IIS 8 has a new feature that greatly improves certificate management. Instead of installing certificates to every server and then trying to find them later to update them, IIS 8 has a centralized certificate store for all your certificates in one place.
The mechanics of this are great and it works amazingly well, so I encourage you to grab some background on this. For this blog, I want to address an issue of configuring the store on remote computers and what I had to do to make it work.
First, to install the centralized store to a remote computer:
PS> Invoke-Command -ComputerName Core1 {Install-WindowsFeature Web-CertProvider}
Once installed, there are 6 cmdlets to enable and configure the store on each remote server. Easy, huh? Well, not really. The first step is to enable the feature:
PS> Invoke-Command -ComputerName Core1 {Enable-WebCentralCertProvider -CertStoreLocation \\dc\WebCerts -UserName 'company\certuser' -Password P@ssw0rd -PrivateKeyPassword P@ssw0rd}
Unfortunately this breaks. See the store location? The cmdlet “checks” to verify the store location, which in PowerShell terms creates a Multi-Hop issue.
It took me a couple of minutes to figure out a way around this, so here is what I did. The store can be enabled on the remote server in the registry:
PS> Invoke-Command -ComputerName Core1 {Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\IIS\CentralCertProvider\ -Name Enabled -Value 1}
Then I set the store location in the registry:
PS> Invoke-Command -ComputerName Core1 {Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\IIS\CentralCertProvider\ -Name CertStoreLocation -Value \\DC\WebCerts}
Then using the Set-WebCentralCertProvider cmdlet, I could set the username and password settings.
PS> Invoke-Command -ComputerName Core1 {Set-WebCentralCertProvider -UserName Company\certuser -Password P@ssw0rd -PrivateKeyPassword P@ssw0rd}
Worked like a charm! I created new bindings for the websites and all my remote servers use the central store now.
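The same registry workaround as an added example (not the author's code), written so that the passwords are prompted for rather than typed into the command text. The server name, share path and registry key come from the post; the variable names and the placeholder user name 'pfx' are assumptions.

```powershell
# Added example: values below are the ones used in the post; adjust for your environment.
$servers       = 'Core1'            # remote IIS server(s)
$storeLocation = '\\DC\WebCerts'    # UNC share that holds the .pfx files

# Prompt once. The passwords never appear in the script, the console history,
# or the script block text sent to the remote machine.
$storeCred = Get-Credential -Message 'Account that reads the certificate share'
$pfxCred   = Get-Credential -UserName 'pfx' -Message 'Password protecting the .pfx private keys'

Invoke-Command -ComputerName $servers -ScriptBlock {
    param($Location, [pscredential]$StoreCred, [pscredential]$PfxCred)

    $key = 'HKLM:\SOFTWARE\Microsoft\IIS\CentralCertProvider'

    # Writing the registry directly skips the share check that
    # Enable-WebCentralCertProvider performs from inside the remote session.
    Set-ItemProperty -Path $key -Name Enabled -Value 1
    Set-ItemProperty -Path $key -Name CertStoreLocation -Value $Location

    # The cmdlet takes plain strings, so unwrap the passwords only here,
    # on the target server, at the moment they are needed.
    Set-WebCentralCertProvider -UserName $StoreCred.UserName `
        -Password $StoreCred.GetNetworkCredential().Password `
        -PrivateKeyPassword $PfxCred.GetNetworkCredential().Password

    # Return what was written so each server's result can be checked.
    Get-ItemProperty -Path $key | Select-Object Enabled, CertStoreLocation
} -ArgumentList $storeLocation, $storeCred, $pfxCred
```

Only the password of the second prompt is used; its user name is ignored.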
Sometimes a cmdlet may not work properly over remoting, but with a little patience you can figure out a way! Until next time,
Knowledge is PowerShell,
Jason Helmick
Systems Instructor
Interface Technical Training
The post Configuring IIS 8.0 Centralized Certificate Store and PowerShell appeared first on Interface Technical Training.