Microsoft

Starting with IIS 8, the Centralized Certificate Store (CCS) feature lets IIS load website certificates from a network share. Certificates are then managed in a single store instead of in every server’s local certificate store, which is what you want on a web farm where the same certificate has to exist on every node.

 

There are two steps to start using CCS:

  1. Configure IIS to use CCS
  2. Add an IIS binding to your website (using IIS Manager or PowerShell)

 

Configure IIS to use CCS

Install the CCS feature via Server Manager; it is the “Centralized SSL Certificate Support” role service under Web Server (IIS) > Web Server > Security.


 

After the installation:

  1. Open IIS Manager and click the server name
  2. Double-click “Centralized Certificates”
  3. Click “Edit Feature Settings”
  4. Fill out the settings:
    • Physical path (most commonly a network share)
    • Username and password used to access that path (use a dedicated account with read-only access: the share holds every site’s private key)
    • Private key password for the .pfx files, if they have one (one password is used for every file in the store, so all files must share it)


After clicking “OK”, IIS reads the certificates from the path and populates their details in the Centralized Certificates view. An entry shown with a red X could not be opened, typically because the private key password is missing or wrong.
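The same setup from PowerShell, as an added example that is not part of the original post. It uses the WebAdministration module’s Enable-WebCentralCertProvider cmdlet instead of the IIS Manager dialog; the share path, the service account and the prompts are assumptions. Run it in an elevated Windows PowerShell session on the IIS server.

```powershell
# Added example, not from the original post. Share path and account name are placeholders.
Import-Module ServerManager
Import-Module WebAdministration

# 1. Install the role service (shown as "Centralized SSL Certificate Support" in Server Manager).
Install-WindowsFeature -Name Web-CertProvider

# 2. Point IIS at the store. Use a dedicated, low-privilege domain account that has
#    read-only access to the share: the share holds every site's private key, and IIS
#    keeps these credentials under HKLM:\SOFTWARE\Microsoft\IIS\CentralCertProvider.
$shareUser = 'CONTOSO\svc-iis-ccs'                                   # assumed account
$sharePw   = Read-Host -Prompt "Password for $shareUser" -AsSecureString
$pfxPw     = Read-Host -Prompt 'Private key password shared by all .pfx files (blank if none)' -AsSecureString

function ConvertFrom-Secure {
    # The cmdlet wants plain strings; convert at the last moment instead of hard-coding secrets.
    param([securestring]$Secure)
    (New-Object System.Net.NetworkCredential('', $Secure)).Password
}

$params = @{
    CertStoreLocation = '\\fileserver\ccs'                            # assumed share path
    UserName          = $shareUser
    Password          = ConvertFrom-Secure $sharePw
}
$pfxPlain = ConvertFrom-Secure $pfxPw
if ($pfxPlain) { $params.PrivateKeyPassword = $pfxPlain }            # only one password for the whole store

Enable-WebCentralCertProvider @params

# 3. Verify what IIS recorded: the cmdlet view and the registry key it writes.
Get-WebCentralCertProvider
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\IIS\CentralCertProvider'
```

After this, reopen “Centralized Certificates” in IIS Manager: every .pfx on the share should be listed without a red X before you add any binding.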

 

IIS determines which certificate belongs to which website purely from the file name, using the convention <subject name of the certificate>.pfx:

  • If the host name is www.contoso.com, IIS looks for www.contoso.com.pfx
  • If there is no exact match, it looks for a wildcard certificate named _.contoso.com.pfx (an underscore stands in for the asterisk, which is not a valid file name character)
  • If the certificate has Subject Alternative Names (SANs), store one copy of the file per name, for example www.contoso1.com.pfx and www.contoso2.com.pfx

Because the lookup is by file name only, anyone who can write to the share can make IIS serve an arbitrary certificate and key for any host name. Treat the share ACL as the trust boundary: the CCS account needs read access and nothing more, and write access belongs only to whatever process renews certificates.

 

IIS stores the CCS configuration, including the share credentials and the private key password, in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IIS\CentralCertProvider. Local administrators of every web server that uses the store therefore effectively hold the credentials to it, which is one more reason to give the CCS account read-only rights to the share.
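As an added example (not part of the original post), the script below does two things a practitioner wants before trusting a CCS share: it publishes one PFX under every name the certificate carries (subject CN plus DNS SANs, with a wildcard asterisk rewritten to an underscore), and it audits an existing store for files whose name matches none of the names in the certificate, files that cannot be opened with the store’s private key password, files without a private key, and expired files. It assumes Windows PowerShell 5.1 on the IIS server and an English locale for the SAN extension text (“DNS Name=”); the share path, PFX path and password in the usage lines are placeholders.

```powershell
# Added example, not from the original post. Paths, names and the password are placeholders.

function Get-PfxDnsNames {
    # Every DNS name a certificate is valid for: the subject CN plus DNS entries of subjectAltName.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = New-Object System.Collections.Generic.List[string]
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names.Add($cn.ToLowerInvariant()) }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Format() yields "DNS Name=a.example.com, DNS Name=b.example.com" on an English system (assumption).
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names.Add($m.Groups[1].Value.ToLowerInvariant())
        }
    }
    $names | Select-Object -Unique
}

function ConvertTo-CcsFileName {
    # CCS looks up <hostname>.pfx; a wildcard *.example.com is stored as _.example.com.pfx
    # because '*' is not a legal file name character.
    param([string]$DnsName)
    ($DnsName -replace '^\*', '_') + '.pfx'
}

function Publish-CcsCertificate {
    # Copy one PFX into the store once per name it covers, so every SAN resolves to a file.
    param([string]$PfxPath, [string]$StorePath, [string]$PrivateKeyPassword = '')
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PrivateKeyPassword)
    foreach ($name in Get-PfxDnsNames -Cert $cert) {
        $dest = Join-Path $StorePath (ConvertTo-CcsFileName $name)
        Copy-Item -Path $PfxPath -Destination $dest -Force
        $dest
    }
}

function Test-CcsStore {
    # Audit every .pfx in the store against what IIS will do with it: open it with the
    # store-wide password, then check the file name against the names inside the certificate.
    param([string]$StorePath, [string]$PrivateKeyPassword = '')
    foreach ($file in Get-ChildItem -Path $StorePath -Filter *.pfx) {
        $expected = $file.Name.ToLowerInvariant()
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName, $PrivateKeyPassword)
        } catch {
            [pscustomobject]@{ File = $file.Name; Status = 'UNREADABLE (wrong private key password?)'; Names = ''; NotAfter = $null }
            continue
        }
        $names = @(Get-PfxDnsNames -Cert $cert)
        $validFileNames = $names | ForEach-Object { ConvertTo-CcsFileName $_ }
        $status = if (-not $cert.HasPrivateKey) { 'NO PRIVATE KEY' }
                  elseif ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' }
                  elseif ($validFileNames -notcontains $expected) { 'NAME MISMATCH (IIS will not select this file for its names)' }
                  else { 'OK' }
        [pscustomobject]@{ File = $file.Name; Status = $status; Names = ($names -join ', '); NotAfter = $cert.NotAfter }
    }
}

# Usage (placeholders): publish a SAN certificate, then audit the whole share.
Publish-CcsCertificate -PfxPath 'C:\certs\contoso-san.pfx' -StorePath '\\fileserver\ccs' -PrivateKeyPassword 'Pfx-Passw0rd'
Test-CcsStore -StorePath '\\fileserver\ccs' -PrivateKeyPassword 'Pfx-Passw0rd' | Format-Table -AutoSize
```

A file reported as NAME MISMATCH is exactly the silent failure CCS is prone to: the file sits in the store and looks healthy in IIS Manager, but no binding will ever select it because its name does not equal a host name the certificate covers.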

 

Add an IIS binding

Add an IIS binding by using IIS Manager

  1. Go to IIS Manager. Select the website
  2. Click “Bindings…”, then click “Add”
  3. Select “https” as the “Type”
  4. Check “Use Centralized Certificate Store”


Add an IIS binding by using PowerShell

Run the commands below. The first adds the https binding to the site; the second registers the matching HTTP.sys SSL binding (the path is IP!port!hostname, and the empty IP means any address). No certificate thumbprint is given: with CCS, HTTP.sys looks up <hostname>.pfx in the store, so the host header used here (“localhost”) must correspond to a file named localhost.pfx.

New-WebBinding -Name "Default Web Site" -Protocol https -IPAddress "*" -Port 443 -HostHeader "localhost" -SslFlags 3

New-Item -Path "IIS:\SslBindings\!443!localhost" -SslFlags 3

 

The sslFlags parameter is a bitmask: value 1 turns on SNI, value 2 turns on the Central Certificate Store, so 3 means both.

  sslFlags  Use CCS  Use SNI  Description
  0         0        0        SSL binding does not use SNI
  1         0        1        SSL binding uses SNI
  2         1        0        SSL binding does not use SNI, but uses the Central Certificate Store (the host name for the certificate lookup is taken from the binding information in applicationHost.config)
  3         1        1        SSL binding uses both SNI and the Central Certificate Store

 

IIS (more precisely HTTP.sys) stores the binding information in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo. The same bindings can be listed with netsh http show sslcert.
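The binding procedure above, scripted for several host names and followed by the check that matters: a TLS handshake against the server with each SNI name, reporting which certificate HTTP.sys actually presented. This is an added example, not code from the original post; the site name, host names and the target address are assumptions. If no <hostname>.pfx exists in the store (or it cannot be opened), HTTP.sys has nothing to present and the handshake fails, which a browser typically reports as a connection reset.

```powershell
# Added example, not from the original post. Site and host names are placeholders.
Import-Module WebAdministration

function Add-CcsBinding {
    # sslFlags is a bitmask: 1 = SNI, 2 = CCS, so 3 = both. No thumbprint is supplied;
    # HTTP.sys loads <HostName>.pfx from the central store when a client sends that SNI name.
    param([string]$Site, [string]$HostName, [int]$Port = 443)
    if (-not (Get-WebBinding -Name $Site -Protocol https -Port $Port -HostHeader $HostName)) {
        New-WebBinding -Name $Site -Protocol https -IPAddress '*' -Port $Port -HostHeader $HostName -SslFlags 3
    }
    $sslPath = "IIS:\SslBindings\!$Port!$HostName"        # empty IP segment = any address, SNI host
    if (-not (Test-Path $sslPath)) { New-Item -Path $sslPath -SslFlags 3 | Out-Null }
}

function Test-ServedCertificate {
    # Open a TLS session with the SNI name set to $HostName and report the certificate returned.
    # Validation is bypassed on purpose: the question is *which* certificate was served, not trust.
    param([string]$HostName, [string]$Target = '127.0.0.1', [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ SNI = $HostName; Subject = $cert.Subject; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
    } catch {
        # Typical when no <HostName>.pfx is in the store or it cannot be opened with the store password.
        [pscustomobject]@{ SNI = $HostName; Subject = "HANDSHAKE FAILED: $($_.Exception.Message)"; NotAfter = $null; Thumbprint = $null }
    } finally {
        $tcp.Close()
    }
}

# Usage (placeholders): bind two hosts on the default site, list what HTTP.sys holds, then probe.
$hosts = 'www.contoso.com', 'api.contoso.com'
foreach ($h in $hosts) { Add-CcsBinding -Site 'Default Web Site' -HostName $h }
Get-ChildItem IIS:\SslBindings
netsh http show sslcert
$hosts | ForEach-Object { Test-ServedCertificate -HostName $_ } | Format-Table -AutoSize
```

Probing 127.0.0.1 with the SNI name set is deliberate: it tests the server’s own selection logic without DNS or a load balancer in the path, so a HANDSHAKE FAILED row points at the store or the binding, not at the network.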

7 Comments
Occasional Visitor

Hello,

 

I'm trying to set up a centralized certificate store so I can host two URLs from my server, "cawl.nau.edu" and "payment.mpcer.nau.edu".  I installed and enabled the feature, created pfx files for my certificates and imported them with the names "cawl.nau.ed.pfx" and "payment.mpcer.nau.edu.pfx".  When I open Centralized Certificates they both appear, but do not show any details.  When I try to bind them using the centralized store in the bindings manager, neither seems to be applied.  When trying to visit either site I get a "PR_CONNECT_RESET" error.  If I go back into the bindings manager, I can choose SNI, untick centralized store and then choose to bind the certificates in the SSL certificate drop-down.  If I rebind in this manner the payment.mpcer.nau.edu site works fine, but cawl.nau.edu still produces the "PR_CONNECT_RESET_ERROR".  Can you tell what I am doing wrong?

Microsoft

Hi @Paul_Heinrich, after you set up CCS and browse the site, which certificate shows up (in the window where you see the PR_CONNECT_RESET error)? Is it the certificate you put in the CCS path, or is there no certificate at all?

 

Just to make sure changes are effective right away, please reset IIS and clear browser cache after enabling CCS.

Occasional Visitor

Hello,

 

I solved part of the problem.  Once I noticed that in the centralized certificate store the certs had a red X icon, I realized that they had an "incorrect private key" message.  I was able to edit the settings for each certificate, adding the private key password I created when I converted the certificates to pfx format. They now show without the red X and include all of the proper attributes, and I can view the certificate details by clicking "view" on the right side panel.  So it looks like I have working certificates in the centralized store.  Now if I can get them to bind properly...

Occasional Visitor

Hello Nedim,

 

I cleared the cache on my browser after restarting IIS on the server.  At this point I have the two sites set to use the centralized store and SNI.  One site, payment.mpcer.nau.edu, is working.  I can connect and it shows as a secure connection.  However the other site, cawl.nau.edu, is not working.  I cannot connect to it using SSL, but my non-SSL binding is working (http://cawl.nau.edu).  I'm using the naming convention suggested in the article, where my certificates have the exact same spelling as the domain names (i.e. cawl.nau.edu.pfx), and the certificates in the store look good (names are the same and all of the attributes now show up).  It seems like IIS isn't finding the certificate for cawl.nau.edu.

 

cheers,  Paul

Occasional Visitor

Hi Nedim,

 

To answer your question, it looks like no certificate shows up.  My browser (on a laptop) just throws the "PR_CONNECT_RESET_ERROR" which seems to be a generic bad certificate error.  If I try https://www.digicert.com/help/ against the cawl.nau.edu URL I just get a "cannot connect".  If I try payment.mpcer.nau.edu I get a nice display of the full certificate.  Both sites are currently set up with bindings to the centralized certificate store.

Microsoft

Hi @Paul_Heinrich, I think a remote session would speed up the troubleshooting of your server. Do you have a support contract with us? If you do, please create a case: https://support.serviceshub.microsoft.com/supportforbusiness

 

Otherwise, I would recommend creating a post in our IIS Forum. We have advocates who can follow and contribute to the topic continuously.

https://forums.iis.net/

Regular Visitor

Hey,

I am trying to demo the usage of Central Certificate Store for our certificate automation. 

I am looking to use AD Integrated Azure Files as the backend, and have set up a Private Link to this share. I then discovered that CCS doesn't like it when the server and username are cross-domain, so I have hidden this behind DFS.

 

Storage Account: storage.privatelink.core.windows.net

DFS Root: domain.local\Certificates\

Folder target: CentralStore -> \\storage.privatelink.core.windows.net\CentralStore

CCS target: \\domain.local\Certificates\CentralStore

 

This folder works fine if I browse to it in Explorer, so the server itself can access it, and the credentials are good. But CCS with the supplied credentials cannot connect to it.

Does anyone have any suggestions on how to get this working?