IIS Support Blog

Centralized Certificate Store (CCS) and IIS bindings

Nedim
Iron Contributor
May 17, 2019

Starting with IIS 8, the Centralized Certificate Store (CCS) feature can be used to load website certificates from a network share. This makes certificate management much easier: certificates are kept in a single store instead of being imported into every server's local certificate store, and renewing a certificate means replacing one file on the share rather than touching each web server.

 

There are two steps to start using CCS:

  1. Configure IIS to use CCS
  2. Add an IIS binding to your website (using IIS Manager or PowerShell)

 

Configure IIS to use CCS

Install the CCS feature (listed under Web Server > Security as "Centralized SSL Certificate Support") via Server Manager.

After the installation:

  1. Open IIS Manager. Click the server name
  2. Double click "Centralized Certificates"
  3. Click "Edit Feature Settings"
  4. Fill out the settings:
    • Physical path (most commonly a network share)
    • Username and password used to access this path
    • Private key password for the certificates (if the PFX files are password protected)

After clicking “OK”, IIS reads the certificates from the path and populates the information about the certificates.

 

IIS determines which certificate belongs to which website by file name, not by inspecting the certificate: the file must be named after the host name the certificate was issued for (<host name>.pfx). For a binding with host name www.contoso.com, IIS looks for www.contoso.com.pfx in the CCS path; if that file does not exist it falls back to the wildcard file _.contoso.com.pfx (the underscore stands in for "*", which is not allowed in file names). The file name therefore has to match the binding's host name exactly, and a certificate that covers several host names needs one copy of the file per name.

 

IIS stores the CCS configuration in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IIS\CentralCertProvider (the share path, the user name, and the share and private key passwords in encrypted form). Because the PFX files on the share contain private keys, restrict the share and NTFS permissions so that only the account entered above and the administrators who manage certificates can read them.
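The same configuration can be done from PowerShell with the WebAdministration module, which is handy when several servers share one store. The script below is an added example and is not part of the original post: it installs the feature, enables CCS, and then opens every .pfx in the share to check that its file name matches a DNS name the certificate is actually valid for (the naming rule described above). The share path \\fileserver\ccs and the account CONTOSO\svc-ccs are placeholders; replace them with your own.

```powershell
# Added example, not code from the original post.
# Assumptions (placeholders): share \\fileserver\ccs, service account CONTOSO\svc-ccs.
# Run in an elevated PowerShell session on the IIS host.
Import-Module WebAdministration

# Equivalent of the Server Manager step.
Install-WindowsFeature Web-CertProvider

# Point IIS at the share. These values are written (encrypted) under
# HKLM\SOFTWARE\Microsoft\IIS\CentralCertProvider.
$shareCred   = Get-Credential -UserName 'CONTOSO\svc-ccs' -Message 'Account that can read the CCS share'
$pfxPassword = Read-Host -Prompt 'Private key password of the PFX files'
Enable-WebCentralCertProvider -CertStoreLocation '\\fileserver\ccs' `
    -UserName $shareCred.UserName `
    -Password $shareCred.GetNetworkCredential().Password `
    -PrivateKeyPassword $pfxPassword
Get-WebCentralCertProvider

function Test-CcsPfxNames {
    <#
      Opens each .pfx in the share and reports whether its file name matches a
      DNS name the certificate covers. A file IIS cannot open, or whose name
      matches no CN/SAN entry, will never be served for any binding.
    #>
    param(
        [Parameter(Mandatory)] [string] $ShareRoot,
        [Parameter(Mandatory)] [string] $PfxPassword
    )
    foreach ($file in Get-ChildItem -Path $ShareRoot -Filter '*.pfx') {
        # Wildcard files are named "_.contoso.com.pfx" because "*" is not a valid file name character.
        $expectedName = $file.BaseName -replace '^_\.', '*.'
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                        -ArgumentList $file.FullName, $PfxPassword
        } catch {
            [pscustomobject]@{ File = $file.Name; ExpectedHost = $expectedName; CertNames = $null
                               Status = 'cannot open PFX (wrong password or corrupt file)' }
            continue
        }
        # DNS names the certificate covers: the subject CN plus any SAN entries.
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            # Format($false) yields "DNS Name=a.contoso.com, DNS Name=b.contoso.com"
            $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1].Trim() })
        }
        $status = if (-not $cert.HasPrivateKey) { 'PFX has no private key' }
                  elseif ($cert.NotAfter -lt (Get-Date)) { 'expired' }
                  elseif ($names -notcontains $expectedName) { "file name matches none of: $($names -join ', ')" }
                  else { 'OK' }
        [pscustomobject]@{ File = $file.Name; ExpectedHost = $expectedName
                           CertNames = ($names -join ', '); Status = $status }
    }
}

Test-CcsPfxNames -ShareRoot '\\fileserver\ccs' -PfxPassword $pfxPassword | Format-Table -AutoSize
```

Run the check under an account that can read the share. A row with Status "cannot open PFX" or "file name matches none of" is exactly the situation where the certificate appears in the Centralized Certificates list but the site still fails to serve it.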

 

Add an IIS binding

Add an IIS binding by using IIS Manager

  1. Go to IIS Manager. Select the website
  2. Click "Bindings…". Click "Add"
  3. Select "https" as the "Type"
  4. Check "Use Centralized Certificate Store"

Add an IIS binding by using PowerShell

Run the commands below in an elevated PowerShell session with the WebAdministration module loaded. The first creates the https binding on the site; the second registers the matching SSL binding with HTTP.sys. sslFlags 3 means "use SNI and take the certificate from the Centralized Certificate Store", which is why no certificate thumbprint is given.

# Add an https binding for host name "localhost" on port 443, all IP addresses, using SNI and CCS
New-WebBinding -Name "Default Web Site" -sslFlags 3 -Protocol https -IPAddress * -Port 443 -HostHeader "localhost"

# Register the SSL binding (path format IIS:\SslBindings\<IP>!<port>!<host name>; empty IP = all addresses).
# With CCS no -Thumbprint is needed: IIS picks localhost.pfx from the share at request time.
New-Item -Path "IIS:\SslBindings\!443!localhost" -sslFlags 3

 

The sslFlags parameter is a bitmask: bit value 1 enables SNI and bit value 2 enables the Centralized Certificate Store, so the four possible values mean:

sslFlags  Description                                                              Use CCS  Use SNI
0         SSL binding does not use SNI                                             0        0
1         SSL binding uses SNI                                                     0        1
2         SSL binding does not use SNI, but uses the Central Certificate Store     1        0
          (the host name for the certificate lookup is taken from the binding
          information in applicationHost.config)
3         SSL binding uses both SNI and the Central Certificate Store              1        1

 

IIS stores the binding information in Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo
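Because a CCS binding only works when the share holds a file IIS can select for the binding's host name, it is worth auditing bindings and files together. The script below is an added example, not code from the original post: it lists every https binding on the server, decodes sslFlags using the bit values from the table above, and for each CCS binding checks for the exact-name file and then the wildcard fallback. It assumes the share path is stored in the CertStoreLocation value under the HKLM\SOFTWARE\Microsoft\IIS\CentralCertProvider key mentioned earlier.

```powershell
# Added example, not code from the original post.
# Assumption: the share path is in the CertStoreLocation value of the CCS registry key.
Import-Module WebAdministration

function Get-CcsBindingAudit {
    $shareRoot = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\IIS\CentralCertProvider').CertStoreLocation
    foreach ($site in Get-ChildItem IIS:\Sites) {
        $https = $site.Bindings.Collection | Where-Object { $_.protocol -eq 'https' }
        foreach ($b in $https) {
            # sslFlags is a bitmask: 1 = SNI, 2 = Centralized Certificate Store.
            $flags   = [int]$b.sslFlags
            $usesSni = ($flags -band 1) -ne 0
            $usesCcs = ($flags -band 2) -ne 0
            # bindingInformation has the form "IP:port:hostname".
            $ip, $port, $hostName = $b.bindingInformation -split ':', 3
            $pfx    = $null
            $status = 'OK (certificate from local store)'
            if ($usesCcs) {
                if ([string]::IsNullOrEmpty($hostName)) {
                    $status = 'CCS binding without host name: IIS has nothing to look up'
                } else {
                    # Lookup order IIS uses: exact host name, then the wildcard file of the parent domain.
                    $candidates = @("$hostName.pfx")
                    $parent = ($hostName -split '\.', 2)[1]
                    if ($parent) { $candidates += "_.$parent.pfx" }
                    $pfx = $candidates | Where-Object { Test-Path (Join-Path $shareRoot $_) } | Select-Object -First 1
                    $status = if ($pfx) { 'OK (CCS)' } else { "missing: $($candidates -join ' or ') in $shareRoot" }
                }
            }
            [pscustomobject]@{
                Site = $site.Name; Binding = $b.bindingInformation; SslFlags = $flags
                SNI = $usesSni; CCS = $usesCcs; PfxFile = $pfx; Status = $status
            }
        }
    }
}

Get-CcsBindingAudit | Format-Table -AutoSize
```

Run it as an account that can read the share; a "missing" row means the TLS handshake for that host name will fail even though the binding itself looks correct in IIS Manager.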

Updated May 17, 2019
Version 2.0

12 Comments

  •
    Nedim
    Iron Contributor

    Hi Paul_Heinrich, after you set up CCS and browse the site, which certificate shows up (in the window where you see the PR_CONNECT_RESET error)? Is it the certificate you put in the CCS path, or is there no certificate at all?

     

    Just to make sure changes are effective right away, please reset IIS and clear the browser cache after enabling CCS.

  •
    Paul_Heinrich
    Copper Contributor

    Hello,

     

    I'm trying to set up a centralized certificate store so I can host two URLs from my server, "cawl.nau.edu" and "payment.mpcer.nau.edu". I installed and enabled the feature, created pfx files for my certificates and imported them with the names "cawl.nau.ed.pfx" and "payment.mpcer.nau.edu.pfx". When I open Centralized Certificates they both appear, but do not show any details. When I try to bind them using the centralized store in the bindings manager, neither seems to be applied. When trying to visit either site I get a "PR_CONNECT_RESET" error. If I go back into the bindings manager, I can choose SNI, unclick centralized store and then choose to bind the certificates in the SSL certificate drop down. If I rebind in this manner the payment.mpcer.nau.edu site works fine, but cawl.nau.edu still produces the "PR_CONNECT_RESET_ERROR". Can you tell what I am doing wrong?