Certificates expire; this is just a simple fact of life. Most often, I find that companies purchase SSL certificates on a short-term basis, usually for only one year. This means that every year, each certificate needs to be renewed. However, downloading a new copy of the certificate and installing it onto your web server is not enough to make it continue working. Simply putting the new certificate into place on the server does not mean that IIS is going to start using the new one to secure traffic on your website. Even if you delete the old certificate, nothing has been done inside IIS to tell it that this new certificate that suddenly appeared is the one it should start using as the binding for your site. So we have always had to make this additional change manually: every time you replace a certificate, you also go into IIS and change the binding on the website. This seems particularly painful when you have the certificate renewal automated through something such as Autoenrollment. You may mistakenly think that you are covered in the future and no longer have to do anything to renew your certificates because they will be renewed at the server level automatically. But alas, this is not true; up until now we have still always had to go into IIS and change the binding by hand. Fear not, the future is here…
The IIS team has made a simple but powerful change to help with this problem in the new version of IIS that ships with Windows Server 2016. In fact, this function was available in Server 2012 R2 in its first iteration, but I still haven't seen anybody use it in the field, so for most folks, this is going to be brand new. This new feature, called Certificate Rebind, when enabled causes IIS to automatically recognize a new certificate installation and to automatically rebind the appropriate website to use the new copy of the certificate instead of the expiring one. Let's take a look at the interface so that you know how to turn this option on and off. We will also take a little look under the hood so that you can understand how this functionality works.
This work will be accomplished on our Windows Server 2016 web server. We have IIS installed and have an HTTPS website running with an SSL certificate already bound to the site.
Follow these steps to enable Certificate Rebind on your IIS web server:
Taskschd.msc. This is the Windows Task Scheduler.
Certificate Rebind is a really simple action to enable inside IIS, but it can make all the difference between a good and a bad day at the office. When enabled, this feature builds a scheduled task inside Windows that triggers the commands to bind our IIS website to its new certificate. This task is triggered by an event that is logged in Windows when our new certificate is installed or renewed. With Certificate Rebind enabled and the configuration of your certificate distribution set to happen automatically through Autoenrollment, you can now have a truly automated certificate renewal system inside your network!
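Because the rebind now happens silently in a scheduled task, it is worth confirming that it actually fired after a renewal. The following PowerShell check is an added example, not part of this text; it assumes the task is registered as IIS-AutoCertRebind under \Microsoft\Windows\CertificateServicesClient and that the WebAdministration module is available. It reports any HTTPS binding still pointing at an older certificate and, with -Fix, performs the same rebind the task would.

```powershell
# Added example: audit (and optionally repair) IIS HTTPS bindings after certificate renewal.
# Assumed task path/name; confirm it in Taskschd.msc on your own server.
Import-Module WebAdministration

function Get-HttpsBindingReport {
    param([switch]$Fix)

    # Is the Certificate Rebind task present? (name/path are an assumption)
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' `
                              -TaskName 'IIS-AutoCertRebind' -ErrorAction SilentlyContinue
    if ($task) { Write-Host "Certificate Rebind task found, state: $($task.State)" }
    else       { Write-Warning "Certificate Rebind task not found; enable it in IIS Manager > Server Certificates" }

    # Only certificates with a private key can serve TLS
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

    foreach ($site in Get-Website) {
        foreach ($b in (Get-WebBinding -Name $site.Name -Protocol https)) {
            $bound = $certs | Where-Object { $_.Thumbprint -eq $b.certificateHash }
            if (-not $bound) {
                [pscustomobject]@{ Site = $site.Name; Binding = $b.bindingInformation
                                   Status = 'bound certificate missing from store'
                                   BoundExpires = $null; NewestThumbprint = $null }
                continue
            }
            # Newest certificate with the same subject: the renewed copy Autoenrollment dropped in
            $newest = $certs | Where-Object { $_.Subject -eq $bound.Subject } |
                      Sort-Object NotAfter -Descending | Select-Object -First 1
            $status = 'current'
            if ($newest.Thumbprint -ne $bound.Thumbprint) {
                $status = 'STALE: newer certificate available'
                if ($Fix) {
                    # Same operation the scheduled task performs: point the binding at the new cert
                    $b.AddSslCertificate($newest.Thumbprint, 'my')
                    $status = 'REBOUND to newest certificate'
                }
            }
            [pscustomobject]@{ Site = $site.Name; Binding = $b.bindingInformation
                               Status = $status; BoundExpires = $bound.NotAfter
                               NewestThumbprint = $newest.Thumbprint }
        }
    }
}

# Run read-only first; add -Fix only once the report looks right
Get-HttpsBindingReport | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the web server; a STALE row after a renewal means the event did not trigger the task and the binding still needs attention.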