Centralized Certificate Store – IIS

  • Mission: Configure Centralized Certificate Store in IIS to better manage certificates

  • Symptoms
    • Managing certificates when they expire is a nightmare
      • OR
    • Every time a wildcard or SAN certificate expires you need to go site by site reconfiguring each site's bindings

  • Prerequisites
    • IIS already installed with your own environment's custom settings
    • A network share (or a local folder on the server) where the certificates will be stored

  • Info
    • This procedure follows the GUI (Graphical User Interface) method.

Step 1: Add Centralized Certificate Support feature to IIS server

On the server where IIS is installed run Server Manager (ServerManager.exe), wait for the console to collect its data and click Manage > Add Roles and Features
Once the Add Roles and Features Wizard pops up, click Next
Select Role-based or feature-based installation and click Next
Select your server and hit Next
On the Select server roles section expand Web Server (IIS) > Web Server > Security, select Centralized SSL Certificate Support and click Next
Nothing to be done on the Select features section. Just hit Next
Finally click Install

This process does not require a reboot.

Step 2: Configure Centralized Certificates in IIS

Open IIS Manager, click the name of your server in the left pane and then Centralized Certificates in the central pane
  1. Click Edit Feature Settings.
  2. Select the checkbox Enable Centralized Certificates.
  3. Enter the physical path where the certificates are stored. This can be a local folder on the server or a network share.
  4. Enter the username and password of an account that can access the folder where the certificates are stored. Read access is all IIS needs; give the account write access only if it is also the account you use to upload certificates. I recommend a dedicated service account with access to this folder and nothing else, because IIS stores these credentials in its configuration.
  5. Enter the private key password of the pfx files, if they have one. Only one password can be configured here, so every pfx file in the store must use the same one.
  6. Click OK to finish the configuration.

Step 3: Bind your sites to the certificate store

For every site you need to bind the certificate to the centralized store

In IIS Manager click each site in the left pane, then Bindings in the right pane
Double-click the binding to be configured (if it already exists) or add a new one if needed
After customizing the binding with your own environment settings, select the checkbox Use Centralized Certificate Store. This sets the site to look for its certificate in the centralized certificate store (the physical path set in step 2). The host name of the binding is mandatory, because IIS locates the file by name: a binding for www.contoso.com loads www.contoso.com.pfx, and a wildcard certificate is stored as _.contoso.com.pfx so the same file serves every host under that domain. Renewing a wildcard or SAN certificate then means replacing one file in the share instead of touching every site.
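The same three steps done from PowerShell, as an added example that is not part of the original post. It uses the WebAdministration module's own cmdlets (Install-WindowsFeature, Enable-WebCentralCertProvider, New-WebBinding, Export-PfxCertificate); the share path, service account, site name, hostname and thumbprint are assumptions you must replace, and the expiry report at the end is the check that becomes possible once every certificate lives in one folder.

```powershell
# Added example (PowerShell), not part of the original post. The share path,
# service account, site name, hostname and thumbprint are assumptions.
# Run in an elevated session on the IIS server.
Import-Module WebAdministration

$Share      = '\\fileserver01\iis-certs'  # assumed UNC path of the certificate store
$SvcAccount = 'CONTOSO\svc-iis-ccs'       # assumed service account with READ access to the share
$SiteName   = 'Default Web Site'          # assumed site
$HostName   = 'www.contoso.com'           # assumed host name on the binding

$SvcPassword = Read-Host "Password for $SvcAccount" -AsSecureString
$PfxPassword = Read-Host 'Private key password shared by all PFX files' -AsSecureString

# Enable-WebCentralCertProvider takes plain strings, so unwrap the SecureStrings
# only at the call site instead of keeping plain-text passwords in variables.
function ConvertTo-PlainText([securestring]$Secure) {
    [System.Net.NetworkCredential]::new('', $Secure).Password
}

# Step 1: Centralized SSL Certificate Support is the Web-CertProvider feature.
if (-not (Get-WindowsFeature -Name Web-CertProvider).Installed) {
    Install-WindowsFeature -Name Web-CertProvider | Out-Null
}

# Step 2: point IIS at the store. The credentials are saved in IIS configuration,
# which is why a dedicated, read-only account is used.
Enable-WebCentralCertProvider -CertStoreLocation $Share `
    -UserName $SvcAccount `
    -Password (ConvertTo-PlainText $SvcPassword) `
    -PrivateKeyPassword (ConvertTo-PlainText $PfxPassword)
Get-WebCentralCertProvider   # shows Enabled, CertStoreLocation and UserName as a sanity check

# Step 3: an https binding that reads its certificate from the store.
# SslFlags: 1 = SNI, 2 = Centralized Certificate Store, 3 = both.
# The host header is mandatory because IIS looks for "<hostname>.pfx".
$existing = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
if (-not $existing) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName -SslFlags 3
}

# Put a certificate into the store under the CCS naming rule:
#   www.contoso.com.pfx -> serves www.contoso.com
#   _.contoso.com.pfx   -> wildcard, serves any single-label host under contoso.com
# The thumbprint is an assumption; take it from Get-ChildItem Cert:\LocalMachine\My.
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'
Export-PfxCertificate -Cert (Get-Item "Cert:\LocalMachine\My\$Thumbprint") `
    -FilePath (Join-Path $Share "$HostName.pfx") -Password $PfxPassword | Out-Null

# Expiry report over the whole store: one loop replaces checking site by site.
function Get-CcsExpiry {
    param([string]$Path, [securestring]$Password, [int]$WarnDays = 30)
    Get-ChildItem -Path $Path -Filter '*.pfx' | ForEach-Object {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $_.FullName, $Password)
        $days = [int]($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            File     = $_.Name
            Subject  = $cert.Subject
            NotAfter = $cert.NotAfter
            DaysLeft = $days
            Renew    = ($days -le $WarnDays)
        }
    } | Sort-Object DaysLeft
}
Get-CcsExpiry -Path $Share -Password $PfxPassword | Format-Table -AutoSize
```

Run the expiry report from a scheduled task against the share and you get a single list of which files need replacing; a renewed certificate is then just a new pfx with the same name (and the same private key password) dropped into the store, with no binding changes on any site.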

About me

Over 20 years working in IT for multiple fields (logistics, Olympic games, oil and gas, insurance, pharmaceuticals, etc.).

Sometimes finding solutions on the internet can be challenging. That's why I decided to create techmission.ca, where I'll gather some solutions I have to apply on my environments as I receive my "missions" (that's the way I name clients' requests).

Hope the solutions published here can help you guys as they help me 🙂