After IIS8, CCS (Centralized Certificate Store) feature can be used to pick up website certificates from a network share. It makes certificate management a lot easier from a single store instead of managing them in every server’s local certificate stores.
There are two steps to start using CCS:
Install CCS feature via Server Manager:
After the installation:
After clicking “OK”, IIS reads the certificates from the path and populates the information about the certificates.
IIS determines which certificate is associated with which website by using the naming convention (<subject name of a certificate>.pfx
:(
www.contoso.com.pfx
_.contoso.com.pfx
www.contoso1.com.pfx
and www.contoso2.com.pfx
IIS stores the CCS configuration in registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IIS\CentralCertProvider
Add an IIS binding by using IIS Manager
Add an IIS binding by using PowerShell
Run the commands below.
New-WebBinding -Name "Default Web Site" -sslFlags 3 -Protocol https -IP * -Port 443 -HostHeader ("localhost")
New-Item -Path "IIS:\SslBindings\!443!localhost" -sslFlags 3
The meanings of the sslFlags
parameter:
sslFlags |
Description |
Use CCS |
Use SNI |
0 |
SSL binding does not use SNI |
0 |
0 |
1 |
SSL binding uses SNI |
0 |
1 |
2 |
SSL binding does not use SNI, but uses Central Certificate Store (The hostname for certificate lookup is determined based on the binding information in Applicationhost.config) |
1 |
0 |
3 |
SSL binding uses both SNI and Central Certificate Store |
1 |
1 |
IIS stores the binding information in Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.