Microsoft

Starting with IIS 8, the Centralized Certificate Store (CCS) feature lets IIS load website certificates from a network share. Certificate management becomes a lot easier: the certificates are kept in a single store instead of being imported into every server’s local certificate store.


There are two steps to start using CCS:

  1. Configure IIS to use CCS
  2. Add an HTTPS binding to your website (using IIS Manager or PowerShell)


Configure IIS to use CCS

Install the CCS feature via Server Manager (Web Server (IIS) > Web Server > Security > Centralized SSL Certificate Support).


After the installation:

  1. Open IIS Manager and click the server name
  2. Double-click “Centralized Certificates”
  3. Click “Edit Feature Settings”
  4. Fill out the settings:
    • Physical path (most commonly a network share holding the .pfx files)
    • Username and password used to access that path
    • Private key password for the certificates (if the .pfx files are password protected)


After you click “OK”, IIS reads the .pfx files from the path and lists the certificates it found.


IIS determines which certificate belongs to which website by file name alone: each certificate is stored in the share as <host name>.pfx, and IIS looks up the file whose name matches the host name of the request.

  • If the host name is www.contoso.com, IIS looks for www.contoso.com.pfx
  • If there is no exact match, it looks for a wildcard certificate named _.contoso.com.pfx (an underscore stands in for the asterisk, which is not a legal file name character)
  • If the certificate has Subject Alternative Names (SANs), it is not matched by its SAN entries; store a copy of the file for each name, e.g. www.contoso1.com.pfx and www.contoso2.com.pfx


IIS stores the CCS configuration in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IIS\CentralCertProvider: whether the provider is enabled, the store path, and the share credentials and private key password (the passwords are stored in encrypted form). Because the store holds private keys, restrict the share and NTFS permissions to the account configured here and to the administrators who maintain it.

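The same configuration done from PowerShell, as an added example that is not part of the original post: it installs the role service, stages .pfx files named according to the convention above (including the per-SAN copies and the underscore-named wildcard), enables the provider with the WebAdministration cmdlets, and then reads back the registry key and the share ACL. The share \\fileserver\ccs$, the account CONTOSO\svc-ccs and the contoso.com host names are hypothetical; the operator running the script needs write access to the share, the service account only needs read access.

```powershell
# Added example (not part of the original post): configure CCS from PowerShell
# and stage .pfx files that follow the <host name>.pfx convention.
# Hypothetical values: share \\fileserver\ccs$, service account CONTOSO\svc-ccs,
# host names under contoso.com.
Import-Module WebAdministration

$Share     = '\\fileserver\ccs$'
$ShareUser = 'CONTOSO\svc-ccs'
$ShareCred = Get-Credential -UserName $ShareUser -Message 'Password of the CCS share account'
$PfxPass   = Read-Host -AsSecureString -Prompt 'Private key password for the .pfx files'

# 1. Role service "Centralized SSL Certificate Support" (Server Manager: Web Server > Security)
Install-WindowsFeature -Name Web-CertProvider | Out-Null

# 2. Stage certificates. Self-signed here so the example runs without a CA;
#    in production export the CA-issued certificate the same way.
$names = 'www.contoso.com', 'www.contoso1.com', 'www.contoso2.com'
$cert  = New-SelfSignedCertificate -DnsName $names -CertStoreLocation 'Cert:\LocalMachine\My'

#    CCS matches on file name only, so a certificate with SANs is copied once per name.
foreach ($name in $names) {
    Export-PfxCertificate -Cert $cert -FilePath (Join-Path $Share "$name.pfx") -Password $PfxPass | Out-Null
}

#    Wildcard certificates use '_' in place of '*', which is not a legal file name character.
$wild = New-SelfSignedCertificate -DnsName '*.contoso.com' -CertStoreLocation 'Cert:\LocalMachine\My'
Export-PfxCertificate -Cert $wild -FilePath (Join-Path $Share '_.contoso.com.pfx') -Password $PfxPass | Out-Null

#    The copies in the local store were only staging material; the store is the share.
Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)", "Cert:\LocalMachine\My\$($wild.Thumbprint)"

# 3. Point IIS at the share (same settings as the "Edit Feature Settings" dialog).
#    The cmdlet takes plain-text passwords, so unwrap them just for the call.
$plainShare = $ShareCred.GetNetworkCredential().Password
$plainPfx   = (New-Object System.Net.NetworkCredential('', $PfxPass)).Password
Enable-WebCentralCertProvider -CertStoreLocation $Share -UserName $ShareUser `
    -Password $plainShare -PrivateKeyPassword $plainPfx
Remove-Variable plainShare, plainPfx

# 4. Check what IIS recorded. Passwords are stored encrypted; Enabled and the path are readable.
Get-WebCentralCertProvider
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\IIS\CentralCertProvider' |
    Select-Object Enabled, CertStoreLocation

# 5. The share holds private keys: review who can read it.
(Get-Acl -Path $Share).Access |
    Where-Object { $_.FileSystemRights -match 'Read' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Step 5 is the check worth keeping in a change procedure: anyone who can read the share can extract every private key it holds, so the read ACL should contain only the CCS service account and the administrators who rotate the files.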

Add an IIS binding

Add an IIS binding by using IIS Manager

  1. Go to IIS Manager and select the website
  2. Click “Bindings…”, then click “Add”
  3. Select “https” as the “Type”
  4. Enter the host name and check “Use Centralized Certificate Store” (IIS will look for <host name>.pfx in the store)


Add an IIS binding by using PowerShell

Run the commands below. The first creates the site binding in applicationHost.config; the second registers the matching HTTP.sys binding. No certificate thumbprint is passed because the certificate comes from the store: with sslFlags 3 (SNI plus CCS) and host name localhost, IIS looks for localhost.pfx in the store.

New-WebBinding -Name "Default Web Site" -Protocol https -IPAddress "*" -Port 443 -HostHeader "localhost" -SslFlags 3

New-Item -Path "IIS:\SslBindings\!443!localhost" -SslFlags 3


The sslFlags value is a bit field: bit 0 (value 1) enables SNI and bit 1 (value 2) enables the Central Certificate Store, which gives four possible values:

  sslFlags | Use CCS | Use SNI | Description
  ---------|---------|---------|------------------------------------------------------------
  0        | 0       | 0       | SSL binding does not use SNI (certificate selected by IP address and port)
  1        | 0       | 1       | SSL binding uses SNI
  2        | 1       | 0       | SSL binding does not use SNI, but uses the Central Certificate Store (the host name for the certificate lookup is taken from the binding information in applicationHost.config)
  3        | 1       | 1       | SSL binding uses both SNI and the Central Certificate Store


IIS registers the bindings with HTTP.sys, which stores them in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters: IP:port bindings (sslFlags 0) under SslBindingInfo, SNI bindings (sslFlags 1) under SslSniBindingInfo, and CCS bindings (sslFlags 2 and 3) under SslCcsBindingInfo. `netsh http show sslcert` lists all three kinds.
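The binding procedure above with its verification, as an added example that is not part of the original post: it creates the site and HTTP.sys bindings with sslFlags 3, decodes the flag bits of each https binding the way the table reads them, looks at the HTTP.sys side through netsh and the SslCcsBindingInfo key, and finally opens a TLS connection with the given SNI name to see which certificate is really served. The site name 'Contoso Web' and host name www.contoso.com are hypothetical, a www.contoso.com.pfx is assumed to be present in the CCS share, and the on-the-wire check assumes the host name resolves to this server (DNS or a hosts entry).

```powershell
# Added example (not part of the original post): create a CCS + SNI binding and
# verify it in applicationHost.config, in HTTP.sys, and on the wire.
# Hypothetical values: site 'Contoso Web', host name www.contoso.com, and a
# www.contoso.com.pfx already present in the CCS share.
Import-Module WebAdministration

$SiteName = 'Contoso Web'
$HostName = 'www.contoso.com'
$Port     = 443
$SslFlags = 3     # bit 0 (1) = SNI, bit 1 (2) = CCS; 3 = both

# 1. Site binding in applicationHost.config.
New-WebBinding -Name $SiteName -Protocol https -IPAddress '*' -Port $Port `
    -HostHeader $HostName -SslFlags $SslFlags

# 2. HTTP.sys binding. No thumbprint: with CCS, HTTP.sys loads <host name>.pfx
#    from the store when the handshake arrives.
New-Item -Path "IIS:\SslBindings\!$Port!$HostName" -SslFlags $SslFlags | Out-Null

# 3. Decode the flags of every https binding on the site.
function Get-SiteSslBinding([string] $Name) {
    Get-WebBinding -Name $Name -Protocol https | ForEach-Object {
        $flags = [int] $_.sslFlags
        [pscustomobject]@{
            Binding  = $_.bindingInformation
            SslFlags = $flags
            UsesSni  = [bool] ($flags -band 1)
            UsesCcs  = [bool] ($flags -band 2)
        }
    }
}
Get-SiteSslBinding -Name $SiteName | Format-Table -AutoSize

# 4. HTTP.sys view: CCS bindings are reported as 'Central Certificate Store'
#    and live under the SslCcsBindingInfo key, not SslBindingInfo.
netsh http show sslcert | Select-String 'Hostname:port', 'Central Certificate Store'
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslCcsBindingInfo' -ErrorAction SilentlyContinue |
    Select-Object PSChildName

# 5. On the wire: open a TLS connection with the given SNI name and return the
#    certificate the server actually presented. Validation is skipped on purpose
#    so a wrong or self-signed certificate can still be inspected.
function Get-ServedCertificate([string] $ServerName, [int] $TcpPort) {
    $tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $TcpPort)
    try {
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($ServerName)      # $ServerName is sent as the SNI host name
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}
$served = Get-ServedCertificate -ServerName $HostName -TcpPort $Port
"Served for $HostName : $($served.Subject) (thumbprint $($served.Thumbprint))"
```

If step 5 returns a certificate other than the one in www.contoso.com.pfx, the usual causes are a file name that does not match the SNI host name exactly, a stale copy of the file on the share, or a competing IP:port binding (sslFlags 0) on the same port that HTTP.sys picks for clients that send no SNI.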