Central Certificate Store

Add to IIS Central Certificate Store

Plugin type Store
Download Built-in
Compatibility Windows

Description

Saves certificates to the Windows Certificate store. This will always import to the Computer store. Refer to the User Store plugin if you want to have a certificate in the User store.

Compatibility

For best compatibility with legacy applications, the program attempts to store certificates with RSA keys using the Microsoft RSA SChannel Cryptographic Provider. If you require a more modern approach to key storage, refer to the setting listed below.

Private key export

By default, private keys are not exportable. This can be changed globally via the settings, but generally we recommend not doing this, because 99% of use cases should be manageable by using another (additional) store step. If you’re looking to move the certificate to another server, read more about migration to another server.

Command line

--store centralssl Activates the plugin
--centralsslstore Location of the IIS Central Certificate Store.
--pfxpassword Password to set for .pfx files exported to the IIS Central Certificate Store.

You may pass the secret in plain text, but can also use a reference to the secret vault like "vault://json/mysecret".

Examples

Typical --store centralssl [--certificatestore My] [--keepexisting] [--acl-fullcontrol "network service,administrators"] [--acl-read "myapp"]
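The following PowerShell script is an added example, not part of the simple-acme documentation or code base. It audits the folder that --store centralssl writes .pfx files into (the path given as --centralsslstore), using the same password that was passed as --pfxpassword. IIS reads every file in a Central Certificate Store folder with one shared password and looks up certificates by file name (host.pfx, or _.example.com.pfx for a wildcard), so the script checks that each file opens, covers the host name its file name encodes, still has a private key, and how long it remains valid; it then lists folder ACL entries granted to broad groups. $CcsPath and $PfxPassword are hypothetical values to be replaced with your own.

```powershell
# Added example (not part of the simple-acme documentation).
# Audits an IIS Central Certificate Store folder populated by --store centralssl.
# $CcsPath and $PfxPassword are hypothetical values; replace them with the
# --centralsslstore path and --pfxpassword value used on this server.
$CcsPath     = 'D:\CentralCertStore'
$PfxPassword = 'replace-with-the-pfxpassword-value'

# EphemeralKeySet keeps the private key in memory only; nothing is imported
# into a Windows certificate store while auditing.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet

$report = Get-ChildItem -Path $CcsPath -Filter '*.pfx' | ForEach-Object {
    $file = $_
    # IIS CCS naming: a leading "_." in the file name encodes a wildcard label.
    $expectedHost = if ($file.BaseName -like '_.*') {
        '*' + $file.BaseName.Substring(1)
    } else {
        $file.BaseName
    }
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $file.FullName, $PfxPassword, $flags
        # DnsNameList is the PowerShell type extension that exposes SAN DNS entries.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        [pscustomobject]@{
            File       = $file.Name
            Opens      = $true
            CoversHost = ($names -contains $expectedHost)
            HasKey     = $cert.HasPrivateKey
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Thumbprint = $cert.Thumbprint
        }
    } catch {
        # Wrong password, corrupt file or unsupported key: IIS would fail to load it too.
        [pscustomobject]@{
            File       = $file.Name
            Opens      = $false
            CoversHost = $false
            HasKey     = $false
            DaysLeft   = $null
            Thumbprint = $null
        }
    }
}
$report | Format-Table -AutoSize

# Folder permissions: the .pfx files carry private keys, so grants to broad
# groups are worth reviewing. Only the IIS worker identity and administrators
# normally need access.
(Get-Acl -Path $CcsPath).Access |
    Where-Object { $_.IdentityReference -match 'Everyone|Authenticated Users|\\Users$' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run it in an elevated session on the web server after a renewal; a row with Opens = False usually means the --pfxpassword value differs from the password configured for the Central Certificate Store in IIS, and CoversHost = False means the file name does not match a DNS name in the certificate, which is the lookup IIS performs.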

Settings

Store.CertificateStore.DefaultStore The name of the certificate store to save the certificates in.

Type: string
Default: undefined (certificates will be installed either in the "WebHosting" store, or if that is not available, the "My" store (better known in the Microsoft Management Console as "Personal"))
Store.CertificateStore.PrivateKeyExportable If set to true, private keys stored in the Windows Certificate Store will be marked as exportable, allowing you to transfer them to other computers.

Note that this setting doesn't apply retroactively but only to certificates issued from the moment that setting has changed. For tips about migration please refer to this page.

Type: boolean
Default: false
Store.CertificateStore.UseNextGenerationCryptoApi If set to true, the program will use the Cryptography API: Next Generation (CNG) to handle private keys, instead of the legacy CryptoAPI.

Note that enabling this option may make the certificates unusable or behave differently in subtle ways for software that only supports or assumes the key to exist in CryptoAPI. For example:

  • It will not (fully) work for older versions of Microsoft Exchange (this might only become apparent when installing a service pack)
  • It won't be exportable from the IIS Manager, even if PrivateKeyExportable is true (though it will be exportable from MMC).
  • --acl-read and --acl-fullcontrol might not work

Type: boolean
Default: false
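As an added example (not part of the simple-acme documentation), the PowerShell script below shows how to verify, after a renewal, what the two settings above actually produced in the machine store: whether each RSA private key lives in legacy CryptoAPI (the default, normally under the Microsoft RSA SChannel Cryptographic Provider) or in CNG (Store.CertificateStore.UseNextGenerationCryptoApi = true), and whether it is marked exportable (Store.CertificateStore.PrivateKeyExportable = true). It assumes Windows PowerShell 5.1, whose .NET Framework runtime returns an RSACryptoServiceProvider for CryptoAPI keys and an RSACng for CNG keys, and inspects the "My" and "WebHosting" stores the plugin chooses between.

```powershell
# Added example (not part of the simple-acme documentation).
# Reports the key storage API, provider and exportability of every RSA
# certificate with a private key in the machine stores the plugin uses.
# Assumes an elevated Windows PowerShell 5.1 session (.NET Framework), where
# GetRSAPrivateKey() distinguishes CryptoAPI from CNG keys by return type.
$stores = @('My', 'WebHosting')   # the plugin falls back from WebHosting to My

$report = foreach ($storeName in $stores) {
    $storePath = "Cert:\LocalMachine\$storeName"
    if (-not (Test-Path $storePath)) { continue }

    Get-ChildItem -Path $storePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { return }   # non-RSA key, or key not accessible to this account

        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: what UseNextGenerationCryptoApi = true produces.
            $api        = 'CNG'
            $provider   = $rsa.Key.Provider.Provider
            $exportable = ($rsa.Key.ExportPolicy -band
                           [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CryptoAPI key: the default, kept for legacy-application compatibility.
            $api        = 'CryptoAPI'
            $provider   = $rsa.CspKeyContainerInfo.ProviderName
            $exportable = $rsa.CspKeyContainerInfo.Exportable
        } else {
            $api        = $rsa.GetType().Name
            $provider   = 'unknown'
            $exportable = $null
        }

        [pscustomobject]@{
            Store      = $storeName
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            KeyApi     = $api
            Provider   = $provider
            Exportable = $exportable
            Thumbprint = $cert.Thumbprint
        }
    }
}

$report | Sort-Object Store, NotAfter | Format-Table -AutoSize
```

Because PrivateKeyExportable only affects certificates issued after the setting changed, the Exportable column is the quickest way to see which certificates still carry the old policy; a KeyApi value of CNG on a server running the software named in the list above is the condition under which those compatibility problems appear.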

JSON

ID af1f77b6-4e7b-4f96-bba5-c2eeb4d0dd42


Looking for win-acme?

simple-acme is a backwards compatible, drop-in replacement built by the same person. Project history.