Commit 684ccb3

Add docs page for CCS
1 parent a50c652 commit 684ccb3

8 files changed

+1918
-1273
lines changed


docs/certificate-process.md

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -58,7 +58,7 @@ Note that for FTP site bindings you need to select "Single Site" instead.
5858
##### Deployment Tasks and Advanced Usage
5959
In addition to the Auto Deployment options, you can also make use of a variety of pre-built [Deployment Tasks](deployment/tasks_intro.md) for local or remote deployment. You can also use scripting tasks to work with your certificate using your own custom scripting.
6060

61-
Deployment Tasks can be used used for common certificate tasks such as deploying to Microsoft Exchange, updating a certificate in a secrets vault (such as Azure Key Vault), deploying to a CCS share or converting the certificate into different file types.
61+
Deployment Tasks can be used used for common certificate tasks such as deploying to Microsoft Exchange, updating a certificate in a secrets vault (such as Azure Key Vault), deploying to a [CCS share](deployment/tasks/ccs.md) or converting the certificate into different file types.
6262

6363
### 4. Preview
6464
Using the *Preview* tab you can see a detailed summary of how your Managed Certificate is configured and what actions the app will plan to take next, including how the new certificate will be deployed.
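Review bot: the rewritten line 61 still carries the doubled word in "Deployment Tasks can be used used for common certificate tasks"; since the line is being touched to add the CCS link anyway, drop the duplicate so it reads `Deployment Tasks can be used for common certificate tasks such as deploying to Microsoft Exchange, ...`.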

docs/deployment/tasks/ccs.md

Lines changed: 67 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -0,0 +1,67 @@
1+
# Using Centralized Certificate Store (CCS) on Windows
2+
3+
IIS on Windows has a feature called *Centralized Certificate Store* (CCS) which lets IIS load the latest certificates it needs from a local path or network share. This is useful when you need to share certificates across multiple IIS web servers, or if you want to centralize renewals on one server and copy the certs to other servers.
4+
5+
An advantage with this approach is that the IIS binding configurations themselves are not updated, which avoids application recycling/reloads which can happen when the IIS `applicationhost.config` is touched by the Web Administration library which updates IIS certificate bindings.
6+
7+
## Basic Guide to Configuring IIS CCS
8+
9+
### Prerequisites
10+
- A supported version of Windows Server
11+
- IIS 8.0 or later with CCS feature installed
12+
- Network share accessible by all IIS servers as UNC path e.g. `\\server01\certificates\`
13+
- Proper permissions on certificate store location
14+
15+
### Step-by-Step Configuration
16+
17+
1. **Install CCS Feature**
18+
- Use the Windows Server feature administration UI to enable the CCS feature for IIS.
19+
20+
2. **Create Network Share**
21+
- Create a shared folder on a server
22+
- Grant read permissions to IIS application pool identities
23+
- Grant read/write to the machine or account which will be renewing/writing the certificate. When using the machine identity you may prefer to create a security group and add the machine to that group.
24+
25+
3. **Configure CCS via IIS Manager**
26+
- Open IIS Manager
27+
- Select server node
28+
- Double-click "Centralized Certificates"
29+
- Enable feature and specify UNC path
30+
- Provide credentials for accessing the share
31+
32+
Alternatively configure via PowerShell:
33+
```powershell
34+
Set-IISCentralCertProvider -CertStoreLocation "\\server\certificates"
35+
-UserName "domain\user"
36+
-Password "password"
37+
-Enabled $true
38+
```
39+
40+
4. **Certificate Conventions**
41+
- Certificates must be named using the FQDN (e.g., `www.example.com.pfx`). The Certify *Deploy to CCS* task will take care of naming the files correctly.
42+
- Private key password should be consistent across certificates. To set a certificate password in Certify use *Certificate > Advanced > Signing & Security > Password*. The password takes effect when you next renew the certificate and the certificate PFX file is rebuilt.
43+
44+
5. **Configure the Managed Certificate to export to the CCS store location**
45+
46+
- On your existing managed certificate:
47+
- Set a PFX password under Certificate > Advanced > Signing & Security > Password.
48+
- Set *Deployment Mode* on the *Deployment* tab to *No Deployment* or *Store Only*. This is to avoid attempting to update the IIS bindings outside of CCS.
49+
- Under *Tasks > Deployment Tasks*, add a *Deploy to CCS task*, configure the output share path. The task will decide the output filename naming scheme depending on the domains etc.
50+
- Run your renewal to generate your new PFX and export it to your share path. If all credentials were correct you will find the PFX file has been exported to the share path ready for use.
51+
52+
6. **Binding Configuration**
53+
- When creating HTTPS bindings in IIS, select "Use Centralized Certificate Store" and specify the Hostname. As normal you should avoid specifying IP address bindings and instead use "All Unassigned" and enable SNI.
54+
- If you have previously been using directly updated HTTPS bindings edit or recreate the HTTPS binding in IIS. In Certify, set Deployment Mode to *No Deployment* or *Store Only*, otherwise it will try to update the IIS binding.
55+
56+
### Security Considerations
57+
- Use a dedicated service account with minimal required permissions to access the share.
58+
- Implement proper network security for certificate store access
59+
60+
### Known Issues
61+
- If the IIS UI cannot read the private key of a certificate the UI will show an exclamation mark, however this is normal as IIS itself should still be able to access the key, unless the PFX password is mismatched.
62+
63+
### Troubleshooting
64+
- Verify network connectivity to certificate store
65+
- Check event logs for CCS-related errors
66+
- Validate service account permissions
67+
- Confirm certificate naming matches hostname in bindings
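Review bot: the PowerShell block at lines 33-38 does not run as written: the `Set-IISCentralCertProvider -CertStoreLocation "\\server\certificates"` call is split over four lines with no backtick continuation, so PowerShell parses `-UserName "domain\user"`, `-Password "password"` and `-Enabled $true` as three separate statements and errors on each. Either put the call on one line or end each continued line with a backtick, e.g. `Set-IISCentralCertProvider -CertStoreLocation "\\server\certificates" `` followed by `    -UserName "domain\user" -Password "password" `` and `    -Enabled $true`. While fixing that, confirm `Set-IISCentralCertProvider` actually accepts `-Enabled`; in the `IISAdministration` module the feature is turned on with `Enable-IISCentralCertProvider`, which also takes `-PrivateKeyPassword`. That points at a gap in step 3: "Provide credentials for accessing the share" never says where the private key password is set, yet step 4 requires that password to be consistent across certificates and the Known Issues entry attributes UI exclamation marks to a mismatched PFX password. The IIS Manager dialog and the cmdlets both take the private key password separately from the share credentials, so step 3 should name it. Finally, the literal `"password"` in the snippet should be marked as a placeholder (or read from `Read-Host -AsSecureString`) so it is not copied into scripts, and the Security Considerations bullet on the dedicated service account should state that read-only share access is enough for the IIS side, matching what step 2 already says for application pool identities.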

docs/deployment/tasks_intro.md

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -38,7 +38,7 @@ Built-in deployment task types, each with UI to configure the task parameters et
3838
| [Deploy to Apache Tomcat](./tasks/tomcat.md) | Export the certificate as a pkcs12 key store for use with Apache Tomcat application server. |
3939
| [Deploy to Azure App Service](./tasks/azure-app-service.md) | Note that setting a PFX password (Certificate> Advanced > Signing & Security) is required for this deployment. |
4040
| Deploy to Azure Key Vault| Export the certificate to your choice of Azure Key Vault for use with other Azure services or sharing with other systems. Supports service variations such as Azure Cloud, Azure US Government, Azure China etc. |
41-
| Deploy to Centralized Certificate Store (CCS)| Copies to a chosen UNC share using the credentials you provide, automatically naming the files as required by IIS for each domain. You then configure the IIS CCS feature to pick up certs from the share. |
41+
| [Deploy to Centralized Certificate Store (CCS)](./tasks/ccs.md)| Copies to a chosen UNC share using the credentials you provide, automatically naming the files as required by IIS for each domain. You then configure the IIS CCS feature to pick up certs from the share. |
4242
| Deploy to Doppler| Deploys the chosen certificate components to the Doppler secrets storage service. |
4343
| [Deploy to Microsoft Exchange](./tasks/exchange.md)| Export the certificate to a local MS Exchange services and apply it to an optional list of services (IMAP, SMTP, IIS, POP etc). |
4444
| Deploy to Hashicorp Vault| Export the certificate to your Vault instance, with optional namespaces. |

docs/features/index.md

Lines changed: 5 additions & 5 deletions
Original file line number | Diff line number | Diff line change
@@ -14,7 +14,7 @@ This is a overview of all the major features available across the **Certify The
1414
These fundamental certificate management capabilities are available across all products:
1515

1616
- **Automated ACME Certificate Renewals** - Automatic renewal with zero-config failure notifications
17-
- **Multi-CA Support** - Support for Let's Encrypt, Google Trust Services, ZeroSSL, Actalis, and enterprise CAs
17+
- **Multi-CA Support** - Support for Let's Encrypt, Google Trust Services, ZeroSSL, Actalis, Custom and enterprise CAs
1818
- **Certificate Authority Fallback** - Optional automatic fallback to alternative CAs if the primary fails
1919
- **Wildcard Certificate Support** - Full support for wildcard domains (`*.example.com`)
2020
- **IP Certificates** - Certificate covering IPv4 or IPv6 addresses
@@ -53,16 +53,16 @@ Comprehensive deployment options for various platforms and services:
5353

5454
**Web Servers & Load Balancers:**
5555
- IIS (Auto-deployment with binding management)
56-
- Apache HTTP Server (PEM format export)
57-
- nginx (PEM format export)
58-
- Apache Tomcat (PKCS#12 keystore)
56+
- [Apache HTTP Server (PEM format export)](../guides//apache-nginx.md)
57+
- [nginx (PEM format export)](../guides/apache-nginx.md)
58+
- [Apache Tomcat (PKCS#12 keystore)](../deployment/tasks/tomcat.md)
5959

6060
**Microsoft Services:**
6161
- Microsoft Exchange (IMAP, SMTP, IIS, POP services)
6262
- Active Directory Federation Services (ADFS)
6363
- Remote Desktop Services (RDP Gateway, RDP Listener)
6464
- Routing and Remote Access Service (RAS)
65-
- IIS Centralized Certificate Store (CCS)
65+
- [IIS Centralized Certificate Store (CCS)](../deployment/tasks/ccs.md)
6666

6767
**Cloud & Container Platforms:**
6868
- Azure App Service
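Review bot: the new Apache link at line 56 has a doubled slash, `../guides//apache-nginx.md`, while the nginx entry directly below it uses `../guides/apache-nginx.md`; some link checkers and static-site generators treat the two as different paths, so normalise it to `[Apache HTTP Server (PEM format export)](../guides/apache-nginx.md)`.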

docs/guides/architecture/load-balanced-hosting.md

Lines changed: 1 addition & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -35,6 +35,7 @@ Centralized Certificate Store (CCS) is a feature you can enable in Windows to al
3535

3636
This requires that you manage your own https bindings in IIS (configured for CCS) as the standard built-in https deployment in *Certify Certificate Manager* does not configure CCS enabled https bindings for you (and you should use a deployment mode of "Certificate Store Only" or "No Deployment" as "Auto" would instead try to setup the https bindings for you).
3737

38+
There is also a general guide to [using CCS with Certify Certificate Manager](../../deployment//tasks/ccs.md) on Windows.
3839

3940
These recommendations assume you are simply load balancing your DNS name across multiple web servers (virtual machines etc).
4041

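Review bot: the added link at line 38 has the same doubled slash as the features page, `../../deployment//tasks/ccs.md`; the other links to the new page in this commit use a single slash, so change it to `[using CCS with Certify Certificate Manager](../../deployment/tasks/ccs.md)` so the relative path resolves the same way everywhere.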
docs/hub/installation/index.md

Lines changed: 2 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -31,6 +31,8 @@ The latest release notes for the app can be found at https://certifytheweb.com/h
3131

3232
## System Requirements
3333

34+
If you require deployment of Certificates from the hub to Windows hosts (Services, shares etc) then you should host the Hub on Windows. This will enable windows specific networking features which are generally unavailable on Linux.
35+
3436
You can self-host on Windows, macOS or Linux, or you can use your own choice of container environment (Docker, Kubernetes, Red Hat/IBM OpenShift etc).
3537

3638
The product internally uses .NET 9.0 or higher (self contained, you do not need to install .net) and specific supported operating systems are detailed here: https://github.com/dotnet/core/blob/main/release-notes/9.0/supported-os.md
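Review bot: the new sentence at line 34 leaves "windows specific networking features" unexplained, which is exactly the detail an operator choosing a host OS needs; since the deployment tasks added in this same commit depend on UNC shares and Windows services accessed with Windows credentials, say that explicitly, e.g. `such as authenticating to UNC shares and Windows services with domain credentials`. Also fix the casing: "Windows-specific" and "certificates" (no capital mid-sentence), matching the surrounding paragraphs.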
