IIS 8.5 – Certificate Rebind

Heya! It has been a while, but the sun is out so I thought I’d share a gem of a find!

One of the longest running logistical headaches with certificates has been renewing them, and subsequently binding them in IIS. Client certificates aren’t a problem; a wee sprinkle of Group Policy, and all your certificates just automagically renew. However, when you throw server authentication coupled with Subject Alternative Names into the mix, you lose the truly luxurious option of automatic renewal.

This equally applies if you’re running Extended Validation enabled certificates, and have to manually apply things like the Common Name, OU, Organisation and Country.

Yes – you can tick certain boxes on the certificate templates to reuse subject information, although this does increase “risk”.

Reusing subject information by ticking the box.

…but this is only half of the job. As far as IIS is concerned, there is now nothing bound to the website, and everything falls over. The net result is that you still have to remind yourself to bind the certificate, although you don’t have to renew it or re-enter all the identifying information. Cold comfort!

What was needed, and has been asked for, was the capacity for automagically renewed certificates to be automatically rebound. Well, with IIS 8.5, you can 🙂

Hop into IIS, and click on your server name in the top left. On the right hand side, look at the IIS section, and select Server Certificates:

Server Certificates – new in IIS 8.5.

Double-click the icon and you’ll have a list of all your available certificates (which naturally have server authentication). Select the desired certificate and then click on Enable Automatic Rebind of Renewed Certificate.

Finally… they listened.

Just don’t forget to follow these three steps:

  1. GPO, local or otherwise, to enable automatic renewal of certificates (I’ve previously blogged on this!).
  2. Set the option within the certificate template to automatically resupply the information – redistribute the template if necessary.
  3. Go into IIS, select the certificate and enable automatic rebind.
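As an added verification script (not from the original post), the following PowerShell checks steps 1 and 3 on the web server and flags the failure mode described above: a renewed certificate sitting in the store while the binding still points at the old thumbprint. It assumes the WebAdministration module is installed and that the rebind task’s action runs appcmd “renew binding”; the task name itself is not assumed, and step 2 is noted as living on the CA template.

```powershell
#Requires -RunAsAdministrator
Import-Module WebAdministration

# Step 1: auto-enrolment policy pushed by the GPO. AEPolicy is a bitmask; 7 means
# "renew expired", "update pending" and "remove revoked" are all enabled.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -ErrorAction SilentlyContinue).AEPolicy
if ($aePolicy -eq 7) { "Step 1 OK: AEPolicy = 7" }
else { "Step 1 CHECK: AEPolicy is '$aePolicy' (7 expected); automatic renewal may be off" }

# Step 2 lives on the CA's certificate template and cannot be verified from the
# web server; confirm "reuse subject information" is ticked there.

# Step 3: enabling automatic rebind makes IIS register a scheduled task whose
# action runs appcmd "renew binding"; match on the action rather than a task name.
$rebindTasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -match 'appcmd' -and $_.Arguments -match 'renew\s+binding' }
}
if ($rebindTasks) {
    foreach ($t in $rebindTasks) { "Step 3 OK: rebind task '$($t.TaskName)' state $($t.State)" }
} else { "Step 3 CHECK: no scheduled task running 'appcmd renew binding' was found" }

# The failure mode from the post: a certificate renewed in the store while IIS still
# points at the old thumbprint. Flag any HTTPS binding whose certificate has a newer
# sibling (same subject, Server Authentication EKU) in LocalMachine\My.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$store = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid }
foreach ($b in (Get-WebBinding -Protocol https)) {
    $bound = $store | Where-Object { $_.Thumbprint -eq $b.certificateHash }
    if (-not $bound) {
        "BINDING $($b.bindingInformation): thumbprint '$($b.certificateHash)' not found in My store"
        continue
    }
    $newer = $store | Where-Object { $_.Subject -eq $bound.Subject -and $_.NotAfter -gt $bound.NotAfter }
    if ($newer) {
        "BINDING $($b.bindingInformation): bound cert expires $($bound.NotAfter.ToShortDateString()) " +
        "but newer cert(s) exist: $($newer.Thumbprint -join ', ') - rebind has not happened"
    } else {
        "BINDING $($b.bindingInformation): OK, cert $($bound.Thumbprint) expires $($bound.NotAfter.ToShortDateString())"
    }
}
```

Run it from an elevated PowerShell on the IIS server; any “CHECK” or “rebind has not happened” line points at the step that still needs attention.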

It’s all very simple, and detailed by Microsoft here and in a good TechNet blog here.

For more information on renewing web certificates automatically, there is a great TechNet article here.

Thanks for reading o/
