If I want to retrieve a wildcard cert and use that same cert on multiple servers, which is the best way to do this?
I have certificate manager installed on a single machine, and I can request a cert with it successfully. I have a task to copy the cert to a centralized cert store for IIS. However, it seems that if I want the Manager to update my Exchange 2016 instance, the task has to be run on the server itself and not from the machine that I have the manager on?
I’m trying to understand how this all works. This is my first attempt at automating certificate installs. Any advice would be wonderful.
Thanks.
Hi,
Yes, in general the app runs where the certificate is needed (usually on the same machine), so that it can run local commands/PowerShell.
You can achieve remote deployment for scenarios like CCS, SSH etc., but remote PowerShell etc. is a mixed bag and it’s usually easier to have the app on the machine that needs the cert. Sometimes the easiest method is having more than one machine request the cert with the same names on them, if duplicate cert rate limits won’t be a problem.
For the hub though, there are a few different options. You can:
- Just use the hub as an administrative UI for one or more CCM instances
- Use the hub to get the cert, then use it like CCM to do limited remote deployment as you are currently doing.
- Or, you can now use the hub to get the cert, then subscribe to that cert in CCM on the target instance. Certificate Subscriptions | Certify The Web Docs
Personally I think the new certificate subscription model is good for scenarios where you more or less want to centrally manage certs, but individual instances like IIS or Exchange etc. can still subscribe to specific certs and perform their local deployment as normal, as if they were renewing the cert themselves.
So it’s a hybrid model that avoids ordering the same cert multiple times, but also lets individual instances look after their own cert updates. It also means you can use the Maintenance Window feature for certain instances if their renewals are time sensitive (service restarts out of hours etc.).
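For the "run it locally on the Exchange server" step the reply describes, here is an added example of the kind of local deployment script a post-request task can call; it is not code from the thread or from the Certify The Web project. It assumes the cert was exported as a PFX and that the path and password are supplied by the caller (both are placeholders), and that it runs in the Exchange Management Shell.

```powershell
# Added example: install an already-issued PFX into local Exchange 2016 and
# bind it to the chosen services. $PfxPath / $PfxPassword are placeholders
# supplied by whatever task exported the certificate.
param(
    [Parameter(Mandatory)] [string]       $PfxPath,
    [Parameter(Mandatory)] [securestring] $PfxPassword,
    [string[]] $Services = @('IIS', 'SMTP')
)

if (-not (Test-Path -LiteralPath $PfxPath)) {
    throw "PFX not found: $PfxPath"
}

# Import the certificate and private key into the local machine store.
# Keeping the private key non-exportable limits what a compromise of this
# host can leak; set it to $true only if you need to re-export from here.
$cert = Import-ExchangeCertificate `
    -FileData ([System.IO.File]::ReadAllBytes($PfxPath)) `
    -Password $PfxPassword `
    -PrivateKeyExportable $false

# Bind the new certificate to the requested services. -Force suppresses the
# interactive prompt that appears when replacing the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -Services ($Services -join ',') -Force

# Verify which services the new certificate now serves and when it expires,
# so the task output shows the deployment actually took effect.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Select-Object Thumbprint, NotAfter, Services, CertificateDomains
```

Because the subscription model lets each Exchange instance pick up the hub's cert itself, this same script runs unchanged whether the PFX came from a local request or from a subscribed central cert.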
Ok. Thanks for the info. Since I started with manager, can I convert to hub and keep the current cert that has been requested? And then switch to that new cert subscription model?