Automated SSL certificate renewal for IIS

IIS won't update a renewed certificate on its own. CertKit will.

IIS binds to a specific certificate thumbprint in the Windows Certificate Store. When a certificate renews, the thumbprint changes, but IIS keeps serving the old one until someone manually imports the new PFX and updates every affected binding. Every 47 days. On every server in your fleet.

CertKit centralizes certificate issuance and renewal, then pushes updated certificates to your IIS servers automatically via the CertKit Agent.

How it works

 Your IIS server          CertKit                 ACME CA
┌───────────────────┐     ┌──────────────────┐    ┌─────────────┐
│                   │     │                  │    │             │
│     ┌───────────────┐   │  Issue & Renew   │◄──►│             │
│     │ CertKit Agent │◄──┤   Certificates   │    │             │
│     └─────────┬─┬───┘   │                ┌───┐  └─────────────┘
│               │ │ │     └───────────┬────│DNS│
│ Cert store  ◄─┘ │ │                 │    └───┘
│ [x] Updated     │ │                 │
│                 │ │                 │
│ IIS binding ◄───┘ │ ◄───────────────┘
│ [x] Updated       │       Verify
└───────────────────┘

CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. Your IIS servers do not run ACME, open no inbound ports, and hold no DNS credentials. They just run the agent.

CertKit is an invaluable tool for administrators managing public TLS certificates in Microsoft environments like Always On VPN (SSTP) and DirectAccess (IP-HTTPS), as it simplifies and fully automates Let's Encrypt certificate issuance and renewal. CertKit eliminates the security risks and complexities of manual DNS challenges or API key exposure.

Richard Hicks, Consultant and Microsoft MVP

IIS deployment script

# IIS — SSL/TLS Certificate Binding Update
#
# Updates the IIS HTTPS binding to use a renewed certificate.
# The CertKit Agent imports the renewed PFX into the Windows
# Certificate Store before this script runs, so this script
# only needs to bind the new thumbprint to the configured site.
#
# Injected variables (set by CertKit Agent):
#   $site       - Name of the IIS site to update
#   $port       - HTTPS port to bind (e.g. 443)
#   $thumbprint - SHA1 thumbprint of the renewed certificate
#
# Prerequisites:
#   - PowerShell 5.1+ (Windows Server 2012 R2+)
#   - IIS WebAdministration module
#   - Service account with permission to modify IIS bindings

The complete deployment script ships in your CertKit account.

The CertKit Agent writes the PFX to disk and runs the deployment script automatically. Between them, the agent and the script import the certificate into the Windows Certificate Store, update the IIS site binding to the new thumbprint, and remove the old certificate.
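The rebind step that the script header above describes, written out as an added PowerShell example; this is not CertKit's shipped script. It assumes the agent has already imported the renewed PFX into LocalMachine\My and injected $site, $port and $thumbprint, and it uses the WebAdministration module's binding objects to swap the certificate in place.

```powershell
# Added example, not CertKit's shipped script. Assumes the CertKit Agent
# has already imported the renewed PFX into LocalMachine\My and injected
# $site, $port and $thumbprint before this runs.
Import-Module WebAdministration -ErrorAction Stop

if (-not $thumbprint) { throw 'No thumbprint was injected; refusing to touch the binding' }
# Normalise the thumbprint: strip spaces and hidden characters that come
# along when a thumbprint is copied out of the MMC certificate dialog.
$thumbprint = ($thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# 1. Refuse to rebind unless the renewed certificate is present, carries a
#    private key and is inside its validity window.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction SilentlyContinue
if (-not $cert)               { throw "Certificate $thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key" }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate $thumbprint is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# 2. Collect every HTTPS binding on the site/port (there may be several
#    with different host headers); create one if none exists yet.
$bindings = @(Get-WebBinding -Name $site -Protocol https -Port $port)
if ($bindings.Count -eq 0) {
    New-WebBinding -Name $site -Protocol https -Port $port -IPAddress '*' | Out-Null
    $bindings = @(Get-WebBinding -Name $site -Protocol https -Port $port)
}

# 3. Rebind each one, skipping those already on the new thumbprint so the
#    script is safe to re-run after a partial failure.
foreach ($b in $bindings) {
    $old = [string]$b.certificateHash
    if ($old -eq $thumbprint) {
        Write-Output "$($b.bindingInformation) already bound to $thumbprint"
        continue
    }
    # AddSslCertificate swaps the certificate on the binding in place;
    # 'my' is the LocalMachine personal store the agent imported into.
    $b.AddSslCertificate($thumbprint, 'my')
    Write-Output "$($b.bindingInformation): $old -> $thumbprint"
}

# 4. Verify from a fresh read that nothing still points at the old cert.
$stale = @(Get-WebBinding -Name $site -Protocol https -Port $port |
           Where-Object { [string]$_.certificateHash -ne $thumbprint })
if ($stale.Count -gt 0) {
    throw "Rebind incomplete for '$site':$port - $($stale.bindingInformation -join ', ')"
}
```

Removal of the previous certificate is deliberately left out here: delete it only after the verification step passes and after confirming no other site or service on the host still references that thumbprint.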

The pre-built IIS template ships with your CertKit account. Configure the site name once. CertKit handles every renewal after that.

What CertKit handles

Setup takes about ten minutes

  1. Connect your domain. Add a one-time CNAME record to delegate DNS validation to CertKit. Every renewal challenge after that is automatic.
  2. Install the CertKit Agent. One command on your IIS server. The agent runs as a Windows service and needs no inbound firewall rules.
  3. Add the IIS deployment script. The pre-built template is in your account. Set your site name and save. CertKit runs it on every renewal.

Why not MMC or certreq?

The standard IIS renewal workflow involves exporting a CSR from IIS Manager, submitting it to a CA, importing the signed certificate, and updating each site binding by hand. That process works once. Run it manually on a fleet of servers every 47 days and it becomes a source of outages.

certreq and Windows ACME Simple (WACS) both run per-server, which means ACME credentials or HTTP-01 validation on every machine. In private networks and hardened environments that isn't an option. When multiple IIS instances share a certificate, there is no standard distribution mechanism. The common answer is a shared folder, which is a dependency that fails silently.

CertKit uses delegated DNS validation handled centrally, so no server needs port 80 open or ACME credentials on disk. It issues once and the agent handles distribution. There is no per-server ACME configuration to manage and no shared folder to maintain.

IIS is just one part of your Windows stack

Most Windows environments have more than one place where certificates live: Exchange, RDS, AD FS, SQL Server, and Palo Alto appliances. CertKit automates all of it from one account.

Start automating IIS certificates today

Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.
