Centralized Certificate Store (CCS) and IIS bindings

Published May 17 2019 07:44 AM
Microsoft

Starting with IIS 8, the Centralized Certificate Store (CCS) feature lets IIS load a website's certificate from a file share, most commonly a network share, instead of from the server's local certificate store. A web farm can then manage all of its certificates in one place rather than importing and renewing them on every server; the trade-off is that the share now holds the private keys of every server that uses it and has to be protected accordingly.

There are two steps to start using CCS:

  1. Configure IIS to use CCS (install the feature, point it at the share, and give it the credentials and the PFX password)
  2. Add an HTTPS binding to your website that uses CCS (you can use IIS Manager or PowerShell)

Configure IIS to use CCS

Install the CCS feature via Server Manager (the role service is listed as "Centralized SSL Certificate Support" under Web Server (IIS) > Web Server > Security; its feature name is Web-CertProvider):

After the installation:

  1. Open IIS Manager. Click the server name
  2. Double-click "Centralized Certificates"
  3. Click "Edit Feature Settings…"
  4. Fill out the settings:
    • Physical path (most commonly a network share, given as a UNC path)
    • Username and password of the account IIS uses to read that path (a dedicated account with read-only access to the share is enough)
    • Private key password of the PFX files (if they are password-protected; CCS applies this one password to every file in the store)

After clicking "OK", IIS reads the PFX files from the path and lists them in the Centralized Certificates view. An entry marked with a red X could not be opened, which usually means the private key password is missing or wrong.

IIS determines which certificate belongs to which website purely by file name, using the convention <subject name of the certificate>.pfx:

    • If the subject name is www.contoso.com, IIS looks for www.contoso.com.pfx
    • If there is no match, it looks for a wildcard certificate with this name: _.contoso.com.pfx (the underscore stands in for the "*", which is not allowed in file names)
    • If the certificate has Subject Alternative Names (SANs), copy the same PFX once per name: www.contoso1.com.pfx and www.contoso2.com.pfx

IIS stores the CCS configuration in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IIS\CentralCertProvider

That key holds the share path, the account name and the passwords (stored encrypted, but recoverable by a local administrator), so access to it should be restricted like any other credential store. Likewise, anyone who can read the share and knows the PFX password holds the private key of every site served from it: give the CCS account read access only, and keep write access with the process that deploys and renews certificates.
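As an added example (not code from the original post), the following PowerShell script performs the configuration steps above and checks the naming convention before CCS is switched on: it opens every PFX in the share with the single private key password, confirms that each file name matches a name in the certificate (subject CN or SAN, with _.contoso.com standing for *.contoso.com), flags expired or key-less files, and only then installs the role service and enables CCS with Enable-IISCentralCertProvider from the IISAdministration module. The share path and the account are placeholders; the check reads the share as the current user, so run it with an account that can read the files.

```powershell
# Added example, not code from the original post. Assumes the IISAdministration
# module (Enable-IISCentralCertProvider) and the ServerManager module
# (Install-WindowsFeature) are available. Share path, account and password
# values are placeholders supplied interactively.
Import-Module IISAdministration

function Test-CcsStore {
    # Opens each <name>.pfx in the store and reports whether CCS will be able
    # to serve it for the host name encoded in the file name.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$PfxPassword = ''   # CCS applies one private key password to every file
    )
    # EphemeralKeySet (.NET 4.7.2+): do not persist the private key on this machine while checking
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    foreach ($file in Get-ChildItem -Path $Path -Filter '*.pfx') {
        # www.contoso.com.pfx -> www.contoso.com ; _.contoso.com.pfx -> *.contoso.com
        $hostName = $file.BaseName
        if ($hostName.StartsWith('_.')) { $hostName = '*' + $hostName.Substring(1) }
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName, $PfxPassword, $flags)
        } catch {
            [pscustomobject]@{ File = $file.Name; Host = $hostName; Ok = $false;
                               Problem = "cannot open with the configured PFX password: $($_.Exception.Message)" }
            continue
        }
        # DnsNameList is a PowerShell-added property: subject CN plus every SAN dNSName
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $problems = @()
        if (-not $cert.HasPrivateKey)      { $problems += 'no private key in the PFX' }
        if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter.ToString('u'))" }
        if ($names -notcontains $hostName) { $problems += "file name '$hostName' is not among the certificate names ($($names -join ', '))" }
        [pscustomobject]@{ File = $file.Name; Host = $hostName; Ok = ($problems.Count -eq 0); Problem = ($problems -join '; ') }
    }
}

# --- configuration (placeholders) ---
$share    = '\\fileserver\ccs$'
$cred     = Get-Credential -Message 'Account with read-only access to the CCS share'
$pfxPw    = Read-Host -AsSecureString -Prompt 'PFX private key password (blank if none)'
$pfxPlain = [System.Net.NetworkCredential]::new('', $pfxPw).Password

# 1. Validate the store before touching IIS; a file that fails here shows up as a red X in IIS Manager later
$report = Test-CcsStore -Path $share -PfxPassword $pfxPlain
$report | Format-Table File, Host, Ok, Problem -AutoSize
if ($report | Where-Object { -not $_.Ok }) { throw 'Fix the files listed above before enabling CCS' }

# 2. Install the role service and enable CCS (writes HKLM\SOFTWARE\Microsoft\IIS\CentralCertProvider)
Install-WindowsFeature Web-CertProvider | Out-Null
Enable-IISCentralCertProvider -CertStoreLocation $share `
    -UserName $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -PrivateKeyPassword $pfxPlain
Get-IISCentralCertProvider   # shows Enabled, CertStoreLocation and UserName; passwords stay masked
```

The validation runs before enablement on purpose: once CCS is on, a mismatched file name or a wrong PFX password only surfaces as a reset TLS connection on the affected host, which is much harder to trace back than a line in this report.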

 

Add an IIS binding

Add an IIS binding by using IIS Manager

  1. Go to IIS Manager. Select the website
  2. Click "Bindings…". Click "Add…"
  3. Select "https" as the "Type" and enter the host name (CCS looks up <host name>.pfx in the store, so it must match the file name exactly)
  4. Check "Use Centralized Certificate Store" (the SSL certificate drop-down is no longer used; also check "Require Server Name Indication" when several host names share the same IP address and port)

Add an IIS binding by using PowerShell

Run the commands below (WebAdministration module). The first adds the https binding to the site in applicationHost.config; the second registers the matching SSL binding with HTTP.SYS, which is a separate, per-machine step:

Import-Module WebAdministration
# Site binding: sslFlags 3 = SNI + CCS, so the certificate is picked by host name (localhost.pfx in the store)
New-WebBinding -Name "Default Web Site" -Protocol https -IPAddress * -Port 443 -HostHeader "localhost" -SslFlags 3
# HTTP.SYS binding for the same host name and port; without it HTTPS connections to the host fail
New-Item -Path "IIS:\SslBindings\!443!localhost" -SslFlags 3

The meanings of the sslFlags parameter (it is a bitmask: 1 = SNI, 2 = CCS, so 3 = both):

  sslFlags  Description                                                        Use CCS  Use SNI
  0         SSL binding does not use SNI                                       0        0
  1         SSL binding uses SNI                                               0        1
  2         SSL binding does not use SNI, but uses Central Certificate Store   1        0
            (the host name for certificate lookup is taken from the binding
            information in applicationHost.config)
  3         SSL binding uses both SNI and Central Certificate Store            1        1

IIS stores the HTTP.SYS binding information in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo

This key is per machine and is not part of applicationHost.config, so a shared configuration does not carry the SSL bindings to a new server: every server needs the New-Item step above in addition to the shared site bindings. netsh http show sslcert lists what HTTP.SYS currently has.
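The following added PowerShell function (not code from the original post) wraps the two commands above so they can run from a deployment script on every node: it creates the site binding only if it is missing, refuses to silently coexist with a binding that has different sslFlags, adds the HTTP.SYS binding when absent, and returns what both IIS and HTTP.SYS ended up with, decoding sslFlags into its SNI and CCS bits. The site and host names are placeholders; it assumes the WebAdministration module and a CCS store that already contains <host name>.pfx.

```powershell
# Added example, not code from the original post. Assumes the WebAdministration
# module (IIS:\ drive), an existing site, and an enabled CCS share holding
# <hostname>.pfx. Site and host names below are placeholders.
Import-Module WebAdministration

function ConvertFrom-SslFlags {
    # sslFlags is a bitmask: bit 0 (1) = SNI, bit 1 (2) = CCS; 3 = both.
    param([Parameter(Mandatory)][int]$Flags)
    [pscustomobject]@{
        Flags  = $Flags
        UseSni = (($Flags -band 1) -ne 0)
        UseCcs = (($Flags -band 2) -ne 0)
    }
}

function Add-CcsHttpsBinding {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $flags = 3   # SNI + CCS: HTTP.SYS uses the SNI host name to pick <host>.pfx from the store

    # 1. Site binding in applicationHost.config (idempotent; a conflicting one is an error, not overwritten)
    $existing = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
    if (-not $existing) {
        New-WebBinding -Name $SiteName -Protocol https -IPAddress '*' -Port $Port -HostHeader $HostName -SslFlags $flags
    } elseif ([int]$existing.sslFlags -ne $flags) {
        throw "Binding for ${HostName}:$Port exists with sslFlags=$($existing.sslFlags); expected $flags"
    }

    # 2. HTTP.SYS SSL binding. This lives in the per-machine registry, not in
    #    applicationHost.config, so it must be created on every server.
    $httpSysPath = "IIS:\SslBindings\!$Port!$HostName"
    if (-not (Test-Path $httpSysPath)) {
        New-Item -Path $httpSysPath -SslFlags $flags | Out-Null
    }

    # 3. Report both halves so a deployment log shows what was actually registered
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
    $hp = "hostnameport=${HostName}:$Port"
    [pscustomobject]@{
        Site       = $SiteName
        Binding    = $binding.bindingInformation          # e.g. *:443:www.contoso.com
        SslFlags   = ConvertFrom-SslFlags ([int]$binding.sslFlags)
        HttpSys    = Test-Path $httpSysPath
        NetshEntry = (netsh http show sslcert $hp) -join "`n"   # HTTP.SYS view of the same binding
    }
}

# Placeholder site and host name; the store must contain www.contoso.com.pfx
Add-CcsHttpsBinding -SiteName 'Default Web Site' -HostName 'www.contoso.com'
```

Run it once per host name on each node. If the returned object shows HttpSys = False or the netsh output reports no binding, the site binding exists but HTTP.SYS will still reset TLS connections for that host, which is the symptom to look for when a freshly provisioned server serves no certificate.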

Labels: Centralized Certificate Store, IIS bindings

9 Comments

Paul_Heinrich:
Hello,

I'm trying to set up a centralized certificate store so I can host two URLs from my server, "cawl.nau.edu" and "payment.mpcer.nau.edu". I installed and enabled the feature, created pfx files for my certificates and imported them with the names "cawl.nau.ed.pfx" and "payment.mpcer.nau.edu.pfx". When I open Centralized Certificates they both appear, but do not show any details. When I try to bind them using the centralized store using the bindings manager, neither seems to be applied. When trying to visit either site I get a "PR_CONNECT_RESET" error. If I go back into the bindings manager, I can choose SNI, unclick centralized store and then choose to bind the certificates in the SSL certificate drop down. If I rebind in this manner the payment.mpcer.nau.edu site works fine, but cawl.nau.edu still produces the "PR_CONNECT_RESET_ERROR". Can you tell what I am doing wrong?

Reply (Nedim):
Hi @Paul_Heinrich, after you set up CCS and browse the site, which certificate shows up (in the window where you see the PR_CONNECT_RESET error)? Is it the certificate you put in the CCS path, or is there no certificate at all?

Just to make sure changes are effective right away, please reset IIS and clear the browser cache after enabling CCS.

Paul_Heinrich:
Hello,

I solved part of the problem. Once I noticed that in the centralized certificate store the certs had a red X icon, I realized that they had an "incorrect private key" message. I was able to edit the settings for each certificate, adding the private key password I created when I converted the certificates to pfx format. They now show without the red X and include all of the proper attributes, and I can view the certificate details by clicking "view" on the right side panel. So it looks like I have working certificates in the centralized store. Now if I can get them to bind properly...

Paul_Heinrich:
Hello Nedim,

I cleared the cache on my browser after restarting IIS on the server. At this point I have the two sites set to use the centralized store and SNI. One site, payment.mpcer.nau.edu, is working. I can connect and it shows as a secure connection. However the other site, cawl.nau.edu, is not working. I cannot connect to it using SSL, but my non-SSL binding is working (http://cawl.nau.edu). I'm using the naming convention suggested in the article, where my certificates have the exact same spelling as the domain names (i.e. cawl.nau.edu.pfx), and the certificates in the store look good (names are the same and all of the attributes now show up). It seems like IIS isn't finding the certificate for cawl.nau.edu.

cheers, Paul

Paul_Heinrich:
Hi Nedim,

To answer your question, it looks like no certificate shows up. My browser (on a laptop) just throws the "PR_CONNECT_RESET_ERROR", which seems to be a generic bad certificate error. If I try https://www.digicert.com/help/ against the cawl.nau.edu URL I just get a "cannot connect". If I try payment.mpcer.nau.edu I get a nice display of the full certificate. Both sites are currently set up with bindings to the centralized certificate store.

Reply (Nedim):
Hi @Paul_Heinrich, I think a remote session would speed up the troubleshooting of your server. Do you have a support contract with us? If you do, please create a case: https://support.serviceshub.microsoft.com/supportforbusiness

Otherwise, I would recommend creating a post in our IIS Forum. We have advocates who can follow and contribute to the topic continuously.
https://forums.iis.net/

BrettM:
Hey,
I am trying to demo the usage of Central Certificate Store for our certificate automation.
I am looking to use AD Integrated Azure Files as the backend, and have set up a Private Link to this share. I then discovered that CCS doesn't like it when the server and username are cross-domain, so I have hidden this behind DFS.

Storage Account:
storage.privatelink.core.windows.net
DFS Root:
domain.local\Certificates\
Folder target:
CentralStore
\\storage.privatelink.core.windows.net\CentralStore

CCS target:
\\domain.local\Certificates\CentralStore

This folder works fine if I browse to it in Explorer, so the server itself can access it, and the credentials are good. But CCS with the supplied credentials cannot connect to it.
Does anyone have any suggestions on how to get this working?

Reply to BrettM:
BrettM, I bet it has something to do with the server trying to access the share with the WAS process instead of w3svc. I had a similar issue trying to use a UNC path for shared configuration. Try giving the computer account access on the share/directory/file resources. Might need to run it as Network Service instead of LocalSystem (which is probably a major security concern).

Carlo Alberto:
Hi,
I am experiencing some issues with CCS and VM automation in an Azure Scale Set.
Basically, I set up a Scale Set which points to two different file shares, one for IIS shared config and one for CCS, and an init PowerShell script which binds both to IIS.
I also set manually in the shared applicationHost.config file the sslFlags="3" parameter inside each SSL binding.
The script is working properly and when a new VM spins up I can see that both shared config and CCS are working, and if I check bindings they are properly configured, but if I try to browse a website I get the generic "PR_CONNECT_RESET_ERROR" error.
To solve this I have to manually go to "Edit Site Binding" from IIS Manager and disable and re-enable "Use Centralized Certificate Store" (as in the picture) and it suddenly starts to work.
I see it refreshes the applicationHost.config file because the save date changes, but I compared before and after and no changes were done (so it basically re-applies what it already had).

I am really struggling with this. I also tried to perform an iisreset after the execution of the script, but without luck. Do you have any idea how to fix this?

EDIT: I post the solution, in case it could be helpful for someone else. The problem was that it is not enough to enable the Centralized SSL and have the correct bindings already inside the applicationHost.config and hosts file; each time a new server comes up it is necessary to bind also the HTTP.SYS.
The solution was to add to my init script the update of a fake binding to remap everything:

Import-Module WebAdministration
Get-Website -Name "Default Web Site" | Get-WebBinding -Protocol "https" -HostHeader "TestSite" | Remove-WebBinding
New-WebBinding -Name "Default Web Site" -Port 443 -SslFlags 3 -Protocol https -HostHeader "TestSite"   # this recreates the test binding on IIS
New-Item -Path "IIS:\SslBindings\!443!TestSite" -SslFlags 3   # this binds HTTP.SYS
netsh http show sslcert

Now my automation works perfectly; once the bind is created all the existing bindings work with the proper SSL certificate.

Cheers,
Carlo Alberto
[Screenshot 2021-06-18 at 00.24.06.png: the Edit Site Binding dialog]
Version history
Last update:
‎May 17 2019 07:49 AM