• Status: Solved

Replacing expiring wildcard certificate on 300 servers

We need to replace the expiring wildcard certificate on 300 Windows servers, ranging from 2003 to 2012 R2. Most of the servers are members of the root domain. The others are workgroup DMZ servers. I have some scripts that allow me to copy the PFX file and then install it into the store, but I have not found a way to add the new certificate to existing IIS bindings remotely. I don't want to have to recreate the bindings, since there are many sites and bindings on most servers and some use non-standard ports. We do not use certificate services, but we could implement it if this would help. What are my options here to make this an easier process than touching 300 servers?

Asked: caseman22
2 Solutions
 
Jian An Lim Commented:
There is no easy way to do so.
IIS 6 requires manual intervention.
IIS 7 onwards can use PowerShell (if you enable remote PowerShell).

However, if you execute remotely on IIS, you really need to know a lot about how you configured your IIS. Something might not be called 'default', and then the script will not work.
https://technet.microsoft.com/en-us/magazine/dn198619.aspx

This is really an environment issue and you need multiple passes to get it right.
0
 
btan, Exec Consultant, Commented:
The IIS binding has to be done, and I am thinking of a PowerShell script for remote IIS binding deployment. Catch this sample; it can be tweaked further for a remote machine.

But I do recommend testing on a staging environment first. The IIS WebAdministration PowerShell snap-in in the example is for IIS 7.0, though it should be applicable to higher IIS versions. It needs PS 2.0 and above too.

https://weblog.west-wind.com/posts/2016/Jun/23/Use-Powershell-to-bind-SSL-Certificates-to-an-IIS-Host-Header-Site

More information on:
- IIS WebAdministration PowerShell snap-in
http://m.windowsitpro.com/article/windows-powershell/microsoft-internet-information-services-iis-powershell-144224

- How to Install PowerShell on Windows Server 2003 and Enable Remote PowerShell Management
https://blogs.technet.microsoft.com/danstolts/2011/03/how-to-install-powershell-on-windows-server-2003-and-enable-remote-powershell-managementall-servers-should-have-this-done/
1
 
btan, Exec Consultant, Commented:
You can also check out certificate rebind in IIS 8.5 (not applicable to older versions) to streamline the manual process.

http://www.iis.net/learn/get-started/whats-new-in-iis-85/certificate-rebind-in-iis85
0
 
btan, Exec Consultant, Commented:
Rebinding is required, as shared by the experts, because a new certificate has been issued.
0
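
An added example, not part of any post in this thread: one way to swap the certificate on existing HTTPS bindings over PowerShell remoting without recreating them, so sites, host headers and non-standard ports stay as they are. It assumes IIS 7.5 or later with the WebAdministration module, remoting enabled, and the new certificate already installed in LocalMachine\My by the existing PFX scripts; the thumbprints and `servers.txt` are placeholders.

```powershell
# Added example: the values below are placeholders, not values from the thread.
$OldThumbprint = '<OLD-CERT-THUMBPRINT>'
$NewThumbprint = '<NEW-CERT-THUMBPRINT>'
$Servers       = Get-Content '.\servers.txt'   # hypothetical list, one host name per line

$swap = {
    param($Old, $New, [bool]$Apply)
    Import-Module WebAdministration

    # Refuse to touch any binding unless the new certificate is present with its private key.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $New }
    if (-not $cert -or -not $cert.HasPrivateKey) {
        throw "New certificate with private key not found in LocalMachine\My on $env:COMPUTERNAME"
    }

    # Only bindings currently using the old certificate are changed; everything else is left alone.
    foreach ($b in Get-WebBinding -Protocol https) {
        if ($b.certificateHash -ne $Old) { continue }
        if ($Apply) {
            $store = $b.certificateStoreName
            if (-not $store) { $store = 'My' }
            $b.RemoveSslCertificate()            # drop the old certificate from this IP:port
            $b.AddSslCertificate($New, $store)   # attach the new one to the same binding
        }
        # Emit one record per affected binding for the change log.
        New-Object PSObject -Property @{
            Server  = $env:COMPUTERNAME
            Binding = $b.bindingInformation
            Changed = $Apply
        }
    }
}

# Dry run ($false) lists the bindings that would change; re-run with $true to apply.
Invoke-Command -ComputerName $Servers -ScriptBlock $swap `
    -ArgumentList $OldThumbprint, $NewThumbprint, $false |
    Select-Object Server, Binding, Changed
```

The dry-run output doubles as an inventory of where the expiring certificate is still bound. Between the remove and add calls the endpoint briefly has no certificate, so apply it in a maintenance window.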
