Central Certificate Store (CCS) with IIS 8 (Windows Server 2012)
In my previous posts on IIS 8, I discussed how scalability was achieved in IIS 8 via SNI.
Below are the links to previous posts:
In the first post I mentioned that scalability was achieved in IIS via Server Name Indication (SNI) and Central Certificate Store (CCS). In my second post linked above I discussed how scalability was achieved via SNI.
In this article I’ll discuss CCS in detail and also its functionality.
What is CCS?
Central Certificate Store or Centralized SSL Certificate Support is a feature which allows certificates to be stored on a central location like a file share. This feature is very similar to Shared Configuration, where the certificates are stored on a file share and the servers in farm load them on demand.
In CCS the files are exported along with the private key (in .pfx format) and stored centrally on a file share. Files are named specifically using a naming convention and stored in the file share which are loaded on demand basis for an incoming SSL request. CCS uses the Server Name Indication information from the Client Hello for functionality.
Why do we need CCS when we already have SNI?
While SNI addressed only the SSL scalability problem with IIS, CCS addresses both SSL scalability and manageability of the certificates.
Also consider a hosting scenario where typically there are close to 1000 sites. If all of these were SSL enabled, then there would be close to 1000 SSL bindings. These explicit bindings are specific to a site and are loaded in memory during start-up of IIS Services. In case of CCS there exists only binding and the certs are loaded on demand and cached for future use, this way the memory consumption is lesser and there is a slight performance gain.
How does CCS improve manageability of Certificates?
Prior to IIS 8, IIS always picked up the certificates store (Personal store of MY Computer account) which is local to every machine. In case of a stand-alone server this is not a problem. However, consider a web-farm scenario with 2 or more servers in the farm. If one has to configure a site to use SSL, the certificate has to be installed on all the servers along with the private key. If the certificate expires, again the same step has to be repeated on all the servers. So there was lot of manual work involved. If there were more servers in the farm or if you were to introduce another SSL site, it would be a bigger headache for the server admins.
In the server farm, we configure all the servers to use the CCS binding which reads from this Central Certificate Store. Now IIS picks the certificate from the file share and not the local certificate store. The server admins have the task simplified and they need to install/renew the certificate on a single location i.e., the file share.
Installing CCS
Unlike SNI, CCS is not pre-installed it has to be installed separately. It is shipped as a native module and has to be installed via the Server Manager console on Windows Server 2012 & via Programs & Features on Windows 8. Below are instructions to
Installing CCS on Windows Server 2012:
· Launch Server Manager.
· Under Manage menu, select Add Roles and Features:
· In "Add Roles and Features Wizard" click "Next".
· Select "Role-based or Feature-based Installation" and click on Next.
· Select the appropriate server (local is selected by default) and click on Next.
· Select Web Server (IIS):
· No additional features are needed for IIS, so click "Next".
· Click on Next again.
· By default, Centralized Certificates is not selected. Expand Security and then select "Centralized SSL Certificates Support" and click on Next.
· Click on Install and wait until the installation completes.
· Upon successful installation the wizard would reflect the status:
Installing CCS on Windows 8:
· Go to run prompt, type "appwiz.cpl", and hit Enter key.
· This would launch the Programs and Features Console.
· Click on "Turn Windows features on or off".
· Select "Internet Information Services" and expand the tree.
· Go to World Web Wide Services->Security
· Select "Centralized SSL Certificate Support" and click on ok.
· Centralized Certificates is installed successfully.
Configuring Central Certificate Store
1. Launch IIS Manager.
2. Under "Connections" select <MachineName>.
3. In the middle-pane, under "Management", double-click on "Centralized Certificates"
4. Under "Actions" pane select Edit Feature Settings:
5. Select the check box "Enable Centralized Certificates" and provide the following details:
Element Name |
Description |
Enable Centralized Certificates |
Select the Enable Centralized Certificates check box if you want to create a central certificate store for your web farm. Otherwise, clear the check box. |
Physical path |
Type the physical path to the directory on the central certificate store server where you want the certificates stored. |
User name |
Type the name of the user account to use when accessing the central certificate store. |
Password |
Enter the password for the User Account |
Confirm password |
Enter the password for User Account again to confirm. |
Private Key Password (Optional) |
|
6. Centralized SSL Certificate Support feature is now ready to be used.
7. One manageability feature that is noteworthy is the ability to group the certificates by their expiration dates:
8. The webserver is setup to use Centralized Certificate Store.
How CCS works?
Below steps outline, how the SSL handshake works with a CCS binding on the IIS 8 web server:
- The client and the server establish a TCP connection via TCP handshake.
- The client sends a Client Hello to the server. This packet contains the specific protocol version, list of supported cipher suites along with the hostname (let’s say www.outlook.com provided its a SNI compliant browser). The TCP/IP headers in the packet contain the IPAddress and the Port number.
- The server checks the registry (legacy bindings) to find a certificate hash/thumbprint corresponding to the above combination of IP:Port.
- If there is no legacy binding for that IP:Port, then server uses the port number from the Client Hello to check the registry for a CCS binding for this port. The server checks the below key to find the binding information: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslCcsBindingInfo
- If the above step fails i.e., if the server couldn’t find a corresponding CCS binding for that port, then it would fallback to the legacy binding. (If this is absent then the SSL handshake would fail).
- If Step 4 succeeds. The hostname (from Client Hello) is used to generate a filename like hostname.pfx. The filename is passed as a parameter along with the other details (CCS Configuration) to the crypto API’s which in turn call the File System API's to retrieve the corresponding certificate from the Central Certificate Store (File Share) . The retrieved certificate is cached and the corresponding certificate without private key is added to the Server Hello and sent to the client.
- If it cannot find a filename, then it falls back to Step 5.
File Naming Convention
Centralized Certificate Store follows a specific naming convention for the certificates. When the client sends a Client Hello, IIS uses the hostname available from SNI to construct a filename (hostname.pfx), and searches the File share to find this file. Once it finds the file it loads it in memory and responds to the client with a Server Hello.
For IIS to find the exact file match, a naming convention has to be used while storing certificates on the CCS file share. As per naming convention the name of the certificate should be:
Filename Syntax: <subject-name-of-cert.pfx>
But how does IIS handle Wild-Card & SAN Certificates. What is the naming convention for such certificates? Below is the solution:
SL NO |
Description |
||
1 |
Certificate with single Subject Name If the subject name is "www.contoso.com" then the IIS provider will look for www.contoso.com.pfx). |
||
2 |
Wildcard certificate The IIS provider uses the underscore character (“_”) as a special character to indicate that it is a wildcard certificate. If the subject name in the SSL certificate is *.contoso.com, then the file name should be " _.contoso.com.pfx".
|
||
3 |
SAN Certificates In this case, the certificate must be duplicated with the file names matching Subject names in the certificate. For example, if the certificate is issued for "www.contoso1.com" & "www.contoso2.com", then the file names should be www.contoso1.com.pfx & www.contoso2.com.pfx, respectively. So if the SAN Certificate is issued for 3 hostnames then there would be 3 files for those 3 hostnames respectively.
|
Configuring a website to use CCS Bindings
1. Open IIS Manager.
2. Under Connections pane, right click "Sites" and select "Add Website… "
3. Fill the details as shown below
a. Site name: CentralSSL0
b. Physical path: C:\inetpub\wwwroot\CentralSSL0\
c. Type: https
d. Hostname: CentralSSL0
· In Windows Server 8, host name must be specified when using CCS. (New )
· The value depends on the certificate being used.
e. Require Server Name Indication: Selected
f. Use Centralized Certificate Store: Selected
NOTE: There is no need to select a specific certificate.
g. With the use of SNI and the naming contract, the corresponding certificate is selected automatically. In this example, IIS tries to read CentralSSL0.pfx from the Centralized SSL Certificates file share.
h. Click on "OK".
You have successfully created a website using Centralized Certificate Store. The management experience is similar to that of Shared Configuration and traditional SSL. There are some differences though:
· The certificates are stored centrally on a file share.
· Host name has to be specified for SSL site when using CCS.
· SSL binding is not managed explicitly 1-to-1. They are loaded on-demand.
CCS Bindings
To view the CCS bindings we execute the same netsh command as earlier. Execute the following from an elevated command prompt:
netsh http show sslcert
NOTE: the first line in the output reads "Central Certificate store" and not "IP:Port", as in earlier versions of IIS. The "Certificate Hash" is "null" too. The null indicates that the certificates are loaded on runtime. |
The above command reads the following registry key and enumerates the values. Below is the location:
HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslCcsBindingInfo
CCS Configuration
In my previous post I had mentioned a new attribute called sslFlags. This attribute specifies whether the SSL binding is using SNI or CCS or both. CCS Configuration
Using CCS |
Using SNI |
sslFlags |
Description |
0 |
0 |
0 |
Legacy SSL binding. Neither uses SNI nor CCS |
0 |
1 |
1 |
SSL binding using SNI. |
1 |
0 |
2 |
SSL binding uses CCS, but SNI is not enforced. |
1 |
1 |
3 |
SSL binding uses CCS, but SNI is enforced. |
If the sslFlags attribute is set to either 2 or 3, then it is using the CCS bindings. If you check the applicationhost.config this is what the binding section would contain:
<bindings> < binding protocol="https" bindingInformation="*:443:centralssl0" sslFlags="2" /> < /bindings> |
| NOTE: The IIS manager exposes the above settings via configuration API’s in the IIS UI. It is not recommended to change the registry values directly. You will have to start |
However, you wont find the configuration for the CCS Module in applicationhost.config. Well, this information is not stored in any of the config files. It is stored in registry under the following node:
HKLM\SOFTWARE\Microsoft\IIS\CentralCertProvider
However, you wont find the configuration for the CCS Module in applicationhost.config. Well, this information is not stored in any of the config files
More Information:
· Microsoft Virtual Academy: IIS8 Centralized Certificate Store
· IIS 8.0 Centralized SSL Certificate Support: SSL Scalability and Manageability
· Plan SSL Central Certificate Store
I’m not done yet. There are few things that I need to address like, if someone has all the 3 types of bindings then which cert would be served? I’m not going to answer it now.
I will do it in my next blog post. Until then Ciao! 