Windows Server 2016 – Rebinding your renewed certificates automatically

Certificates expire; this is just a simple fact of life. Most often, I find that companies purchase SSL certificates on a short-term basis, usually for only one year, so every year each certificate needs to be renewed. However, downloading a new copy of the certificate and installing it onto your web server is not enough to keep the site working. Simply putting the new certificate into the server's certificate store does not make IIS start using it to serve HTTPS on your website: the site binding still points at the old certificate by its thumbprint. Even if you delete the old certificate, nothing inside IIS has been told that this new certificate that suddenly appeared is the one it should start using as the binding for your site. So we have always had to make this additional change manually. Every time you replace a certificate, you also go into IIS and change the binding on the website.

This is particularly painful when you have the certificate renewal automated through something such as Autoenrollment. You may mistakenly think that you are covered in the future and no longer have to do anything to renew your certificates, because they will be renewed at the server level automatically. But alas, this is not true; up until now we have still always had to go into IIS and change the binding by hand. Fear not, the future is here…

The IIS team has made a simple but powerful change to address this problem in the version of IIS that ships with Windows Server 2016. In fact, this function first appeared in Server 2012 R2, but I still haven't seen anybody use it in the field, so for most folks this is going to be brand new. The feature is called Certificate Rebind. When it is enabled, IIS recognizes that a certificate has been renewed and automatically rebinds the appropriate website to the new copy of the certificate instead of the expiring one. Let's take a look at the interface so that you know how to turn this option on and off. We will also take a little look under the hood so that you can understand how this functionality works.

Getting ready

This work will be accomplished on our Windows Server 2016 web server. We have IIS installed and have an HTTPS website running with an SSL certificate already bound to the site.

How to do it…

Follow these steps to enable Certificate Rebind on your IIS web server:

  1. Open Internet Information Services (IIS) Manager from inside the Tools menu of Server Manager.
  2. In the left-hand window pane, click on the name of your web server.
  3. Double-click on the Server Certificates applet.
  4. In the right-hand window pane, click on the action called Enable Automatic Rebind of Renewed Certificate.
  5. That's it! IIS has now been configured so that it will recognize the installation of a renewed certificate, and will rebind your website automatically to make use of the new certificate. Now let's take a little look at how this process actually works.
  6. Use either Command Prompt or the Start screen to launch Taskschd.msc. This is the Windows Task Scheduler.
  7. In the left-hand pane, navigate to Task Scheduler Library | Microsoft | Windows | CertificateServicesClient.
  8. You can see a scheduled task listed here that is called IIS-AutoCertRebind. This is the magic of Certificate Rebind. When a certificate gets renewed on your Server 2016 system, an event is logged. This scheduled task is triggered by that event and uses the information in it about the old and new certificates to rebind the websites onto the new certificate.
  9. If you head back into IIS and click on the action for Disable Automatic Rebind of Renewed Certificate, you will notice that our scheduled task disappears from the list.

How it works…

Certificate Rebind is a really simple action to enable inside IIS, but it can make all the difference to whether you have a good or bad day at the office. When enabled, this feature builds a scheduled task inside Windows that runs the command to bind our IIS website to its new certificate. The task has no time-based schedule; it is triggered by an event that Windows logs when our certificate is renewed, and that event carries the thumbprints of the old and new certificates, so only the bindings that used the old certificate are touched. Because IIS Manager creates the task when you enable the feature and deletes it when you disable it, the presence of the IIS-AutoCertRebind task is the quickest way to audit whether a given web server is covered. After your first automated renewal, check the task's History tab in Task Scheduler and the site's binding in IIS to confirm that the rebind actually ran before you trust it unattended. With Certificate Rebind enabled and the configuration of your certificate distribution set to happen automatically through Autoenrollment, you can now have a truly automated certificate renewal system inside your network!
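The following PowerShell script is an added example, not code from the original post. It turns the two manual checks above (is the IIS-AutoCertRebind task present, and is each HTTPS site still bound to the right certificate?) into something you can run on every web server, and it exports the task definition so you can read its trigger and action yourself. It assumes an elevated session on a Windows Server 2016 IIS host with the WebAdministration module (installed with IIS) and certificates in LocalMachine\My; site names and thumbprints come from whatever the server has. The `-Fix` switch and the `STALE` label are my own conventions; the `appcmd renew binding` verb it runs is the one the task's own Action invokes, which the script prints so you can confirm that on your server before using it.

```powershell
<#
  Added example, not code from the original post.
  Audits Certificate Rebind on an IIS host:
    1. checks whether the IIS-AutoCertRebind scheduled task exists and shows its trigger and action
    2. finds HTTPS bindings whose certificate is older than a newer certificate with the same subject
       in the machine store (a renewal that landed without a rebind)
    3. with -Fix, rebinds them using the same appcmd verb the task itself runs
  Assumes: elevated PowerShell on the web server, WebAdministration module present,
  certificates in LocalMachine\My (certificateStoreName on the binding is honoured if set).
#>
[CmdletBinding()]
param([switch]$Fix)

Import-Module WebAdministration -ErrorAction Stop

# --- 1. Feature state. IIS Manager's Enable/Disable action creates or deletes this task,
#        so its presence is the authoritative "is Certificate Rebind on?" check.
$taskPath = '\Microsoft\Windows\CertificateServicesClient\'
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName 'IIS-AutoCertRebind' -ErrorAction SilentlyContinue
if ($null -eq $task) {
    Write-Warning "Certificate Rebind is OFF: task $($taskPath)IIS-AutoCertRebind does not exist."
} else {
    $info = Get-ScheduledTaskInfo -InputObject $task
    Write-Host "Certificate Rebind is ON (task state: $($task.State); last run $($info.LastRunTime), result $($info.LastTaskResult))"
    # Export the definition so the event subscription that fires it and the command it runs are visible.
    [xml]$def = Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath
    Write-Host "  Trigger : $($def.Task.Triggers.EventTrigger.Subscription)"
    Write-Host "  Action  : $($def.Task.Actions.Exec.Command) $($def.Task.Actions.Exec.Arguments)"
}

# --- 2. Binding audit. Autoenrollment keeps the subject, so a newer valid certificate with the
#        same subject that IIS is NOT bound to is exactly the "renewed but never rebound" case.
$stale = @()
foreach ($site in Get-Website) {
    foreach ($b in @(Get-WebBinding -Name $site.Name -Protocol https)) {
        if (-not $b.certificateHash) { continue }     # https binding with no certificate attached
        $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
        $bound = Get-Item "Cert:\LocalMachine\$store\$($b.certificateHash)" -ErrorAction SilentlyContinue
        if (-not $bound) {
            Write-Warning "$($site.Name) [$($b.bindingInformation)] is bound to $($b.certificateHash), which is not in LocalMachine\$store"
            continue
        }
        $newest = Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -eq $bound.Subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
        $status = if ($newest -and $newest.Thumbprint -ne $bound.Thumbprint) { 'STALE' } else { 'ok' }
        Write-Host ("{0,-5} {1} [{2}] bound={3} expires {4:yyyy-MM-dd}" -f $status, $site.Name, $b.bindingInformation, $bound.Thumbprint, $bound.NotAfter)
        if ($status -eq 'STALE') {
            $stale += [pscustomobject]@{ Site = $site.Name; Old = $bound.Thumbprint; New = $newest.Thumbprint }
        }
    }
}

# --- 3. Rebind. "appcmd renew binding" is the verb the IIS-AutoCertRebind task invokes (compare with
#        the Action printed above): it swaps the certificate on every binding that uses the old hash.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
foreach ($s in $stale) {
    $cmdline = "renew binding /oldcert:$($s.Old) /newcert:$($s.New)"
    if ($Fix) {
        Write-Host "Rebinding $($s.Site): appcmd $cmdline"
        & $appcmd renew binding "/oldcert:$($s.Old)" "/newcert:$($s.New)"
    } else {
        Write-Host "Would run for $($s.Site) (add -Fix to apply): appcmd $cmdline"
    }
}
```

Run it without `-Fix` first: the Trigger line shows you which event log channel and event ID the task subscribes to, and the STALE lines show any site that has already drifted. Running it after a renewal with the task enabled should report every site as `ok`; if a site is STALE while the task exists, look at the task's History tab, because the rebind did not fire.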
