Configuring IIS 8.0 Centralized Certificate Store and PowerShell



Jason Helmick
March 29, 2013

IIS 8 has a new feature that greatly improves certificate management. Instead of installing certificates to every server and then trying to find them later to update them, IIS 8 has a centralized certificate store for all your certificates in one place.

The mechanics of this are great and it works amazingly well, so I encourage you to grab some background on this. For this blog, I want to address an issue with configuring the store on remote computers and what I had to do to make it work.

First, to install the centralized store to a remote computer:

PS> Invoke-Command -ComputerName Core1 {Install-WindowsFeature Web-CertProvider}

Once installed, there are 6 cmdlets to enable and configure the store on each remote server.  Easy huh?  Well, not really. The first step is to enable the feature:

PS> Invoke-Command -ComputerName Core1 {Enable-WebCentralCertProvider -CertStoreLocation \\dc\WebCerts -UserName 'company\certuser' -Password P@ssw0rd -PrivateKeyPassword P@ssw0rd}

Unfortunately this breaks. See the store location?  The cmdlet "checks" the store location by opening the UNC path from inside the remote session, and that session has no credential it can pass on to the file server. In PowerShell terms this is the classic multi-hop (second hop) issue, and the check fails before anything is enabled.


It took me a couple of minutes to figure out a way around this, so here is what I did. The store can be enabled on the remote server in the registry:

PS> Invoke-Command -ComputerName Core1 {Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\IIS\CentralCertProvider\ -Name Enabled -Value 1}

Then I set the store location in the registry:

PS> Invoke-Command -ComputerName Core1 {Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\IIS\CentralCertProvider\ -Name CertStoreLocation -Value \\DC\WebCerts}

Then using the Set-WebCentralCertProvider cmdlet, I could set the username and password settings.

PS> Invoke-Command -ComputerName Core1 {Set-WebCentralCertProvider -UserName Company\certuser -Password P@ssw0rd -PrivateKeyPassword P@ssw0rd}

Worked like a charm!  I created new bindings for the websites and all my remote servers use the central store now.
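The three-step workaround above, wrapped into one function as an added example (this is not code from the original post): it writes the registry values, calls Set-WebCentralCertProvider, and reads the registry back so you can confirm each server really has the store enabled. It assumes Web-CertProvider is already installed on the targets, that the WebAdministration module is available there, and that the share account is supplied as a PSCredential instead of a plaintext password on the command line; the function name and parameter names are my own.

```powershell
# Added example: configure the IIS 8 central certificate store on remote servers
# using the registry workaround from the post, then verify the result.
function Set-RemoteCentralCertStore {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]     $ComputerName,
        [Parameter(Mandatory)] [string]       $CertStoreLocation,   # e.g. \\dc\WebCerts
        [Parameter(Mandatory)] [pscredential] $ShareCredential,     # account that reads the share
        [Parameter(Mandatory)] [securestring] $PrivateKeyPassword   # password protecting the .pfx files
    )

    # Enabled and CertStoreLocation go straight into the registry, because the
    # remote session cannot open the UNC path itself (second hop).
    $remote = {
        param($Location, $User, $Password, $PfxPassword)
        $key = 'HKLM:\SOFTWARE\Microsoft\IIS\CentralCertProvider'
        Set-ItemProperty -Path $key -Name Enabled -Value 1
        Set-ItemProperty -Path $key -Name CertStoreLocation -Value $Location
        Import-Module WebAdministration
        Set-WebCentralCertProvider -UserName $User -Password $Password -PrivateKeyPassword $PfxPassword
        # Read back the two values we wrote so the caller can verify them.
        Get-ItemProperty -Path $key | Select-Object Enabled, CertStoreLocation
    }

    # Plaintext only exists for the duration of the remoting call (WinRM encrypts the channel).
    $user = $ShareCredential.UserName
    $pass = $ShareCredential.GetNetworkCredential().Password
    $pfx  = [System.Net.NetworkCredential]::new('', $PrivateKeyPassword).Password

    foreach ($computer in $ComputerName) {
        $result = Invoke-Command -ComputerName $computer -ScriptBlock $remote `
                                 -ArgumentList $CertStoreLocation, $user, $pass, $pfx
        if ($result.Enabled -ne 1 -or $result.CertStoreLocation -ne $CertStoreLocation) {
            Write-Warning "$computer : store not enabled or path mismatch ($($result.CertStoreLocation))"
        }
        $result   # carries PSComputerName, so output can be piped to Format-Table
    }
}

# Usage with constructed values: prompt for the share account and pfx password.
# $cred = Get-Credential 'company\certuser'
# $pfx  = Read-Host -AsSecureString 'Private key password'
# Set-RemoteCentralCertStore -ComputerName Core1, Core2 -CertStoreLocation \\dc\WebCerts `
#     -ShareCredential $cred -PrivateKeyPassword $pfx
```

The share account only needs read access to the certificate share; it is the identity IIS uses to fetch .pfx files, so avoid reusing a privileged account for it.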

Sometimes a cmdlet may not work properly over remoting, but with a little patience you can figure out a way!  Until next time,

Knowledge is PowerShell,

Jason Helmick
Systems Instructor
Interface Technical Training

Comments

  1. ben

    Thank you for this post, I am trying to set this up. Does the store and cmdlets need to be installed/enabled on each and every IIS server? or is the store on a central server and the cmdlets enabled on each server?

  2. Sheren

    Hi Chris, on your environment you might need to get a third party tool, instead of this PowerShell script. I saw that some people use NetIQ, that needs to deploy agents on every DC that you have deployed on your environment, and get all the security events consolidated into a central console, from where you can get all the information about user account lockouts. On the other hand, if you also have deployed SCOM on your environment you can use rules to catch up all your environment events, but let's consider that surely there are going to be a bunch of them and a bunch of alerts coming through email. Hope it helps.
