONNECT_RESET_ERROR" error. To solve this I have to manually go to "Edit Site Binding" from IIS Manager and disable and re-enable "Use Centralized Certification Store" (as in the picture) and it suddenly starts to work. I see it refreshes the applicationHost.config file because the save date changes, but I compared before and after and no changes were made (so it basically re-applies what it already had).
I am really struggling with this. I also tried to perform an iisreset after the execution of the script, but without luck. Do you have any idea how to fix this?
EDIT: I'm posting the solution, in case it could be helpful for someone else. The problem was that it is not enough to enable the Centralized SSL and have the correct bindings already inside the applicationHost.config and hosts file: each time a new server comes up it is also necessary to bind HTTP.SYS. The solution was to add to my init script the update of a fake binding to remap everything:
Import-Module WebAdministration
# remove the test binding if it already exists, so the script can be re-run
Get-Website -Name "Default Web Site" | Get-WebBinding -Protocol "https" -HostHeader "TestSite" | Remove-WebBinding
New-WebBinding -Name "Default Web Site" -Port 443 -SslFlags 3 -Protocol https -HostHeader "TestSite" # this recreates the test binding in IIS (sslFlags 3 = SNI + CCS)
New-Item -Path "IIS:\SslBindings\!443!TestSite" -SslFlags 3 # this registers the binding in HTTP.SYS
netsh http show sslcert # confirm HTTP.SYS now lists the SSL bindings
Now my automation works perfectly: once the binding is created, all the existing bindings work with the proper SSL certificate.
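An idempotent version of the init-script step described above, as an added example that is not part of the original post: for each host header it checks that the CCS share holds the matching <hostname>.pfx, creates the IIS binding with sslFlags 3 only if missing, and registers the HTTP.SYS binding only if missing, so the script can be re-run on every VM without first removing a fake binding. The share path, site name, host headers and the function name Register-CcsBinding are assumptions.

```powershell
# Added example, not the original poster's script. Assumed values: the CCS
# share path, the site name and the host headers used at the bottom.
Import-Module WebAdministration

function Register-CcsBinding {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$HostHeader,
        [Parameter(Mandatory)][string]$CcsShare,   # assumed UNC path of the CCS share
        [int]$Port = 443
    )

    # CCS resolves the certificate by file name (<hostname>.pfx on the share).
    # A missing file also produces a connection reset, so fail fast here.
    $pfx = Join-Path $CcsShare "$HostHeader.pfx"
    if (-not (Test-Path $pfx)) {
        throw "CCS certificate file not found on share: $pfx"
    }

    # 1. Site binding in applicationHost.config with sslFlags 3 (SNI + CCS).
    #    bindingInformation for a host-header binding looks like "*:443:host".
    $existing = Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -eq "*:${Port}:${HostHeader}" }
    if (-not $existing) {
        New-WebBinding -Name $SiteName -Protocol https -Port $Port `
            -HostHeader $HostHeader -SslFlags 3
    }

    # 2. HTTP.SYS registration. This is the part that the shared
    #    applicationHost.config does not carry to a freshly built VM.
    $sslPath = "IIS:\SslBindings\!${Port}!${HostHeader}"
    if (-not (Test-Path $sslPath)) {
        New-Item -Path $sslPath -SslFlags 3 | Out-Null
    }

    # 3. Verify the HTTP.SYS entry now exists; netsh output is for the operator.
    if (-not (Test-Path $sslPath)) {
        throw "HTTP.SYS SSL binding was not created for ${HostHeader}:${Port}"
    }
    netsh http show sslcert hostnameport="${HostHeader}:${Port}"
    return $true
}

# Constructed host headers for illustration; replace with the real site names.
foreach ($h in @('www.example.com', 'api.example.com')) {
    Register-CcsBinding -SiteName 'Default Web Site' -HostHeader $h `
        -CcsShare '\\fileserver\ccs'
}
```

Because every step is guarded by a check, the function is safe to call from the Scaleset init script on each boot and after an iisreset.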