

IIS8: What is the problem that CCS (Centralized Certificate Store) resolved?

Securing sites is already a mandatory step in many businesses,
as they usually store sensitive data and documents. Moreover, with cloud
hosting, server capacity must be added and removed dynamically. Before Windows
Server 2012, there were a couple of obstacles that had to be considered:

  • Scalability: Only one certificate can be used per IP:Port combination.
  • Manageability: Certificates are stored locally on each web server, so, for example,
    renewing a certificate must be repeated on every server.

And CCS is the solution: the DNS name and the CN name of the
certificate must match. This contract can be further extended to the file names
of the certificates. (For example, www.Server1.com would use the certificate
with the file name www.Server1.com.pfx.) This contract enables Windows Server
2012 to have just one SSL binding, regardless of the number of secure sites
that use the CCS store for binding certificates.

Simply put: previously, if there were 100 secure sites, there would be 100 SSL
bindings (“Explicit Binding”). With CCS, regardless of the number of secure sites, there is a single SSL
binding (“Implicit Binding”).

 

How to configure it in IIS?

 

 

How to configure website to use CCS?

When you choose CCS, there is no need to select a certificate: IIS picks it up from the share. The certificate file name must, however, match the website name exactly.

 

Where is CCS configured?

The CCS configuration is stored in the registry, not in applicationHost.config.

The IIS sslFlags attribute on a binding only indicates whether the website uses CCS.

<binding protocol="https" bindingInformation="*:443:CentralSSL0" sslFlags="3" />
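A way to check the naming contract described above before a deployment, as an added example (not code from the original article or from IIS): it reads https bindings from an applicationHost.config-style fragment, keeps those whose sslFlags has the CCS bit (value 2) set, and compares the expected "hostname.pfx" names with the files in the share. The sample config, the host names other than www.Server1.com, and the file list are constructed, and only the exact-name match is checked.

```python
import xml.etree.ElementTree as ET

SSL_FLAG_CCS = 0x2  # sslFlags bit 2 = Centralized Certificate Store (bit 1 = SNI)

# Constructed sample shaped like the <sites> section of applicationHost.config.
SAMPLE_CONFIG = """
<sites>
  <site name="Shop" id="1"><bindings>
    <binding protocol="https" bindingInformation="*:443:www.Server1.com" sslFlags="3" />
    <binding protocol="http" bindingInformation="*:80:www.Server1.com" />
  </bindings></site>
  <site name="Portal" id="2"><bindings>
    <binding protocol="https" bindingInformation="*:443:portal.example.com" sslFlags="3" />
  </bindings></site>
  <site name="Legacy" id="3"><bindings>
    <binding protocol="https" bindingInformation="10.0.0.5:443:" sslFlags="0" />
  </bindings></site>
</sites>
"""
# Constructed listing of the CCS share (file names only).
SAMPLE_STORE_FILES = ["www.server1.com.pfx", "old.example.com.pfx"]

def ccs_hosts(config_xml):
    """Return (site, host) for each https binding that relies on CCS."""
    found = []
    for site in ET.fromstring(config_xml).iter("site"):
        for b in site.iter("binding"):
            if b.get("protocol") != "https":
                continue
            if not int(b.get("sslFlags", "0")) & SSL_FLAG_CCS:
                continue  # explicit binding: certificate comes from the local store
            # bindingInformation is "ip:port:hostname"; the host is the last field
            host = b.get("bindingInformation", "").rsplit(":", 1)[-1]
            if host:  # without a host name no file name can be derived
                found.append((site.get("name"), host))
    return found

def audit(config_xml, store_files):
    """Return (missing, unused): sites with no matching .pfx, and stray .pfx files."""
    present = {f.lower() for f in store_files}  # Windows file names ignore case
    expected = {host.lower() + ".pfx": site for site, host in ccs_hosts(config_xml)}
    missing = sorted((s, n) for n, s in expected.items() if n not in present)
    unused = sorted(present - set(expected))
    return missing, unused

if __name__ == "__main__":
    missing, unused = audit(SAMPLE_CONFIG, SAMPLE_STORE_FILES)
    for site, name in missing:
        print(f"site {site}: expected {name} in the share, not found")
    for name in unused:
        print(f"{name}: no CCS binding uses it (stale private key on the share?)")
```

Files reported as unused are worth reviewing, since every .pfx on the share holds a private key.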

Comments

  • Anonymous
    October 01, 2013
    Nice article. Thanks! P.S: There is a typo; And CSS is the Solution.

  • Anonymous
    November 30, 2013
    Thanks Reyou ... Corrected :)