Introduction to IIS Centralized Certificate Store on Windows Server 2019

The IIS Centralized Certificate Store (CCS) allows you to store SSL/TLS certificates on a central UNC file share and have all IIS servers in a web farm read certificates directly from that share. Without CCS, you must manually install and renew certificates on every individual IIS server in your farm. With CCS, you manage certificates in one location — add a new certificate to the share, and all farm nodes immediately pick it up. This is essential for web farm deployments and dramatically simplifies certificate lifecycle management. Windows Server 2019 fully supports CCS with both SNI-based and IP-based certificate bindings.

How CCS Works

Certificates in CCS are stored as PFX (PKCS#12) files on a UNC file share. The filename of each PFX corresponds directly to the hostname it certifies — for example, www.corp.example.com.pfx. When a TLS handshake occurs, IIS resolves the hostname from the SNI extension in the Client Hello, constructs the PFX filename from that hostname, reads the certificate from the share, and uses it for the handshake. All PFX files in the store are encrypted with the same password, which IIS stores as an encrypted value in its configuration.

Prerequisites

# Install the CCS IIS feature on each web server
Install-WindowsFeature -Name Web-CertProvider -IncludeManagementTools

# Verify installation
Get-WindowsFeature -Name Web-CertProvider | Select-Object Name, InstallState

# Confirm the module is loaded
Get-WebConfiguration -Filter "system.webServer/globalModules/add" |
    Where-Object name -match "CentralCertProvider" | Select-Object name

Create the Certificate Store Share

The CCS share should be on a highly available file server (DFS namespace or clustered file server). The IIS service accounts on all web nodes need read access to this share:

# On the file server — create the CCS directory
New-Item -ItemType Directory -Path "D:\CentralCertStore" -Force

# Create the SMB share with restricted permissions.
# IIS-Web-Nodes: security group holding the IIS node computer accounts (or the
# read-only service account that CCS is configured with on the nodes).
# The NTFS permissions on D:\CentralCertStore must allow the same accounts.
New-SmbShare `
    -Name "CertStore" `
    -Path "D:\CentralCertStore" `
    -ReadAccess "corp\IIS-Web-Nodes" `
    -FullAccess "corp\CertAdmins", "SYSTEM"

# Verify share
Get-SmbShare -Name "CertStore" | Select-Object Name, Path, Description

Prepare Certificates for CCS

Each certificate PFX file must be named after the hostname it serves. The naming rules are:

– For a certificate serving www.corp.example.com, name the file www.corp.example.com.pfx.

– For a wildcard certificate serving *.corp.example.com, name the file _.corp.example.com.pfx (underscore replaces the asterisk).

– All PFX files must be encrypted with the same password.

# Export an existing certificate to PFX with the correct filename
# (dots are escaped so -match compares the literal hostname)
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My" |
    Where-Object Subject -match "www\.corp\.example\.com" |
    Select-Object -First 1

$password = ConvertTo-SecureString "CertStorePassword123!" -AsPlainText -Force
$pfxPath = "\\fileserver\CertStore\www.corp.example.com.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password

# For wildcard certificate (the asterisk must be escaped in the regex,
# otherwise -match throws an invalid-pattern error)
$wildCert = Get-ChildItem -Path "Cert:\LocalMachine\My" |
    Where-Object Subject -match "\*\.corp\.example\.com" |
    Select-Object -First 1

Export-PfxCertificate -Cert $wildCert `
    -FilePath "\\fileserver\CertStore\_.corp.example.com.pfx" `
    -Password $password

# List the CCS share contents
Get-ChildItem -Path "\\fileserver\CertStore" | Select-Object Name, Length, LastWriteTime

Enable CCS on Each IIS Server

Enable CCS on every IIS server in the farm. This is configured via IIS Manager or with the *-IISCentralCertProvider cmdlets from the IISAdministration PowerShell module, which work once the Web-CertProvider feature is installed:

# Enable CCS on this IIS server
# Parameters: UNC path to the certificate store, username and password for
# accessing the share, and the password all PFX files are encrypted with
Import-Module IISAdministration   # provides the *-IISCentralCertProvider cmdlets

$certStorePassword = "CertStorePassword123!"    # Password all PFX files are encrypted with
$shareUserName     = "corp\svc-iis-certreader"  # Service account with read access to share
$sharePassword     = "ShareAccessPass123!"

Enable-IISCentralCertProvider `
    -CertStoreLocation "\\fileserver\CertStore" `
    -UserName $shareUserName `
    -Password $sharePassword `
    -PrivateKeyPassword $certStorePassword

# Verify CCS is enabled
Get-IISCentralCertProvider

Create HTTPS Bindings Using CCS

When adding HTTPS bindings that use CCS, specify SslFlags of 3 (SNI + CCS). This tells IIS to look up the certificate in the central store based on the hostname rather than using a locally installed certificate:

# Create an HTTPS binding using CCS (SslFlags = 3 means SNI + CentralCertStore)
New-WebBinding `
    -Name "Default Web Site" `
    -Protocol "https" `
    -Port 443 `
    -HostHeader "www.corp.example.com" `
    -SslFlags 3

# For a new site: give the binding a host header, because CCS derives the PFX
# filename from the SNI hostname and cannot serve a binding that has none
# (secure.corp.example.com is a placeholder hostname)
New-WebSite `
    -Name "SecureSite" `
    -PhysicalPath "C:\inetpub\SecureSite" `
    -Port 443 `
    -HostHeader "secure.corp.example.com" `
    -Ssl

# Update the binding to use CCS
Set-WebBinding `
    -Name "SecureSite" `
    -BindingInformation "*:443:secure.corp.example.com" `
    -PropertyName sslFlags `
    -Value 3

# Verify bindings
Get-WebBinding | Where-Object Protocol -eq "https" |
    Select-Object bindingInformation, sslFlags | Format-Table
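The naming rules above and the SslFlags value decide together whether a binding can be served from the store, so the check worth running on each farm node is: for every HTTPS binding, derive the PFX filename CCS will look for and confirm it exists on the share. The script below is an added example, not code from the original article or from IIS; the share path, the hostnames and the sample bindings are constructed, and it assumes the lookup order implied by the naming rules (exact hostname file first, then the wildcard file with the leftmost label replaced by "_").

```powershell
# Added example; not part of the original article. Share path, hostnames and
# the sample bindings are constructed. Lookup order assumed: exact hostname
# file first, then the wildcard file with the leftmost label replaced by "_".

function Get-CcsCandidateFileNames {
    param([Parameter(Mandatory)][string]$HostName)
    $h = $HostName.ToLowerInvariant()
    $candidates = @("$h.pfx")
    $labels = $h.Split('.')
    if ($labels.Count -gt 2) {
        # Wildcard fallback: "_" stands in for "*" because "*" is not a valid filename character
        $candidates += ('_.' + ($labels[1..($labels.Count - 1)] -join '.') + '.pfx')
    }
    return $candidates
}

function Test-CcsBindingCoverage {
    param(
        [Parameter(Mandatory)][object[]]$Bindings,        # objects shaped like Get-WebBinding output
        [Parameter(Mandatory)][string[]]$StoreFileNames   # .pfx filenames present on the share
    )
    $present = @{}
    foreach ($f in $StoreFileNames) { $present[$f.ToLowerInvariant()] = $true }

    foreach ($b in $Bindings) {
        if ($b.protocol -ne 'https') { continue }
        $flags = [int]$b.sslFlags
        # bindingInformation is ip:port:hostname; the hostname follows the last colon
        # (this also works for bracketed IPv6 addresses)
        $info = [string]$b.bindingInformation
        $hostName = $info.Substring($info.LastIndexOf(':') + 1)
        $file = $null
        if (($flags -band 2) -eq 0) {
            $status = 'LocalCert'     # still bound to a locally installed certificate
        } elseif (($flags -band 1) -eq 0 -or [string]::IsNullOrEmpty($hostName)) {
            $status = 'NoHostName'    # CCS cannot derive a filename without SNI + hostname
        } else {
            $file = Get-CcsCandidateFileNames -HostName $hostName |
                Where-Object { $present[$_] } | Select-Object -First 1
            $status = if ($file) { 'OK' } else { 'MissingPfx' }
        }
        [pscustomobject]@{ Binding = $info; SslFlags = $flags; PfxFile = $file; Status = $status }
    }
}

# Constructed sample input so the check runs offline. On a farm node use:
#   $bindings = Get-WebBinding
#   $files    = (Get-ChildItem -Path '\\fileserver\CertStore' -Filter '*.pfx').Name
$bindings = @(
    [pscustomobject]@{ protocol = 'https'; bindingInformation = '*:443:www.corp.example.com';      sslFlags = 3 }
    [pscustomobject]@{ protocol = 'https'; bindingInformation = '*:443:intranet.corp.example.com'; sslFlags = 3 }
    [pscustomobject]@{ protocol = 'https'; bindingInformation = '*:443:';                          sslFlags = 3 }
    [pscustomobject]@{ protocol = 'https'; bindingInformation = '*:443:legacy.corp.example.com';   sslFlags = 0 }
    [pscustomobject]@{ protocol = 'https'; bindingInformation = '*:443:portal.partner.example';    sslFlags = 3 }
    [pscustomobject]@{ protocol = 'http';  bindingInformation = '*:80:';                           sslFlags = 0 }
)
$files = @('www.corp.example.com.pfx', '_.corp.example.com.pfx')

Test-CcsBindingCoverage -Bindings $bindings -StoreFileNames $files | Format-Table -AutoSize
```

With the constructed input, the www binding resolves to its exact file, the intranet binding falls through to the wildcard file, the host-less binding and the partner hostname are reported as unservable, and the legacy binding is flagged as still using a local certificate. A `MissingPfx` or `NoHostName` row is a handshake failure waiting to happen on every node at once, which is why this belongs in the farm's deployment checks rather than in a post-incident review.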

Add a New Certificate to the Store

Adding a new certificate to the farm requires only copying the PFX to the share — no changes to IIS configuration on any server:

# Add a new certificate for a new hostname
$newCert = Get-ChildItem -Path "Cert:\LocalMachine\My" |
    Where-Object Subject -match "api\.corp\.example\.com" |
    Select-Object -First 1

$pfxPass = ConvertTo-SecureString "CertStorePassword123!" -AsPlainText -Force
Export-PfxCertificate `
    -Cert $newCert `
    -FilePath "\\fileserver\CertStore\api.corp.example.com.pfx" `
    -Password $pfxPass

# IIS picks up the new certificate on the next TLS handshake for api.corp.example.com
# No IIS restart required!
Write-Host "Certificate deployed to CCS. New hostname is immediately available."

Renew Certificates in CCS

Certificate renewal in CCS is simple — overwrite the existing PFX file with the renewed certificate. IIS uses file read operations per connection, so the renewed certificate is used immediately on new connections while existing connections continue with the old certificate until they close:

# Renew a certificate and update in CCS
# 1. Obtain renewed certificate (from CA or Let's Encrypt)
# 2. Import to LocalMachine\My on any server temporarily
# 3. Export with the same PFX password
$renewedCert = Get-ChildItem -Path "Cert:\LocalMachine\My" |
    Where-Object { $_.Subject -match "www\.corp\.example\.com" -and $_.NotAfter -gt (Get-Date).AddDays(30) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

$pfxPass = ConvertTo-SecureString "CertStorePassword123!" -AsPlainText -Force
$pfxPath = "\\fileserver\CertStore\www.corp.example.com.pfx"

# Backup old certificate
Copy-Item -Path $pfxPath -Destination "$pfxPath.bak-$(Get-Date -Format 'yyyyMMdd')"

# Overwrite with renewed certificate
Export-PfxCertificate -Cert $renewedCert -FilePath $pfxPath -Password $pfxPass -Force
Write-Host "Certificate renewed in CCS. Effective immediately on all farm nodes."
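Because adding and renewing certificates is just a file copy, the store itself is the only place a mistake shows up: a PFX exported with a different password, a renewed file whose subject no longer matches its filename, or a certificate that was never renewed at all. The audit below is an added example, not code from the original article or from IIS; it opens every PFX on the share with the store password and reports files that cannot be opened, filename/subject mismatches, and expiry. The share path, the throwaway demo certificates and the 30-day warning window are assumptions, and it relies on the EphemeralKeySet flag available in .NET Framework 4.7.2 and later (inbox on Windows Server 2019).

```powershell
# Added example; not part of the original article. The share path, the demo
# certificates and the 30-day warning window are constructed/assumed.
# Requires .NET Framework 4.7.2+ for EphemeralKeySet (inbox on Server 2019).

function Test-CcsStore {
    param(
        [Parameter(Mandatory)][string]$StorePath,
        [Parameter(Mandatory)][securestring]$PfxPassword,
        [int]$WarnDays = 30
    )
    $now    = Get-Date
    $cutoff = $now.AddDays($WarnDays)
    foreach ($pfx in Get-ChildItem -Path $StorePath -Filter '*.pfx' -File) {
        # Hostname CCS serves from this file: the filename without .pfx, "_" meaning "*"
        $expectedHost = $pfx.BaseName
        if ($expectedHost.StartsWith('_.')) { $expectedHost = '*' + $expectedHost.Substring(1) }
        $r = [ordered]@{ File = $pfx.Name; ExpectedHost = $expectedHost; NotAfter = $null; Status = $null; Detail = $null }
        try {
            # EphemeralKeySet keeps the private key in memory only; no key container is written to disk
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                $pfx.FullName, $PfxPassword,
                [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet)
            $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })   # SAN DNS names
            $r.NotAfter = $cert.NotAfter
            if (-not $cert.HasPrivateKey)              { $r.Status = 'NoPrivateKey' }
            elseif ($names -notcontains $expectedHost) { $r.Status = 'NameMismatch'; $r.Detail = $names -join ', ' }
            elseif ($cert.NotAfter -lt $now)           { $r.Status = 'Expired' }
            elseif ($cert.NotAfter -lt $cutoff)        { $r.Status = 'ExpiringSoon' }
            else                                       { $r.Status = 'OK' }
            $cert.Dispose()
        } catch {
            # Wrong password or unreadable file: every node would fail the handshake for this host
            $r.Status = 'CannotOpen'; $r.Detail = $_.Exception.Message
        }
        [pscustomobject]$r
    }
}

# Self-contained demo with throwaway self-signed certificates (constructed test data),
# so the audit can be exercised without touching the production share.
$demoStore    = Join-Path $env:TEMP 'ccs-demo'
New-Item -ItemType Directory -Path $demoStore -Force | Out-Null
$demoPassword = ConvertTo-SecureString 'DemoOnly123!' -AsPlainText -Force
$demoCerts = @{
    'www.corp.example.com.pfx' = 'www.corp.example.com'
    '_.corp.example.com.pfx'   = '*.corp.example.com'
    'api.corp.example.com.pfx' = 'old-name.corp.example.com'   # deliberate filename/subject mismatch
}
foreach ($file in $demoCerts.Keys) {
    $c = New-SelfSignedCertificate -DnsName $demoCerts[$file] -CertStoreLocation 'Cert:\CurrentUser\My' `
                                   -NotAfter (Get-Date).AddDays(20)
    Export-PfxCertificate -Cert $c -FilePath (Join-Path $demoStore $file) -Password $demoPassword | Out-Null
    Remove-Item -Path "Cert:\CurrentUser\My\$($c.Thumbprint)"   # keep the demo cert out of the user store
}
Test-CcsStore -StorePath $demoStore -PfxPassword $demoPassword | Format-Table -AutoSize

# Against the real store (password prompted rather than embedded in the script):
#   $pw = Read-Host -Prompt 'PFX password' -AsSecureString
#   Test-CcsStore -StorePath '\\fileserver\CertStore' -PfxPassword $pw | Format-Table -AutoSize
```

Run from a machine that has read access to the share, this gives the same view of the store that every farm node gets, and a `CannotOpen` or `NameMismatch` row identifies a file that should be re-exported before the next handshake for that hostname fails. Scheduling it with the warning window set to the renewal lead time turns the "certificate expiry caused by missing updates" problem into an alert instead of an outage.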

Disable CCS

# Disable CCS if migrating back to local certificates
Disable-IISCentralCertProvider

# Verify
Get-IISCentralCertProvider

Summary

IIS Centralized Certificate Store on Windows Server 2019 transforms certificate management in web farm environments from a per-server manual process into a single-location operation. By naming PFX files after hostnames and storing them on a highly available UNC share, all farm nodes automatically serve the correct certificate for any hostname. Certificate renewals require only overwriting a single PFX file. For organisations managing dozens of hostnames across multiple IIS servers, CCS reduces certificate management effort by an order of magnitude and eliminates certificate expiry caused by missing updates on individual nodes.