Certificate manager or hub?

If I want to retrieve a wildcard cert and use that same cert on multiple servers, which is the best way to do this?

I have Certificate Manager installed on a single machine, and I can request a cert with it successfully. I have a task to copy the cert to a centralized cert store for IIS. However, it seems that if I want the Manager to update my Exchange 2016 instance, the task has to be run on the server itself and not from the machine that I have the Manager on?

I’m trying to understand how this all works. This is my first attempt at automating certificate installs. Any advice would be wonderful.

Thanks.

Hi,

Yes in general the app runs where the certificate is needed (usually on the same machine), so that it can run local commands/powershell.

You can achieve remote deployment for scenarios like CCS, SSH etc., but remote PowerShell etc. is a mixed bag and it’s usually easier to have the app on the machine that needs the cert. Sometimes the easiest method is having more than one machine request a cert with the same names on them, if duplicate cert rate limits won’t be a problem.

For the hub though, there’s a few different options. You can:

  • Just use the hub as an administrative UI for one or more CCM instances
  • Use the hub to get the cert, then use it like CCM to do limited remote deployment as you are currently doing.
  • Or, you can now use the hub to get the cert, then subscribe to that cert in CCM on the target instance. Certificate Subscriptions | Certify The Web Docs

Personally I think the new certificate subscription model is good for scenarios where you more or less want to centrally manage certs, but individual instances like IIS or Exchange etc. can still subscribe to specific certs and perform their local deployment as normal, as if they were renewing the cert themselves.

So it’s a hybrid model that avoids ordering the same cert multiple times, but also lets individual instances look after their own cert updates. It also means you can use the Maintenance Window feature for certain instances if their renewals are time sensitive (service restarts out of hours etc.).
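Whichever of the three options you pick, the thing worth checking afterwards is that every server is actually presenting the one certificate the hub ordered, rather than a stale copy or a locally issued duplicate. The script below is an added example, not code from this thread or from the Certify The Web project: it connects to each endpoint over TLS, reads the certificate the server presents (no remote PowerShell needed), and compares its thumbprint with the one shown for the managed certificate on the hub. The thumbprint and host list are placeholders you replace with your own values.

```powershell
# Added example (not from the post or the Certify project): verify that each
# endpoint presents the certificate ordered on the hub and report days to expiry.
# $ExpectedThumbprint and $Targets are placeholders for your own environment.

$ExpectedThumbprint = 'REPLACE-WITH-THUMBPRINT-SHOWN-ON-THE-HUB'
$Targets = @(
    @{ HostName = 'www.example.com';  Port = 443 }   # constructed sample host
    @{ HostName = 'mail.example.com'; Port = 443 }   # constructed sample host
)

function Get-PresentedCertificate {
    param(
        [string]$HostName,
        [int]$Port = 443,
        [string]$Sni = $HostName   # SNI name, matters for IIS/Exchange bindings with multiple certs
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The validation callback accepts any chain on purpose: we only want to read
        # what the server presents; the thumbprint comparison below is the real check.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Sni)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

function Test-CertificateRollout {
    param([hashtable[]]$Targets, [string]$Thumbprint)
    foreach ($t in $Targets) {
        try {
            $cert = Get-PresentedCertificate -HostName $t.HostName -Port $t.Port
            $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
            # OK means this server presents exactly the cert the hub issued;
            # MISMATCH means the subscription or deployment task did not land.
            $status = if ($cert.Thumbprint -eq $Thumbprint) { 'OK' } else { 'MISMATCH' }
            [pscustomobject]@{
                HostName   = $t.HostName
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Expires    = $cert.NotAfter
                DaysLeft   = $daysLeft
                Status     = $status
            }
        }
        catch {
            # Connection or handshake failure: report it rather than stopping the sweep
            [pscustomobject]@{
                HostName = $t.HostName
                Status   = "ERROR: $($_.Exception.Message)"
            }
        }
    }
}

Test-CertificateRollout -Targets $Targets -Thumbprint $ExpectedThumbprint | Format-Table -AutoSize
```

Run it from any machine that can reach the endpoints on 443; a MISMATCH row after a renewal tells you which instance still needs its deployment task looked at, and a low DaysLeft on a matching row tells you the hub itself has not renewed yet.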

Ok. Thanks for the info. Since I started with Manager, can I convert to Hub and keep the current cert that has been requested? And then switch to that new cert subscription model?

Yes, you can upgrade an instance of Certify Certificate Manager to be a hub by uninstalling Certify Certificate Manager, then installing Certify Management Hub. The settings will be upgraded.

From there you can then join other instances of Certify Certificate Manager to the hub for easier management and so you can use certificate subscriptions etc.

When I add a new instance, it is asking me to set up a new ACME account. If I am just trying to use the cert subscription model, does it matter what kind of ACME account that I create? Does it have to match the Hub’s?

Is there any other documentation on this scenario? I’m trying to avoid having to request a different cert for each machine if possible.

Hi,

In our next update we will offer the option to skip this step because no, an ACME account isn’t required for subscription based renewals. Generally if you do add an ACME account it does not need to match the hub’s at all; they are all independent.

Regarding documentation, did you look at the Certificate Subscriptions link, if so what other information are you looking for?

I’m not sure. I don’t know what I don’t know.

I get an error when I try to use a CCM instance connected to my hub machine. If I try to add a cert subscription, and just Test… or Save the initial settings, it crashes with the below error on the CCM instance:

An error occurred: Certify.Client.ServiceCommsException: Internal Service Error: http://127.0.0.2:9696/api/managedcertificates/:
at Certify.Client.CertifyApiClient.FetchAsync(String endpoint, AuthContext authContext) in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Client\CertifyApiClient.cs:line 222
at Certify.Client.CertifyApiClient.GetManagedCertificate(String managedItemId, AuthContext authContext) in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Client\CertifyApiClient.cs:line 552
at Certify.UI.ViewModel.AppViewModel.AddOrUpdateManagedCertificate(ManagedCertificate item) in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.UI.Shared\ViewModel\AppViewModel\AppViewModel.ManagedCertificates.cs:line 229
at Certify.UI.ViewModel.ManagedCertificateViewModel.SaveManagedCertificateChanges() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.UI.Shared\ViewModel\ManagedCertificateViewModel.cs:line 550
at Certify.UI.Controls.ManagedCertificate.ManagedCertificateSettings.ValidateAndSave() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.UI.Shared\Controls\ManagedCertificate\ManagedCertificateSettings.xaml.cs:line 154
at Certify.UI.Controls.ManagedCertificate.ManagedCertificateSettings.Button_Save(Object sender, RoutedEventArgs e) in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.UI.Shared\Controls\ManagedCertificate\ManagedCertificateSettings.xaml.cs:line 169
at System.Threading.Tasks.Task.<>c.b__124_0(Object state)
at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)
at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Object source, Delegate callback, Object args, Int32 numArgs, Delegate catchHandler)
at System.Windows.Threading.DispatcherOperation.InvokeImpl()
at MS.Internal.CulturePreservingExecutionContext.CallbackWrapper(Object obj)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
— End of stack trace from previous location —
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Windows.Threading.DispatcherOperation.Invoke()
at System.Windows.Threading.Dispatcher.ProcessQueue()
at MS.Win32.HwndWrapper.WndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)
at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Object source, Delegate callback, Object args, Int32 numArgs, Delegate catchHandler)
at MS.Win32.HwndSubclass.SubclassWndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam)
at MS.Win32.UnsafeNativeMethods.DispatchMessage(MSG& msg)
at System.Windows.Threading.Dispatcher.PushFrameImpl(DispatcherFrame frame)
at System.Windows.Application.RunDispatcher(Object ignore)
at System.Windows.Application.RunInternal(Window window)
at Certify.UI.App.Main()

Both hub and CCM instance are on the same version, 7.0.18.0.

I feel like I’ve done something wrong, or it’s some setting that I don’t have set. I just feel like I’m missing something.

When you ask about docs, I haven’t seen a start to finish set of instructions that will connect to the hub, set up a subscription cert, and then request it from the hub. If there is, I apologize. I can’t seem to find it. Either that or I’m too dumb to understand what’s currently there. ¯\_(ツ)_/¯

Thanks for sharing the exception details, not seen that before. It appears to be crashing when it tried to refresh the saved managed certificate details. I’d start by trying to get a normal managed certificate on that machine just to verify it’s all working ok. Alternatively try your certificate subscription config from the hub instead of on the desktop app.

Regarding docs, cert subscriptions are pretty new.

Joining the hub from CCM is detailed here: Certify Certificate Manager (Desktop) | Certify The Web Docs

Using a certificate subscription is detailed here: Certificate Subscriptions | Certify The Web Docs

Our next update will have some improvements around cert subscriptions, so we’ll try to reproduce the problem you had as well.

I already have the certificate on the hub. This was my first attempt at using the subscription to get that certificate pulled down to my managed CCM instance. It joined the hub ok, but when I try to click New Cert in CCM and use the subscription process, it crashes with the above exception.

I guess my only solution will be to run a bunch of individual certs on these servers with individual CCM instances. Disappointing. Maybe by the next time I have to renew these certs, the subscription process will work better.

I tried to do the same subscription process on another PC, and it crashed there as well. Does it matter that the hub is on a Win11 VM, and the CCM instances are running on Windows Server 2016/2022?

If it wasn’t clear from my earlier posts, the hub has the managed certificate on it. That part works. I’m just trying to add the settings for the certificate subscription on the CCM that is on the other server. I haven’t even tried to retrieve the cert from the hub yet.

Hi, we were able to reproduce this and a fix will be included in the next update.

In the meantime you should set up the managed certificate for that instance via the hub instead of configuring it in the desktop app on the server. On the hub click Summary to see your existing managed certificates, then click New to start a new managed certificate, select your target CCM instance from the dropdown list, then add the managed certificate subscription as normal.

That appeared to work. It’s showing as warning, but I’m assuming that is because my deployment task failed the first time? Will it show as OK if I get a deployment task to succeed?

Also, by doing it this way, how does the maintenance window setting work? I don’t get an option on the subscription certs to set a maintenance window.

@FurganK, fixing the deployment task doesn’t reset the overall status of the previous renewal run, but our next update will have a number of UI and process refinements related to certificate subscriptions and tasks which will help with that.