Built for Reporting Services
The pre-built SSRS deployment template ships in your CertKit account. No scripting required.
A report server holds SSL certificate bindings for two applications, the Web Service and the Web Portal, both registered against one certificate thumbprint through HTTP.SYS. When the certificate renews, the thumbprint changes but the bindings don't, so SSRS keeps serving the old certificate until someone rebinds both applications and restarts the service. Every 47 days. On every report server you run.
CertKit centralizes certificate issuance and renewal, then pushes the renewed certificate to your report servers via the CertKit Agent, rebinds the Web Service and Web Portal through the ReportServer WMI provider, and restarts the service.
The pre-built SSRS deployment template ships in your CertKit account. No scripting required.
The CertKit Agent imports the renewed PFX, snapshots every SSL binding on the HTTPS port through the ReportServer WMI provider, removes them, recreates each one against the new thumbprint, and restarts the service. No Report Server Configuration Manager clicking, no missed Web Portal binding, no report links that suddenly warn about an expired certificate.
The same template covers SSRS 2016 and later and Power BI Report Server. Set the instance name once. CertKit handles every renewal after that.
The manual process, if you want to do it yourself:
Every one of these steps is manual, and Reporting Services won't repeat any of them for you when the certificate renews. With lifetimes shrinking to 47 days, installation stops being an annual chore and becomes a recurring task: eight times a year, on every report server. Miss one and every dashboard, subscription, and embedded report link starts throwing certificate warnings.
At 47 days, automation is the only sustainable way to run SSRS certificates. Here's how CertKit does it.
Your report server CertKit ACME CA ┌───────────────────┐ ┌──────────────────┐ ┌─────────────┐ │ │ │ │ │ │ │ ┌───────────────┐ │ Issue & Renew │◄──►│ │ │ │ CertKit Agent │◄──┤ Certificates │ │ │ │ └─────────┬─┬───┘ │ ┌───┐ └─────────────┘ │ │ │ │ └───────────┬────│DNS│ │ Cert store ◄─┘ │ │ │ └───┘ │ [x] Updated │ │ │ │ │ │ │ │ SSRS bindings ◄─┘ │ ◄───────────────┘ │ [x] Rebound │ Verify └───────────────────┘
CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. Your report servers never run an ACME client and never hold DNS credentials. The agent imports the certificate and rebinds Reporting Services through the WMI provider locally.
CertKit is an invaluable tool for administrators managing public TLS certificates in Microsoft environments like Always On VPN (SSTP) and DirectAccess (IP-HTTPS), as it simplifies and fully automates Let's Encrypt certificate issuance and renewal. CertKit eliminates the security risks and complexities of manual DNS challenges or API key exposure.
Richard Hicks, Consultant and Microsoft MVP
Reporting Services doesn't serve whatever certificate is in the store. Its bindings are HTTP.SYS reservations registered per application against a specific thumbprint, and two applications share the same port. A renewed certificate sits in the store unused while both bindings point at the old thumbprint, and a half-updated pair leaves a stale reservation that blocks the next change with a binding error.
Scripting around it is its own project. The ReportServer WMI namespace is versioned per release, a property name in the binding list changed between versions, the thumbprint must be lowercase with no separators, and the service name differs across SSRS generations and Power BI Report Server. We built and tested the deployment against all of it so you don't have to. CertKit issues the certificate via delegated DNS validation, then the agent handles the import, the rebind of both applications, and the restart as one verified step, with no ACME client on the server.
Most Windows environments have more than one place where certificates live: SQL Server itself, IIS, Exchange, Network Policy Server, and RRAS. CertKit automates all of it from one account.
Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.