Central Certificate Store Support and Certificate Improvements

Via Microsoft IIS Administration 1.1.0

The Microsoft IIS Administration API is now Generally Available! If you are unfamiliar with the API, check out our earlier post for an introduction.

The capabilities of the IIS Administration API have grown as we incorporate the feedback we receive into the product. The newest release addresses one major request from the community by adding support for managing the IIS Central Certificate Store, along with support for certificate stores other than My. To go with the additional stores, the certificate API itself has been enhanced. These improvements are important milestones as the IIS Administration API evolves into a key tool for managing not only a single IIS instance but an entire farm of web servers.

Central Certificate Store

The Central Certificate Store (CCS) is a feature of IIS that vastly improves the manageability of certificates. Classically, IIS relied on certificates being installed on the local machine. With the CCS, an administrator can set up a file share containing all the certificates a web hosting environment needs and configure multiple machines to use them. This essential feature can now be configured from the new CCS endpoint.

Central Certificate Store API /api/webserver/centralized-certificates/{id}

{
    "id": "{id}",
    "path": "{Physical path of certificate share}",
    "identity": {
        "username": "{CCS-User}"
        // "password": write-only field in which the password for the CCS user is specified
    }
    // "private_key_password": write-only field in which the password needed to read the private keys in the CCS is specified
}
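The CCS resource above can be driven from a script. The following Python is an added example, not code from the IIS Administration project. It assumes things the post does not state: that the API listens on https://localhost:55539, that requests are authorised with an "Access-Token: Bearer <token>" header, and that the resource is changed with an HTTP PATCH. It builds the request that supplies the share path, the CCS user credentials and the private key password, sends it over verified TLS, and makes sure the two write-only secrets never reach a log, either on the way out or in the reply.

```python
"""Configure the IIS Central Certificate Store through the IIS Administration API.

Added example; not code from the IIS Administration project. Assumptions not
stated on the page: the API listens on https://localhost:55539, requests are
authorised with an "Access-Token: Bearer <token>" header, and the CCS resource
is changed with HTTP PATCH.
"""
import json
import ssl
import urllib.request

API_ROOT = "https://localhost:55539"                      # assumed default listener
WRITE_ONLY_FIELDS = {"password", "private_key_password"}  # write-only per the resource above


def build_ccs_patch(token, ccs_id, share_path, username, password, private_key_password):
    """Build the PATCH that points CCS at the share and supplies both secrets."""
    body = {
        "path": share_path,                                # e.g. \\fileserver\certs
        "identity": {"username": username, "password": password},
        "private_key_password": private_key_password,      # protects the PFX private keys on the share
    }
    req = urllib.request.Request(
        f"{API_ROOT}/api/webserver/centralized-certificates/{ccs_id}",
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
    )
    req.add_header("Access-Token", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    return req


def redact(obj):
    """Strip write-only secrets from anything that is about to be logged."""
    if isinstance(obj, dict):
        return {k: redact(v) for k, v in obj.items() if k not in WRITE_ONLY_FIELDS}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def response_leaks_secrets(resource):
    """Names of write-only fields that a reply wrongly echoed back (expected: none)."""
    identity = resource.get("identity") or {}
    return (WRITE_ONLY_FIELDS & set(resource)) | (WRITE_ONLY_FIELDS & set(identity))


def https_transport(req):
    """Send the request over TLS with certificate verification left on."""
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.read()


def configure_ccs(token, ccs_id, share_path, username, password, private_key_password,
                  transport=https_transport):
    """PATCH the CCS resource and return the resource the API sent back."""
    req = build_ccs_patch(token, ccs_id, share_path, username, password, private_key_password)
    # Log the request body only after the secrets have been removed from it.
    print("PATCH", req.full_url, json.dumps(redact(json.loads(req.data))))
    result = json.loads(transport(req))
    leaked = response_leaks_secrets(result)
    if leaked:
        raise RuntimeError(f"API echoed write-only fields: {sorted(leaked)}")
    return result
```

The `transport` argument exists so the function can be exercised against a canned reply without a server; in production leave the default. The CCS user password and the private key password should be read from a secret store rather than typed on a command line, and the share ACL should give the CCS user read access only.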

CCS Web UI

The web management interface at manage.iis.net has been updated to take advantage of the new CCS API. When visiting the Web Server level with IIS Administration 1.1.0 installed, a new Central Certificate Store tab will be available. From this tab the CCS feature can be installed and enabled on the machine.

Web Hosting Store Support

Along with support for the Central Certificate Store, we have added support for Windows certificate stores other than My. The certificates API now includes the certificates present in the Web Hosting store, which is designed to improve IIS performance and keep web server certificates separate from other kinds. A new certificate stores endpoint was added to retrieve the stores that are available. By default these are limited to the My and Web Hosting stores, but additional stores can be exposed through configuration. If CCS is enabled, it is also listed by the new certificate stores endpoint.

Certificate Stores API /api/certificates/stores

{
    "stores": [
        {
            "name": "My",
            "id": "{store-id}",
            "_links": {
                "self": {
                    "href": "/api/certificates/stores/{store-id}"
                }
            }
        },
        {
            "name": "WebHosting",
            "id": "{store-id}"
            // _links removed
        },
        {
            "name": "IIS Central Certificate Store",
            "id": "{store-id}"
            // _links removed
        }
    ]
}

Certificate API Updates

The work on certificates was also a good time to update the certificate resource. These updates add information that was originally missing, such as subject alternative names, and remove fields that provided little or no value, such as the name field. Additionally, the certificates API now supports the HTTP Range header, allowing a subset of the total certificates to be requested.

The Updated Certificate Resource

{
    "alias": "My Self Signed Certificate",
    "id": "{id}",
    "issued_by": "CN=localhost",
    "subject": "CN=localhost",
    "thumbprint": "1E927A29E966FA11A7C469BC565A9E00B11F5F95",
    "signature_algorithm": "sha256RSA",
    "valid_from": "2017-04-12T11:26:26Z",
    "valid_to": "2019-04-12T11:26:26Z",
    "version": "3",
    "intended_purposes": [
        "Client Authentication",
        "Server Authentication"
    ],
    "private_key": {
        "exportable": "false"
    },
    "subject_alternative_names": [
        "DNS Name=localhost",
        "DNS Name=my-work-pc"
    ],
    "store": {
        "name": "My",
        "id": "{store-id}",
        "_links": {
            "self": {
                "href": "/api/certificates/stores/{store-id}"
            }
        }
    }
}
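The fields on the updated resource are enough to decide whether a certificate is safe to bind, and the Range header makes it practical to walk a large store. The following Python is an added example, not code from the IIS Administration project. It assumes, since the post does not say, that the Range header has the form "items=<first>-<last>", that the reply carries "Content-Range: items <first>-<last>/<total>", and that the collection comes back under a "certificates" key; the sample certificates are constructed, the first one modelled on the resource shown above. It pages through the collection and flags expiry, weak signature algorithms, exportable private keys and a SAN list that does not cover the intended hostname.

```python
"""Page through /api/certificates and audit the certificate resources.

Added example; not code from the IIS Administration project. Assumptions not
stated on the page: Range is "items=<first>-<last>", the reply carries
"Content-Range: items <first>-<last>/<total>", and the collection is returned
under a "certificates" key. SAMPLE_CERTIFICATES is constructed test data.
"""
import datetime as dt
import re

WEAK_SIGNATURE_PREFIXES = ("md5", "sha1")   # signature_algorithm values look like "sha1RSA"
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"           # format of valid_from / valid_to on the resource

SAMPLE_CERTIFICATES = [  # constructed; the first mirrors the resource shown on the page
    {"subject": "CN=localhost", "thumbprint": "1E927A29E966FA11A7C469BC565A9E00B11F5F95",
     "signature_algorithm": "sha256RSA", "valid_from": "2017-04-12T11:26:26Z",
     "valid_to": "2019-04-12T11:26:26Z",
     "intended_purposes": ["Client Authentication", "Server Authentication"],
     "private_key": {"exportable": "false"},
     "subject_alternative_names": ["DNS Name=localhost", "DNS Name=my-work-pc"]},
    {"subject": "CN=*.example.test", "thumbprint": "A1" * 20,
     "signature_algorithm": "sha1RSA", "valid_from": "2016-05-01T00:00:00Z",
     "valid_to": "2017-05-20T00:00:00Z", "intended_purposes": ["Server Authentication"],
     "private_key": {"exportable": "true"},
     "subject_alternative_names": ["DNS Name=*.example.test"]},
]


def parse_time(value):
    return dt.datetime.strptime(value, TIME_FORMAT).replace(tzinfo=dt.timezone.utc)


def parse_content_range(header):
    """'items 0-49/120' -> (0, 49, 120)."""
    m = re.fullmatch(r"items (\d+)-(\d+)/(\d+)", header.strip())
    if not m:
        raise ValueError(f"unexpected Content-Range: {header!r}")
    return tuple(int(g) for g in m.groups())


def fetch_all_certificates(fetch_page, page_size=50):
    """fetch_page(range_value) -> (content_range_header, body); walks every page."""
    certs, start = [], 0
    while True:
        content_range, body = fetch_page(f"items={start}-{start + page_size - 1}")
        page = body.get("certificates", [])
        certs.extend(page)
        _, last, total = parse_content_range(content_range)
        if not page or last + 1 >= total:
            return certs
        start = last + 1


def sample_page(range_value):
    """Offline stand-in for GET /api/certificates with a Range header."""
    first, last = (int(x) for x in range_value[len("items="):].split("-"))
    page = SAMPLE_CERTIFICATES[first:last + 1]
    return f"items {first}-{first + len(page) - 1}/{len(SAMPLE_CERTIFICATES)}", {"certificates": page}


def san_matches(pattern, host):
    """A wildcard covers exactly one leftmost label, as browsers enforce."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def dns_names(cert):
    """Hostnames from the 'DNS Name=' SAN entries, plus the subject CN as fallback."""
    names = [s.split("=", 1)[1] for s in cert.get("subject_alternative_names", [])
             if s.startswith("DNS Name=")]
    cn = re.search(r"CN=([^,]+)", cert.get("subject", ""))
    return names + ([cn.group(1)] if cn else [])


def audit_certificate(cert, hostname, now, warn_days=30):
    """Findings for one certificate resource; an empty list means it is usable for hostname."""
    findings = []
    valid_from, valid_to = parse_time(cert["valid_from"]), parse_time(cert["valid_to"])
    if now < valid_from:
        findings.append("not yet valid")
    elif now >= valid_to:
        findings.append("expired")
    elif valid_to - now < dt.timedelta(days=warn_days):
        findings.append(f"expires in {(valid_to - now).days} days")
    if cert.get("signature_algorithm", "").lower().startswith(WEAK_SIGNATURE_PREFIXES):
        findings.append(f"weak signature algorithm {cert['signature_algorithm']}")
    purposes = cert.get("intended_purposes") or []
    if purposes and "Server Authentication" not in purposes:
        findings.append("not valid for server authentication")
    key = cert.get("private_key")
    if not key:
        findings.append("no private key, cannot be bound")
    elif str(key.get("exportable")).lower() == "true":
        findings.append("private key is exportable")
    if not any(san_matches(n, hostname) for n in dns_names(cert)):
        findings.append(f"does not cover {hostname}")
    return findings


def audit_store(fetch_page, hostname, now, warn_days=30, page_size=50):
    """{thumbprint: findings} for every certificate the API returns."""
    return {c["thumbprint"]: audit_certificate(c, hostname, now, warn_days)
            for c in fetch_all_certificates(fetch_page, page_size)}


def main():
    now = parse_time("2017-05-01T00:00:00Z")  # fixed so the constructed sample is reproducible
    report = audit_store(sample_page, "www.example.test", now, page_size=1)
    for thumbprint, findings in report.items():
        print(thumbprint, "OK" if not findings else "; ".join(findings))
    return report


if __name__ == "__main__":
    main()
```

Against a live server, replace `sample_page` with a function that issues the GET with the Range header and returns the Content-Range value together with the decoded body; `page_size=1` in `main` only exists to exercise the paging loop on two sample certificates. Note that the resource reports `exportable` as the string "false", so the check compares text rather than a boolean.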

New Certificate List View

The UI at manage.iis.net now has a certificates list view at the web server level. This provides a way to view all the certificates that the API has access to. These are the same certificates that are available when creating web sites with HTTPS bindings.

2 Comments

  • Is there any idea when there will be server farm APIs? Our use case is Application Request Routing with server farms as a reverse proxy, and we want to be able to enable/disable servers from receiving requests using the "make server unavailable gracefully" option through the API.

    Is there a functionality roadmap?

  • @Mark,

    At this point we do not have a hard date on when ARR will be available through the API. I can however say that our next planned features are API endpoints for URL Rewrite and ARR.
