One common and potentially time-consuming administrative task I hear my customers discuss is the maintenance of SSL certificates on large Web farms (initial setup, renewals, etc.). These Web farms can host Outlook Web Access, e-commerce sites, intranet pages, etc. One of the new features we added in IIS8 in Windows Server 2012 is the Central Certificate Store (CCS). The gist of this feature is to allow IIS8 to fetch the certificates for the SSL sites it hosts on demand from a central location instead of from its local certificate store.
I originally planned on breaking down how it works, etc.; however, a colleague named Kaushal Kumar Panday has already done a fantastic job covering CCS in the blog post found here:
So instead of repeating all of this info, I thought it would be cool to peek into a couple of areas of the feature to get to know it a little better, as well as provide guidance for a robust implementation. So if you want to geek out on CCS, read on!
One thing I thought would be neat to see in a packet capture via Network Monitor is the interaction between the Web server and the file server that hosts the certificates for CCS. Here is my setup which will be used for the duration of this post.
The first thing I did was an IISReset on the Web server just to get the trace as clean as possible. It's also the #1 thing I use to troubleshoot IIS issues, but that's just because I am a newb when it comes to IIS, but I digress :). Let's see how this works:
So perhaps one thing to learn here is to use at least Windows Server 2008 so you can reap the benefits of the updated TCP/IP stack as well as SMB2.
Another thing to plan for is failure conditions. It would be most unfortunate if the file server that hosts the central certificate store was unavailable when an SSL request came in and the cert was not cached. At first I wondered if we kept a local copy so I decided to test that theory out.
To set up the scenario where the file share hosting the certs for CCS dies, I stopped the Server service on Server2012-3 (file server), then did an IISReset on Server2012-2 (Web server).
So as you can see, it's critical to make sure your certs are hosted on a highly available file share. Failover clustering would be a nice choice :).
I also want to point out a couple of things from a security perspective pertaining to this screenshot. To navigate to this screen, in IIS Manager, click the server name in the Connections pane on the left, then double-click the Centralized Certificates icon under Management in the center pane. As a reminder, the Centralized Certificates icon will only show up if you have installed the feature via Server Manager.
Finally, there are PowerShell commands which can be used to configure CCS. This is a good way to further automate the build process for Web servers that host SSL sites.
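As an added example (not from the original post), here is the scripted equivalent of the steps walked through above: install the role service, point IIS at the central share, add an SNI+CCS binding, and check that the share and the expected .pfx file are reachable before a request depends on them. The share name, service account, site name and host name are assumed placeholders; the cmdlets are from the ServerManager and WebAdministration modules that ship with Windows Server 2012.

```powershell
Import-Module ServerManager
Import-Module WebAdministration

# Assumed values: Server2012-3 is the file server from the post, the rest are placeholders.
$ccsShare   = '\\Server2012-3\CentralCerts'   # UNC path of the share that holds the .pfx files
$ccsUser    = 'CONTOSO\svc-ccs'               # dedicated account with read-only access to the share
$siteName   = 'Default Web Site'
$hostName   = 'www.contoso.com'               # CCS will look for www.contoso.com.pfx on the share

# Prompt for secrets instead of hard-coding them in the build script.
$sharePwd = Read-Host -AsSecureString 'Password for the share account'
$pfxPwd   = Read-Host -AsSecureString 'Private key password of the .pfx files'
$sharePwdText = (New-Object System.Net.NetworkCredential('', $sharePwd)).Password
$pfxPwdText   = (New-Object System.Net.NetworkCredential('', $pfxPwd)).Password

# 1. Install Centralized SSL Certificate Support (same as ticking it in Server Manager).
if (-not (Get-WindowsFeature -Name Web-CertProvider).Installed) {
    Install-WindowsFeature -Name Web-CertProvider
}

# 2. Failure-condition preflight: if the share is down now, IIS will fail the SSL handshake later.
if (-not (Test-Path -Path $ccsShare)) {
    throw "Central certificate share $ccsShare is not reachable; fix the file server before enabling CCS."
}

# 3. Point IIS at the central store with the dedicated account.
Enable-WebCentralCertProvider -CertStoreLocation $ccsShare `
    -UserName $ccsUser -Password $sharePwdText -PrivateKeyPassword $pfxPwdText

# 4. HTTPS binding with SslFlags 3 = SNI (1) + Central Certificate Store (2).
New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 3

# 5. Confirm the file CCS will load for this host name actually exists.
$expectedPfx = Join-Path -Path $ccsShare -ChildPath "$hostName.pfx"
if (Test-Path -Path $expectedPfx) {
    Write-Output "OK: $expectedPfx is present on the central store."
} else {
    Write-Warning "Missing $expectedPfx; clients sending SNI '$hostName' will get a handshake failure."
}

# Show the resulting provider configuration for review.
Get-WebCentralCertProvider
```

Run this on each Web server in the farm; the certificates themselves live only on the share, so renewing a site is a matter of replacing the matching .pfx there.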
That's all for now on CCS. I hope you enjoyed this blog and please post in the comments if you have any questions, comments or concerns.
One thing to mention is that you have to know your clients for this. Because IIS8 uses SNI for CCS to work, Windows XP will not work with CCS, because it does not support SNI :(.
Great point about SNI. My hopes are that since the end of life is coming for XP in 4/2014 (less than a year away!), SNI will become more mainstream and this feature will fit nicely.
I know this is an old article, but the comments are one of the few places I have seen references to the SNI CCS compatibility for Windows XP. According to Microsoft's training manuals, you can use CCS without SNI if you specify a specific IP address within the binding. Specifically it's in the Introduction to Server 2012 manual on page 167. Unfortunately it doesn't seem to work! I still receive the certificate error in Windows XP after setting the configuration exactly as specified in the book.