
Q: Can we use IIS Shared Configuration to share SSL configuration data and certificates between different web servers?

A: Yes, this type of sharing is possible in IIS 8, which is bundled with Windows Server 2012, through the new Centralized SSL Certificate Support feature. Microsoft introduced the IIS Shared Configuration feature in Windows Server 2008 to let multiple web servers share the same configuration that's stored on a central file share. Changes to the central master configuration file are automatically propagated across the different web servers pointing to the shared configuration store.

Centralized SSL Certificate Support lets web server administrators store and access SSL/TLS X.509 certificates centrally on a file share. This location can be the same share that's used by the Shared Configuration feature; see the Microsoft article "Shared Configuration" for more details about how to set up this feature.

Centralized SSL Certificate Support eases SSL/TLS certificate management on web servers. Simple tasks such as renewing a certificate don't have to be repeated on every individual web server. Also, adding a new server to a web farm and SSL-enabling it becomes much easier.

Centralized SSL Certificate Support is an optional feature of IIS 8 that isn't installed as part of the default installation. You can install it from Windows Server Manager by selecting Centralized SSL Certificate Support in the Security node of the Role Services for the Web Server Role.

You can configure Centralized SSL Certificate Support from a new configuration item called Centralized Certificates that's located in the Management section underneath the server node in the IIS Manager. Double-click the Centralized Certificates item and select Edit Feature Settings from the Actions pane to open the Edit Centralized Certificates Settings configuration screen that Figure 1 shows.

Figure 1: The Edit Centralized Certificates Settings configuration screen

From this configuration screen, you can enable or disable Centralized SSL Certificate Support, enter the path to the central configuration share, enter the credentials that are needed to access the share, and -- for PKCS #12 certificate files (*.pfx) that are protected with a password -- the password that's needed to unlock access to the certificate in the PKCS #12 file.

After you've configured Centralized SSL Certificate Support, you can use the Centralized Certificates item to browse the certificates in the central share. An interesting manageability feature is the ability to group the certificates by their expiration dates. To do so, use the Group by: Expiration Date option in the Centralized Certificates viewer, as Figure 2 shows.

Figure 2: Grouping certificates by expiration date in the IIS Centralized Certificates viewer

To point a given website to the central SSL certificate store, you must select the new Use Centralized Certificate Store option in the configuration screen for creating a new website or the Site Bindings dialog box, as Figure 3 shows.

Figure 3: Using the Site Bindings dialog box to point a given website to the central SSL certificate store

Note that there's no need to select a specific certificate to be used. IIS leverages the site name that was entered in the configuration screen (in this example "web1") to automatically select the corresponding SSL certificate in the central SSL certificate store.
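The same three steps (enable the feature, bind a site to the central store, review the share by expiry) can be scripted with the WebAdministration module instead of clicking through IIS Manager. This is an added example, not code from the original article; the share path, service account, site name and host name are assumed values, and the site "web1" is assumed to exist already.

```powershell
# Added example (not from the original article): Centralized SSL Certificate
# Support via the WebAdministration module on Windows Server 2012 / IIS 8 or later.
# Share path, service account, site name and host name below are assumed values.
Import-Module WebAdministration

$certShare = '\\fileserver\CentralCerts'   # assumed UNC path of the central share
$siteName  = 'web1'                        # assumed existing IIS site
$hostName  = 'web1.contoso.com'            # assumed host name; the store holds web1.contoso.com.pfx

# Prompt for secrets instead of embedding them in the script.
$shareCred = Get-Credential -Message 'Account with read access to the central certificate share'
$pfxSecure = Read-Host -Prompt 'Password protecting the .pfx private keys' -AsSecureString
$pfxPlain  = [System.Net.NetworkCredential]::new('', $pfxSecure).Password

# 1. Enable the feature (the Edit Centralized Certificates Settings screen in Figure 1).
Enable-WebCentralCertProvider -CertStoreLocation $certShare `
    -UserName $shareCred.UserName `
    -Password $shareCred.GetNetworkCredential().Password `
    -PrivateKeyPassword $pfxPlain
Get-WebCentralCertProvider   # shows Enabled, CertStoreLocation and UserName for verification

# 2. Bind the site to the central store (the Use Centralized Certificate Store option in Figure 3).
#    SslFlags 3 = SNI (1) + Centralized Certificate Store (2). No certificate is selected here:
#    IIS loads the .pfx whose file name matches the host name of the binding.
New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 3

# 3. List the certificates in the share by expiry (what Group by: Expiration Date shows in
#    Figure 2), so renewals are scheduled from one place before a certificate lapses.
Get-ChildItem -Path $certShare -Filter '*.pfx' | ForEach-Object {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $_.FullName, $pfxPlain
    $row = [pscustomobject]@{
        File     = $_.Name
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
    $cert.Reset()   # release the private key handle loaded from the .pfx
    $row
} | Sort-Object NotAfter | Format-Table -AutoSize
```

Step 3 opens each .pfx with the shared private-key password, so run it from an account that is entitled to that password, and keep the plain-text copy out of transcripts and logs.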
