Configuring IIS 8.0 Centralized Certificate Store and PowerShell
IIS 8 has a new feature that greatly improves certificate management. Instead of installing certificates to every server and then trying to find them later to update them, IIS 8 has a centralized certificate store for all your certificates in one place.
The mechanics of this are great and it works amazingly well, so I encourage you to grab some background on this. For this blog, I want to address an issue of configuring the store on remote computers and what I had to do to make it work.
First, to install the centralized store to a remote computer:
PS> Invoke-Command -ComputerName Core1 {Install-WindowsFeature Web-CertProvider}
Once installed, there are 6 cmdlets to enable and configure the store on each remote server. Easy huh? Well, not really. The first step is to enable the feature:
PS> Invoke-Command -ComputerName Core1 {Enable-WebCentralCertProvider -CertStoreLocation \\dc\WebCerts -UserName 'company\certuser' -Password P@ssw0rd -PrivateKeyPassword P@ssw0rd}
Unfortunately this breaks. See the store location? The cmdlet “checks” to verify the store location, which in PowerShell terms creates a Multi-Hop issue: the remoting session on Core1 has to reach the share on a second machine, and by default it cannot pass your credentials along for that second hop.
It took me a couple of minutes to figure out a way around this, so here is what I did. The store can be enabled on the remote server in the registry:
PS> Invoke-Command -ComputerName Core1 {Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\IIS\CentralCertProvider\ -Name Enabled -Value 1}
Then I set the store location in the registry:
PS> Invoke-Command -ComputerName Core1 {Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\IIS\CentralCertProvider\ -Name CertStoreLocation -Value \\DC\WebCerts}
Then using the Set-WebCentralCertProvider cmdlet, I could set the username and password settings.
PS> Invoke-Command -ComputerName Core1 {Set-WebCentralCertProvider -UserName Company\certuser -Password P@ssw0rd -PrivateKeyPassword P@ssw0rd}
Worked like a charm! I created new bindings for the websites and all my remote servers use the central store now.
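The same three steps as one added example (not from the original post): it runs against several servers, prompts for the two passwords so they never sit in the command text or console history, and reads the registry values back. The server name Core2 and the variable names are assumptions; the share, registry key and cmdlet are the ones used above.

```powershell
# Added example. 'Core2' is a hypothetical second server.
$servers   = 'Core1', 'Core2'
$storePath = '\\DC\WebCerts'

# Prompt once for the share account and the private key password.
# Both travel to the targets as encrypted SecureString values.
$storeCred = Get-Credential -Message 'Account that reads the certificate share'
$pfxPass   = Read-Host -AsSecureString -Prompt 'Private key password'

$result = Invoke-Command -ComputerName $servers -ScriptBlock {
    $key  = 'HKLM:\SOFTWARE\Microsoft\IIS\CentralCertProvider\'
    $cred = $using:storeCred
    $pfx  = $using:pfxPass

    # Registry workaround: enable the store and point it at the share
    # without the cmdlet's share check (the step that hits the second hop).
    Set-ItemProperty -Path $key -Name Enabled -Value 1
    Set-ItemProperty -Path $key -Name CertStoreLocation -Value $using:storePath

    # Set-WebCentralCertProvider takes plain strings, so decrypt only here,
    # on the target, immediately before the call.
    $plainPfx = (New-Object System.Net.NetworkCredential('', $pfx)).Password
    Set-WebCentralCertProvider -UserName $cred.UserName `
        -Password $cred.GetNetworkCredential().Password `
        -PrivateKeyPassword $plainPfx

    # Read back what was written so the caller can verify every server.
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Enabled           = $p.Enabled
        CertStoreLocation = $p.CertStoreLocation
    }
}

# Flag any server whose settings do not match what was requested.
$result |
    Select-Object PSComputerName, Enabled, CertStoreLocation,
        @{ Name = 'Ok'; Expression = {
            $_.Enabled -eq 1 -and $_.CertStoreLocation -eq $storePath } } |
    Format-Table -AutoSize
```

The account entered at the prompt only needs read access to the certificate share, which keeps a domain administrator password out of the store configuration.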
Sometimes a cmdlet may not work properly over remoting, but with a little patience you can figure out a way! Until next time,
Knowledge is PowerShell,
Jason Helmick
Systems Instructor
Interface Technical Training