Renew Web Server (SSL) Certificates Automatically

Working with Internet Information Services (IIS) certificates can be challenging, especially at renewal time. Most organizations do not track their web SSL certificates, which can then expire and cause an unplanned outage. Those who do track this information have to make sure certificates are renewed before they expire, or find a way to notify the application owners of the upcoming certificate expiration.

Windows Server 2008 R2 and Windows Server 2012 address this issue through autoenrollment and certificate templates. The certificate template design includes a new option, Use subject information from existing certificates for autoenrollment renewal requests. This option allows the certificate to renew automatically, carrying over any information in the Subject Name field and any additional information in the Subject Alternative Name field. The option is available for client certificates installed on computers running Windows 7 or Windows Server 2008 R2 and later.

The Use subject information from existing certificates for autoenrollment renewal requests option causes the certificate enrollment client to read subject name and subject alternative name information from an existing computer certificate based on the same certificate template when creating renewal requests, either automatically or through the Certificates snap-in. This applies to computer certificates that are expired, revoked, or within their renewal period.

Autoenrollment Group Policy must be enabled for this feature to work. The feature also applies to certificates issued before it was enabled: because the scope of enrollment in a Microsoft PKI is the template, an administrator can change the original template's settings to include Use subject information from existing certificates for autoenrollment renewal requests after a certificate has already been issued. With Autoenrollment Group Policy and this option in place, the certificate will renew in the future without any administrative intervention once it enters the renewal period specified by the template – typically the last 20% or less of the certificate's validity period.
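The post describes how the renewed certificate lands in the machine store, but not what happens to the IIS binding; as several commenters note below, the renewed certificate has a new thumbprint and the HTTPS binding still points at the old one. The following PowerShell script is an added example, not code from the original post or from Microsoft. It assumes IIS 7.5 or later with the WebAdministration module, that it runs elevated on the web server, and that the server certificate was issued from an AD CS template that autoenrollment renews into LocalMachine\My. It walks every HTTPS binding, flags certificates that are expired or inside the renewal window the post describes (the last 20% of validity by default), looks for the renewed certificate with the same subject and template, and only re-points the binding when run with -Apply. The function names, the -Apply switch and the 0.20 default are this example's own choices.

```powershell
# Added example (not from the original post or from Microsoft).
# Assumes: IIS 7.5+ with the WebAdministration module, run elevated on the web server,
# server certificate issued from an AD CS template that autoenrollment renews.
Import-Module WebAdministration

function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # V2 templates carry "Certificate Template Information" (1.3.6.1.4.1.311.21.7);
    # V1 templates carry "Certificate Template Name" (1.3.6.1.4.1.311.20.2).
    foreach ($oid in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2') {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) { return $ext.Format($false) }
    }
    return $null
}

function Test-InRenewalWindow {
    # Renewal window as described in the post: the last 20% (default) of the validity period.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [double]$Fraction = 0.20)
    $validity   = $Cert.NotAfter - $Cert.NotBefore
    $renewStart = $Cert.NotAfter.AddTicks(-[long]($validity.Ticks * $Fraction))
    return (Get-Date) -ge $renewStart
}

function Find-RenewedCertificate {
    # The renewed certificate keeps the subject (that is what the template option guarantees)
    # and the template, has a private key, and is valid later than the one currently bound.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$OldCert)
    $template = Get-CertTemplateName $OldCert
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.Thumbprint -ne $OldCert.Thumbprint -and
            $_.HasPrivateKey -and
            $_.Subject -eq $OldCert.Subject -and
            (Get-CertTemplateName $_) -eq $template -and
            $_.NotAfter -gt $OldCert.NotAfter -and
            $_.NotBefore -le (Get-Date)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Update-IisSslBindings {
    # Report-only unless -Apply is given, so it can be scheduled and reviewed before it changes anything.
    param([switch]$Apply, [double]$RenewalFraction = 0.20)
    foreach ($binding in Get-WebBinding -Protocol https) {
        $thumb = $binding.certificateHash
        $info  = $binding.bindingInformation
        if (-not $thumb) { Write-Warning "$info has no certificate bound"; continue }

        $current = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
        if (-not $current) { Write-Warning "$info is bound to $thumb, which is not in LocalMachine\My"; continue }

        $expired = $current.NotAfter -lt (Get-Date)
        if (-not $expired -and -not (Test-InRenewalWindow $current $RenewalFraction)) {
            Write-Output "$info OK until $($current.NotAfter) ($thumb)"
            continue
        }

        $new = Find-RenewedCertificate $current
        if (-not $new) {
            # Autoenrollment has not delivered a replacement yet: this is the case to alert on.
            Write-Warning "$info certificate $thumb expires $($current.NotAfter) and no renewed certificate is present"
            continue
        }

        if ($Apply) {
            # AddSslCertificate updates the HTTP.sys SSL binding for this endpoint in place.
            $binding.AddSslCertificate($new.Thumbprint, 'my')
            Write-Output "$info rebound: $thumb -> $($new.Thumbprint) (valid to $($new.NotAfter))"
        } else {
            Write-Output "$info would rebind: $thumb -> $($new.Thumbprint); rerun with -Apply"
        }
    }
}

Update-IisSslBindings            # report only
# Update-IisSslBindings -Apply   # perform the rebinding
```

Run it from a scheduled task, either on a daily schedule or triggered by the CertificateServicesClient-Lifecycle-System operational log that one commenter mentions below, and keep the default report-only mode until the output has been checked on one server. Re-pointing a binding replaces the SSL endpoint, so existing TLS sessions on that binding are dropped (another point raised in the comments); on a web farm each node holds its own private key and is rebound independently, so stagger the task across nodes.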

Amer F Kamal

Senior Premier Field Engineer


Comments (17)
  1. Just to close the loop on this line of inquiry, the auto-rebind feature is available in Server 2012 R2 as documented in a newer post –

    1. Dominic says:

      But no option for Server 2008 R2 / IIS 7.5 – only 2012 R2?

  2. Anonymous says:

    Amer Kamal offers a solution to a long-standing request for auto-renewing IIS web server certificates

  3. The Original Wolfman says:

Yes, I concur the process is flawed. It does successfully renew the certificate, but as the digital fingerprint of the cert is renewed, this has to be manually bound to the website it's used on using the IIS management console. Has anyone got any bright ideas that might automate that final step?

  4. Lutz Hipper says:

    Hi Amer,

Thank you for your post, but how does IIS pick up the new certificate for use? The other thing I want to mention is that when you assign a new certificate to the website, existing sessions will be disconnected and users might have to re-authenticate, depending on your hosting scenario. And with auto-enrollment you can't define a maintenance window or predict that the certificate renewal happens within a certain time window.

    How do you solve issues with certificate renewal in a web server farm using auto-enrollment?

Maybe you can expand your blog post to address those questions.



  5. Bill Stites says:

    Hello Ricardo,

    I see your comment but no link to Amer's solution to Lutz's question. Can you repost?



  6. Cyrus H says:

Although the certificate can be renewed automatically, the unplanned downtime will still exist. Don't forget your IIS will not offer an “auto re-binding correct certificate” feature. After the certificate expires, you will see a 501 error.

  7. Anonymous says:

    Hello All, This is Wes Hammond with Premier Field Engineering back with follow up to a previous blog

  8. R A Maurya says:

    server renew

  9. Amir says:

How do I open this option? I don't know; please help if anyone is there.

  10. Andre Frogner says:

Will this work with the CEP/CES service as well? Or will it only work when the server has an RPC connection to the CA?

  11. Danny . says:

The auto rebind can also be performed via automation engines like Orchestrator. Almost everything can be administratively executed using PowerShell. With the scripts on hand, you can copy and paste them into Orchestrator to automate the task post-trigger. The trigger would come from a monitoring system looking for the 20% expiring-certificate notice in the event logs (event: CertificateServicesClient-Lifecycle-System and CertificateServicesClient-Lifecycle-User). Once these events are detected, Orchestrator would receive a notice to start the binding process once AD CS has completed the certificate renewal.

    1. Alfonso says:

      Does the auto-renewal based on existing Cert “require” that the Autoenroll permission on CertTemplate is set as well?

  12. albersan says:

    It works perfectly! Thank you very much. Great article!

  13. tuom says:

    So how do I configure the Access Control Entries (securely) if I want to use this feature?

    If I initially manually enroll a certificate like this for a server (as a user that has been delegated permissions) with the correct Subject / SANs configured, can I allow, say, Domain Computers -> Autoenroll on the template, and they will only be able to renew existing certificates and not enroll arbitrary new ones?

    So the combination of “Supply in the request” + “Autoenroll” for a computer account will not allow the computer account to request NEW certificates with arbitrary Subjects/SANs? That would be massively insecure, especially if you’re not using issuance requirements.

    If so, that is kind of confusing, you would think there would be a “Renew existing” ACE for this.

  14. Kris says:

    Does this auto renewal work with CES/CEP?
    If the certificate template is set up for CA manager approval, does the renewal bypass that? Or does it also require approval?
    Is there an exit module component that will give notice that certificates have been requested for renewal?
    Also, what is the general best practice for web farms? I am assuming it is to just have each node in the farm have its own private key with the same SANs so that each certificate can be renewed independently, but hoped to confirm that.

Comments are closed.
