Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Replacing expiring wildcard certificate on 300 servers

Posted on 2016-08-07
4
Medium Priority
?
49 Views
Last Modified: 2016-08-26
We need to replace the expiring wildcard certificate on 300 Windows servers. Ranging from 2003 to 2012r2. Most of the servers are a member of the root domain. The others are workgroup DMZ servers. I have some scripts that allow me to copy the pfx file then install it not the store but I have not found a way to add the new certificate to existing iis bindings remotely. I don't want to have to re create the bindings since they are many sites and bindings on most servers and some use non standard ports. We do not use certificate services but we could implement if this would help. What are my options here to make this an easier process than touching 300 servers?
0
Comment
Question by:caseman22
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 37

Assisted Solution

by:Jian An Lim
Jian An Lim earned 1000 total points (awarded by participants)
ID: 41746471
there is no easy way to do so.
IIS6 require manual intervention.
IIS7 onwards can use powershell (if you enable remote powershell)

However, if you execute remotely on IIS, you really need to know a lot on how you configure your IIS. it might call something not 'default' then the script will not work.
https://technet.microsoft.com/en-us/magazine/dn198619.aspx

This is really an environment issue and you need to multiple pass to get it right.
0
 
LVL 65

Accepted Solution

by:
btan earned 1000 total points (awarded by participants)
ID: 41746720
The IIS binding has to be done and I am thinking power shell script for remote IIS binding deployment. Catch this sample and it can be tweak further for remote machine

But I do recommend testing on staging environment first. The IIS WebAdministration Powershell snap-in is for IIS 7.0 in the example though it should be applicable for higher IIS version. It needs PS 2.0 and above too

https://weblog.west-wind.com/posts/2016/Jun/23/Use-Powershell-to-bind-SSL-Certificates-to-an-IIS-Host-Header-Site

More information on
- IIS WebAdministration Powershell snap-in
http://m.windowsitpro.com/article/windows-powershell/microsoft-internet-information-services-iis-powershell-144224

- How to Install PowerShell on Windows Server 2003 and Enable Remote PowerShell Management
https://blogs.technet.microsoft.com/danstolts/2011/03/how-to-install-powershell-on-windows-server-2003-and-enable-remote-powershell-managementall-servers-should-have-this-done/
1
 
LVL 65

Expert Comment

by:btan
ID: 41764975
You can also check out certificate rebind in IIS 8.5 (not applicable for older version) to streamline the manual process

http://www.iis.net/learn/get-started/whats-new-in-iis-85/certificate-rebind-in-iis85
0
 
LVL 65

Expert Comment

by:btan
ID: 41771437
Rebinding is required as shared by experts as it is a new certificate issued.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question