Setting up Web Server SSL Certificates to Renew Automatically

Setting up Web Server SSL Certificates to Renew Automatically

  • Comments 2
  • Likes

Amer Kamal offers a solution to a long-standing request for auto-renewing IIS web server certificates, over on the Windows PKI (ADCS) blog!

The problem:

Working with Internet Information Services (IIS) certificates can be a bit challenging especially during renewal time. Most organizations do not track Web SSL certificates which in turn might expire and cause an unplanned outage. Those who track this information on the other hand, have to make sure certificate are renewed before their expiration period or find ways to notify the application owners of their certification expiration beforehand.

And the solution, available as a certificate template property as of Windows Server 2008 R2:

The Certificate Template’s design includes a new option Use subject information from existing certificates for autorenewal requests. This option allows the certificate to renew automatically, including any information in the Subject Name, or any additional information in Subject Alternate Names fields.

I haven’t tried this yet, but it could be a real boon for organizations using an internal ADCS PKI for their web server certificates.

More at the PKI Blog: Renew Web Server (SSL) Certificates Automatically


Posted by Tristan Kington, MSPFE Editor, IIS Noodler, and PKI Dilettante.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • We tested this on Windows Server 2008 R2. The auto-renewal process works great with or without Subject Alternative Names. However, SSL bindings on IIS sites are removed when the certificate is auto-renewed. If there are no options to keep the IIS bindings when the certs are auto-renewed, I'd rather have a script that renews the certs and re-applies the bindings as needed.

  • http://www.iis.net/learn/get-started/whats-new-in-iis-85/certificate-rebind-in-iis85