Central Certificate Store

Add to IIS Central Certificate Store

Plugin type Store
Download Built-in
Compatibility All platforms

Description

Designed for the Central Certificate Store introduced in Windows 2012. Creates a separate copy of the .pfx file for each hostname and places it in the path provided. Using this store also causes any IIS bindings that are created or updated to have the CentralSSL flag enabled.

Command line

--store centralssl    Activates the plugin
--centralsslstore     Location of the IIS Central Certificate Store.
--pfxpassword         Password to set for .pfx files exported to the IIS Central Certificate Store.

You may pass the secret in plain text, but can also use a reference to the secret vault like "vault://json/mysecret".

Examples

Typical    --store centralssl [--centralsslstore C:\CentralSSL\] [--pfxpassword *****]
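After a run with the arguments above, an operator usually wants to confirm two things the description promises: that the store path holds one .pfx per hostname that opens with the configured password and actually covers that hostname, and that the https bindings carry the CentralSSL flag. The following PowerShell is an added example, not part of simple-acme or the plugin; the store path is a placeholder for your --centralsslstore value, the password is prompted for, and the IIS WebAdministration module is assumed to be installed. It relies on the IIS convention that a wildcard certificate is stored as _.example.com.pfx, which is not described on this page.

```powershell
# Added example, not part of simple-acme: verify what the centralssl store
# plugin left behind after a run.
# Assumptions: $storePath is a placeholder for your --centralsslstore value,
# the password is the one passed as --pfxpassword, and the WebAdministration
# module (IIS management tools) is installed.
Import-Module WebAdministration

$storePath   = 'C:\CentralSSL\'   # placeholder for your --centralsslstore value
$pfxPassword = Read-Host -Prompt 'PFX password used for the store' -AsSecureString

# 1. Each <hostname>.pfx must open with that password, carry the private key
#    and cover the hostname encoded in its file name. IIS stores a wildcard
#    certificate as "_.example.com.pfx", so "_." is mapped back to "*." first.
function Test-CentralSslFile {
    param([System.IO.FileInfo]$File, [securestring]$Password)
    $expectedName = $File.BaseName -replace '^_\.', '*.'
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $File.FullName, $Password
        $dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        [pscustomobject]@{
            File          = $File.Name
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            CoversHost    = $dnsNames -contains $expectedName
        }
    } catch {
        Write-Warning "Could not open $($File.FullName) with the supplied password: $($_.Exception.Message)"
    }
}

Get-ChildItem -Path $storePath -Filter '*.pfx' |
    ForEach-Object { Test-CentralSslFile -File $_ -Password $pfxPassword } |
    Format-Table -AutoSize

# 2. Every https binding simple-acme created or updated should have the
#    CentralCertStore bit set: sslFlags 1 = SNI, 2 = CentralCertStore, 3 = both.
Get-WebBinding -Protocol https | ForEach-Object {
    [pscustomobject]@{
        Site     = ($_.ItemXPath -replace ".*@name='([^']+)'.*", '$1')
        Binding  = $_.bindingInformation
        SslFlags = $_.sslFlags
        UsesCcs  = (([int]$_.sslFlags) -band 2) -ne 0
    }
} | Format-Table -AutoSize
```

A file that fails to open is the quickest sign that the password in the store and the one configured for the IIS Central Certificate Provider have drifted apart; a binding with UsesCcs false still points at a certificate in the machine store and will not pick up the renewed copy.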

JSON

ID af1f77b6-4e7b-4f96-bba5-c2eeb4d0dd42

Settings

Store.CentralSsl.DefaultPath When using the CentralSsl plugin this path is used by default, saving you the effort of providing it manually. Filling this out makes the --centralsslstore parameter unnecessary in most cases. Renewals created with the default path automatically follow any future change to the default value, which also makes this good practice for maintainability.

Paths should be JSON-encoded, e.g. "C:\\" (note the double backslash).

Type: string
Default: undefined
Store.CentralSsl.DefaultPassword When using the CentralSsl plugin this password is used by default for the .pfx files, saving you the effort of providing it manually. Filling this out makes the --pfxpassword parameter unnecessary in most cases. Renewals created with the default password automatically follow any future change to the default value, which also makes this good practice for maintainability.

You don't have to store a literal password here; you may also place a reference to the secret vault such as "vault://json/mysecret".

Type: string
Default: undefined
Store.CentralSsl.DefaultProtectionMode Determines how the .pfx files will be encrypted.

A .pfx file (also known as a PKCS12 archive) may contain the sensitive private key. As a security measure it can be password protected, but there is more than one algorithm for doing so. RC2-40 is an older method, compatible with all versions of Windows, but generally considered unsafe and for that reason unsupported by OpenSSL 3.x. AES-256 is the current best practice, but it only works on Windows 10+ and Windows Server 2019+. simple-acme provides the following settings, which offer the best combination of compatibility and security:

Value       Meaning
"default"   Use RC2-40 on Windows 8 and Windows Server 2016 or below; use AES-256 on Linux and more recent versions of Windows.
"aes256"    Always use AES-256.
"legacy"    Always use RC2-40.
Empty       Equivalent to "legacy" for backwards compatibility.
Type: string
Default: "default"
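The three settings above live together in settings.json, and the mistakes that bite in practice are a path that is not JSON-escaped, a literal password committed alongside the configuration, and a protection mode left empty (which silently means RC2-40). The following PowerShell is an added example, not simple-acme's own code: it embeds a constructed settings.json fragment and lints the Store.CentralSsl section. The nested "Store" / "CentralSsl" object layout is an assumption derived from the dotted setting names on this page; the vault reference and path are sample values.

```powershell
# Added example, not simple-acme code: lint the Store.CentralSsl section of a
# settings.json before a renewal run. The JSON below is constructed for the
# example; the nested "Store" / "CentralSsl" layout is an assumption based on
# the dotted setting names (Store.CentralSsl.DefaultPath etc.).
$settingsJson = @'
{
  "Store": {
    "CentralSsl": {
      "DefaultPath": "C:\\CentralSSL\\",
      "DefaultPassword": "vault://json/mysecret",
      "DefaultProtectionMode": "aes256"
    }
  }
}
'@

function Test-CentralSslSettings {
    param([Parameter(Mandatory)][string]$Json)
    $findings = New-Object System.Collections.Generic.List[string]
    $ccs = ($Json | ConvertFrom-Json).Store.CentralSsl
    if (-not $ccs) { return @('Store.CentralSsl section missing') }

    # DefaultPath: the "C:\\" in the file decodes to "C:\" here. Without a
    # value, --centralsslstore has to be passed on every run.
    if ([string]::IsNullOrEmpty($ccs.DefaultPath)) {
        $findings.Add('DefaultPath unset: --centralsslstore must be supplied manually')
    } elseif (-not (Test-Path -LiteralPath $ccs.DefaultPath -PathType Container)) {
        $findings.Add("DefaultPath '$($ccs.DefaultPath)' does not exist or is not a directory")
    }

    # DefaultPassword: a vault:// reference keeps the secret out of the config file.
    if ([string]::IsNullOrEmpty($ccs.DefaultPassword)) {
        $findings.Add('DefaultPassword unset: --pfxpassword must be supplied manually')
    } elseif ($ccs.DefaultPassword -notmatch '^vault://') {
        $findings.Add('DefaultPassword is a literal secret; consider a vault:// reference')
    }

    # DefaultProtectionMode: accepted values from the table above; an empty
    # value is treated as "legacy", i.e. RC2-40, which OpenSSL 3.x cannot read.
    $validModes = 'default', 'aes256', 'legacy'
    $mode = [string]$ccs.DefaultProtectionMode
    if ($mode -eq '') {
        $findings.Add('DefaultProtectionMode empty: treated as "legacy" (RC2-40)')
    } elseif ($mode -notin $validModes) {
        $findings.Add("DefaultProtectionMode '$mode' is not one of default/aes256/legacy")
    } elseif ($mode -eq 'legacy') {
        $findings.Add('DefaultProtectionMode "legacy" always uses RC2-40; use "aes256" where Windows 10+/Server 2019+ allows')
    }

    return $findings
}

Test-CentralSslSettings -Json $settingsJson
```

Run it against the real file with `Test-CentralSslSettings -Json (Get-Content -Raw .\settings.json)`; an empty result means the defaults are set, the path exists on this machine and the password is a vault reference rather than a literal.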

Looking for win-acme?

simple-acme is a backwards compatible, drop-in replacement built by the same person. Project history.