Central Certificate Store (CCS) with IIS

Posted on by No Comments ↓

This post has been republished via RSS; it originally appeared at: IIS Support Blog articles.

In IIS 8 many new features were added. One of them was the Centralized Certificate Store. This is available on Windows Server 2012 or higher and Windows 8 or higher.

In my previous posts on IIS 8, I discussed how scalability was  achieved in IIS 8 via SNI.

Below are the links to previous posts:

  1. SSL Scalability with IIS 8 (Windows 8 Server)
  2. Server Name Indication (SNI) with IIS 8 (Windows Server 2012)

As I discussed in my earlier posts, scalability was achieved in IIS 8 via Server Name Indication (SNI) and Central Certificate Store (CCS). In the second post mentioned above I discussed in how scalability was achieved via SNI.

In this article I’ll discuss CCS in depth.

 

What is CCS?

Central Certificate Store or Centralized SSL Certificate Support is a feature which allows certificates to be stored on a central location like a file share. This feature is very similar to Shared Configuration, where the certificates are stored on a file share and the servers in farm load them on demand.

In CCS the files are exported along with the private key (in .pfx format) and stored centrally on a file share. Files are named specifically using a naming convention and stored in the file share which are loaded on demand basis for an incoming SSL request. CCS uses the Server Name Indication information from the Client Hello for functionality.

 

Why do we need CCS when we already have SNI?

While SNI addressed only the SSL scalability problem with IIS, CCS addresses both SSL scalability and manageability of the certificates.

Also consider a hosting scenario where typically there are close to 1000 sites. If all of these were SSL enabled, then there would be close to 1000 SSL bindings. These explicit bindings are specific to a site and are loaded in memory during start-up of IIS Services. In case of CCS there exists only binding and the certs are loaded on demand and cached for future use, this way the memory consumption is lesser and there is a slight performance gain.

 

How does CCS improve manageability of Certificates?

Prior to IIS 8, IIS always picked up the certificates store (Personal store of MY Computer account) which is local to every machine. In case of a stand-alone server this is not a problem. However, consider a web-farm scenario with 2 or more servers in the farm. If one has to configure a site to use SSL, the certificate has to be installed on all the servers along with the private key. If the certificate expires, again the same step has to be repeated on all the servers. So there was lot of manual work involved. If there were more servers in the farm or if you were to introduce another SSL site, it would be a bigger headache for the server admins.

In the server farm, we configure all the servers to use the CCS binding which reads from this Central Certificate Store. Now IIS picks the certificate from the file share and not the local certificate store. The server admins have the task simplified and they need to install/renew the certificate on a single location i.e., the file share.

Installing CCS

Unlike SNICCS is not pre-installed it has to be installed separately. It is shipped as a native module and has to be installed via the Server Manager console on Windows Server 2012 & via Programs & Features on Windows 8. Below are instructions:

 

Installing CCS on Windows Server 2012:

 

  • Launch Server Manager.
  • Under Manage menu, select Add Roles and Features:
    image
  • In "Add Roles and Features Wizard" click "Next".
  • Select "Role-based or Feature-based Installation" and click on Next.
  • Select the appropriate server (local is selected by default) and click on Next.
  • Select Web Server (IIS):
    image
  • No additional features are needed for IIS, so click "Next".
  • Click on Next again.
  • By default, Centralized Certificates is not selected. Expand Security and then select "Centralized SSL Certificates Support" and click on Next.
    image
  • Click on Install and wait until the installation completes.
  • Upon successful installation the wizard would reflect the status:
    image

Installing CCS on Windows 8

 

  • Go to run prompt, type "appwiz.cpl", and hit Enter key.
  • This would launch the Programs and Features Console.
  • Click on "Turn Windows features on or off".
  • Select "Internet Information Services" and expand the tree.
    image
  • Go to World Web Wide Services->Security
  • Select "Centralized SSL Certificate Support" and click on ok.
    image
  • Centralized Certificates is installed successfully.

Configuring Central Certificates Store

  1. Launch IIS Manager.
  2. Under "Connections" select <MachineName>.
    image
  3. In the middle-pane, under "Management", double-click on "Centralized Certificates"
    image
  4. Under "Actions" pane select Edit Feature Settings:
    image
  5. Select the check box "Enable Centralized Certificates" and provide the following details:
    image

 

Centralized SSL Certificate Support feature is now ready to be used. One manageability feature that is noteworthy is the ability to group the certificates by their expiration dates
image

How CCS works?

Below steps outline what happens on the server side during a SSL handshake when a CCS binding is configured on IIS 8:

  1. The client and the server establish a TCP connection via TCP handshake.
  2. The client sends a Client Hello to the server. This packet contains
    the specific protocol version,
    list of supported cipher suites along with the hostname (let’s say     www.outlook.com provided its a SNI compliant browser).
    The TCP/IP headers in the packet contain the     IPAddress and the Port number.
  3. The server checks the registry (legacy bindings) to find a certificate hash/thumbprint corresponding to the above combination of IP:Port.
  4. If there is no legacy binding for that IP:Port, then server uses the port number from the Client Hello to check the registry for a CCS binding for this port. The server checks the below key to find the binding information:
     
    HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslCcsBindingInfo
  5. If the above step fails i.e., if the server couldn’t find a corresponding CCS binding for that port, then it would fallback to the legacy binding. (If this is absent then the SSL handshake would fail).
  6. If Step 4 succeeds. The hostname (from Client Hello) is used to generate a filename like hostname.pfx. The filename is passed as a parameter along with the other details (CCS Configuration) to the crypto API’s which in turn call the File System API’s to retrieve the corresponding certificate from the Central Certificate Store (File Share). The retrieved certificate is cached and the corresponding certificate without private key is added to the Server Hello and sent to the client.
  7. If it cannot find a filename, then it falls back to Step 5.

File Naming Conventions

Centralized Certificate Store follows a naming convention for certificates. When the client sends a Client Hello, IIS uses the hostname available from SNI to construct a filename (hostname.pfx), and searches the File share to find this file. Once it finds the file, it loads it in memory and responds to the client with a Server Hello.

For IIS to find the exact file, a naming convention has to be used while storing certificates on the CCS file share. As per naming convention the name of the certificate should be:

 

Filename Syntax: <subject-name-of-cert.pfx>  

For WildCard and SAN certificates refer the following table for naming convention

 

SL NO

Description

1

Certificate with single Subject Name

      If the subject name is "www.contoso.com" then the IIS provider will look for www.contoso.com.pfx.

2

Wildcard certificate

      The IIS provider uses the underscore character (“_”) as a special character to indicate that it is a wildcard certificate. If the subject name in the SSL certificate is *.contoso.com, then the file name should be "_.contoso.com.pfx".

NOTE: IIS provider would first try to search for a SSL certificate with the filename that exactly matches the domain name of the destination site. For example, if the destination site is www.contoso.com, the IIS provider first tries to locate www.consoto.com.pfx.  If that is unsuccessful, then it tries to locate _.contoso.com 

 

3

SAN Certificates

        In this case, the certificate must be duplicated with the file names matching Subject names in the certificate. For example, if the certificate is issued for "www.contoso1.com" & "www.contoso2.com", then the file names should be www.contoso1.com.pfx www.contoso2.com.pfx respectively.

So if the SAN Certificate is issued for 3 hostnames then there would be 3 files corresponding to the 3 hostnames .

NOTE: A SAN Certificate is like a global set. It can also be a wild card certificate  

 

 

Configuring a website to use CCS bindings

  1. Open IIS manager

  2. Under Connections pane, right click "Sites" and select "Add Website…"

  3. Fill the details as shown below
        Site name: CentralSSL0
        Physical path: C:\inetpub\wwwroot\CentralSSL0\
        Type: https
        Hostname: CentralSSL0
            NOTE: In Windows Server 8, host name must be specified when using CCS. The value depends on the certificate being used.

  4. Require Server Name Indication: Selected

  5. Use Centralized Certificate Store: Selected
    NOTE: There is no need to select a specific certificate.

  6. With the use of SNI and the naming contract, the corresponding certificate is selected automatically. In this example, IIS tries to read CentralSSL0.pfx from the Centralized SSL Certificates file share.

    image

  7. Click OK.

You have successfully created a website using Centralized Certificate Store. The management experience is similar to that of Shared Configuration and traditional SSL. There are some differences though:

  • The certificates are stored centrally on a file share.
  • Host name has to be specified for SSL site when using CCS.
  • SSL binding is not managed explicitly 1-to-1. They are loaded on-demand.

More on CCS Bindings

To view the CCS bindings we execute the same netsh command as earlier. Execute the following from an elevated command prompt:

 

netsh http show sslcert

 

NOTE: the first line in the output reads "Central Certificate store" and not "IP:Port", as in earlier versions of IIS. The "Certificate Hash" is "null" too.

The null indicates that the certificates are loaded on runtime.

 

The above command reads the following registry key and enumerates the values. Below is the location

 

HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslCcsBindingInfo

In IIS 8, a new attribute called SSLFlags was introduced. This attribute specifies whether the SSL binding is using SNI or CCS or both. 

 

Using

CCS

Using SNI

sslFlags

Description

0

0

0

Legacy SSL binding. Neither uses SNI nor CCS

0

1

1

SSL binding using SNI.

1

0

2

SSL binding uses CCS, but SNI is not enforced.

1

1

3

SSL binding uses CCS, but SNI is enforced.

 

If the sslFlags attribute is set to either 2 or 3, then it is using the CCS bindings. If you check the applicationhost.config this is what the binding section would contain:

 

<bindings> 
    <binding protocol="https" bindingInformation="*:443:centralssl0" sslFlags="2" /> 
</bindings>

 

However, you wont find the configuration for the CCS Module in applicationhost.config. Well, this information is not stored in any of the config files. It is stored in registry under the following node:

 

HKLM\SOFTWARE\Microsoft\IIS\CentralCertProvider

 

However,  you wont find the configuration for the CCS Module in applicationhost.config. This information is not stored in any of the config files.

 

RESOURCES

 

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.