Safe way to update SSL bindingsRSS

1 reply

Last post Mar 08, 2019 04:25 AM by lextm

  • Safe way to update SSL bindings

    Mar 07, 2019 10:19 PM|antigenx|LINK

    I have to update the certificates on a number of servers and I'm looking for a way to script the process.

    I found this guide but I'm not too keen on the whole delete/re-create approach to solving this problem.

    My main concern is updating both IIS and non-IIS bindings. 

    Get-ChildItem IIS:\SslBindings seems to list all bindings, even the service related ones.

    This seems to work to update the certificate on the binding objects (for IIS bindings at least):

    Get-ChildItem IIS:\SslBindings | Where-Object -Property Thumbprint -eq $oldCert | ForEach-Object -Process { Set-ItemProperty -Path $_.PSPath -Name Thumbprint -Value $newCert }

    The servers have bindings for both IIS sites, and non-IIS sites (ie, services that listen on non-standard ports and have our certificate bound to them) and I need to update both types. Historically, we've updated the non-IIS bindings through netsh, with a similar delete/recreate model, and I'm really hoping to do away with that in favour of updating existing bindings instead.

    I'm worried that there is a downside to this approach that I have not considered, any thoughts or advice on best practice is very welcome.

  • Re: Safe way to update SSL bindings

    Mar 08, 2019 04:25 AM|lextm|LINK

    `netsh` applies to all (IIS or non-IIS), so why cannot you simply use that? "IIS:\SslBindings" should be avoided whenever you can use IISAdministration, 

    Lex Li
    IIS Consulting Services at
    This posting is provided "AS IS" with no warranties, and confers no rights.