The Central Certificate Store

The Central Certificate Store (CCS) feature of IIS provides a mechanism to place certificates in a file share for use by multiple web servers. This feature can be enabled, disabled, and configured through the CCS API endpoint /api/webserver/centralized-certificates/{id}.

Requirements

To enable the Central Certificate Store, the API must have read access to the physical path that the store will be configured to use. This access is granted in the files section of the application settings. Attempting to set the path of the CCS to a physical path that is not allowed will result in a 403 Forbidden error.

Checking if CCS is enabled

If the Central Certificate Store feature is disabled, the CCS endpoint returns a 404 Feature Not Installed response.

GET /api/webserver/centralized-certificates/{id}, when CCS is not enabled

{
    "title": "Not found",
    "detail": "IIS feature not installed",
    "name": "IIS Central Certificate Store",
    "status": "404"
}

Enabling CCS

To enable the Central Certificate Store, a POST request should be sent to the CCS API endpoint along with all the necessary data to enable the feature.

POST /api/webserver/centralized-certificates/{id}

{
    "path": "\\\\FileShare\\certs",
    "identity": {
        "username": "{Username of windows identity used to access file share}",
        "password": "{Password of windows identity used to access file share}"
    },
    "private_key_password": "{Password used to encrypt private keys}"
}

Updating CCS

The Central Certificate Store settings can be modified by sending a PATCH request to the CCS endpoint with the updated settings.

Disabling CCS

To disable the Central Certificate Store, a DELETE request should be sent to the CCS endpoint.

DELETE /api/webserver/centralized-certificates/{id}

204 No Content
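As an added example (not part of the original documentation), the Python script below checks whether CCS is enabled, builds the enable request body from the previous section, and maps the 404 "feature not installed", 403 "path not allowed" and 204 "disabled" responses described above to a status value. The API host, the Access-Token header and the {id} value are assumptions.

```python
import json
import urllib.error
import urllib.request

API_BASE = "https://localhost:55539"   # assumed host/port of the administration API
ACCESS_TOKEN = "PLACEHOLDER_TOKEN"     # assumed API access token; never hard-code a real one
CCS_ENDPOINT = "/api/webserver/centralized-certificates/{id}"  # {id} as given on the page


def classify_ccs_response(status, body):
    """Interpret a CCS endpoint reply as 'enabled', 'not_installed',
    'path_not_allowed', 'disabled' (after DELETE) or 'error'."""
    if status in (200, 201):
        return "enabled"
    if status == 204:
        return "disabled"
    if status == 403:
        # The files section of the application settings does not grant the API
        # read access to the requested physical path.
        return "path_not_allowed"
    if status == 404:
        try:
            doc = json.loads(body)
        except ValueError:
            doc = {}
        detail = doc.get("detail", "") if isinstance(doc, dict) else ""
        return "not_installed" if detail == "IIS feature not installed" else "error"
    return "error"


def build_enable_body(share_path, username, password, key_password):
    """POST body for enabling CCS; json.dumps escapes the UNC path's backslashes."""
    return {
        "path": share_path,
        "identity": {"username": username, "password": password},
        "private_key_password": key_password,
    }


def ccs_request(method, payload=None):
    """Send GET/POST/PATCH/DELETE to the CCS endpoint and return (status, body)."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(API_BASE + CCS_ENDPOINT, data=data, method=method)
    req.add_header("Access-Token", "Bearer " + ACCESS_TOKEN)  # header name assumed
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 403/404 are returned, not raised, to the caller
        return err.code, err.read().decode()


if __name__ == "__main__":
    status, body = ccs_request("GET")
    print(classify_ccs_response(status, body))
```

To enable the store, pass `ccs_request("POST", build_enable_body(...))` and classify the result the same way; a 403 means the path must first be allowed in the files section of the application settings.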

Reading CCS Certificates

When the Central Certificate Store is enabled, its certificates can be viewed through the certificates API. To populate the CCS certificates, the file share that the CCS is configured to use must allow READ access to the computer that the API is running on. This behavior is the same as using a file share with the files API.