← Integrations

Automated SSL certificate renewal for SQL Server Reporting Services (SSRS)

SSRS pins its HTTPS bindings to a certificate thumbprint. CertKit keeps them current.

A report server holds SSL certificate bindings for two applications, the Web Service and the Web Portal, both registered against one certificate thumbprint through HTTP.SYS. When the certificate renews, the thumbprint changes but the bindings don't, so SSRS keeps serving the old certificate until someone rebinds both applications and restarts the service. Every 47 days. On every report server you run.

CertKit centralizes certificate issuance and renewal, then pushes the renewed certificate to your report servers via the CertKit Agent, rebinds the Web Service and Web Portal through the ReportServer WMI provider, and restarts the service.

Start free trial Watch demo

Built for Reporting Services

The pre-built SSRS deployment template ships in your CertKit account. No scripting required.

The CertKit Agent imports the renewed PFX, snapshots every SSL binding on the HTTPS port through the ReportServer WMI provider, removes them, recreates each one against the new thumbprint, and restarts the service. No Report Server Configuration Manager clicking, no missed Web Portal binding, no report links that suddenly warn about an expired certificate.

The same template covers SSRS 2016 and later and Power BI Report Server. Set the instance name once. CertKit handles every renewal after that.

How to install an SSL certificate on SSRS

The manual process, if you want to do it yourself:

  1. Get a certificate for the report server's hostname. The name users type to reach the Web Portal. A wildcard certificate works.
  2. Import the PFX into the computer store. Local Machine → Personal, with the private key. Land it anywhere else and the certificate won't show in the Configuration Manager dropdown at all.
  3. Rebind the Web Service URL. In Report Server Configuration Manager, open Web Service URL and select the new certificate on the HTTPS binding.
  4. Rebind the Web Portal URL too. The portal holds its own binding on the same port. Change one and not the other and the leftover reservation is where "create certificate binding" errors come from.
  5. Restart and verify. Restart the Report Server service, browse the portal, and confirm the new certificate. Then remove the old one and repeat on every SSRS and Power BI Report Server instance.

Every one of these steps is manual, and Reporting Services won't repeat any of them for you when the certificate renews. With lifetimes shrinking to 47 days, installation stops being an annual chore and becomes a recurring task: eight times a year, on every report server. Miss one and every dashboard, subscription, and embedded report link starts throwing certificate warnings.

At 47 days, automation is the only sustainable way to run SSRS certificates. Here's how CertKit does it.

How it works

 Your report server        CertKit                 ACME CA
┌───────────────────┐     ┌──────────────────┐    ┌─────────────┐
│                   │     │                  │    │             │
│     ┌───────────────┐   │  Issue & Renew   │◄──►│             │
│     │ CertKit Agent │◄──┤   Certificates   │    │             │
│     └─────────┬─┬───┘   │                ┌───┐  └─────────────┘
│               │ │ │     └───────────┬────│DNS│
│ Cert store  ◄─┘ │ │                 │    └───┘
│ [x] Updated     │ │                 │
│                 │ │                 │
│ SSRS bindings ◄─┘ │ ◄───────────────┘
│ [x] Rebound       │       Verify
└───────────────────┘

CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. Your report servers never run an ACME client and never hold DNS credentials. The agent imports the certificate and rebinds Reporting Services through the WMI provider locally.

CertKit is an invaluable tool for administrators managing public TLS certificates in Microsoft environments like Always On VPN (SSTP) and DirectAccess (IP-HTTPS), as it simplifies and fully automates Let's Encrypt certificate issuance and renewal. CertKit eliminates the security risks and complexities of manual DNS challenges or API key exposure.

Richard Hicks, Consultant and Microsoft MVP

What CertKit handles

Setup takes about ten minutes

  1. Connect your domain. Add a one-time CNAME record to delegate DNS validation to CertKit. Every renewal challenge after that is automatic.
  2. Configure HTTPS once in Report Server Configuration Manager. Bind your current certificate to the Web Service and Web Portal URLs. CertKit keeps those bindings renewed from then on.
  3. Install the CertKit Agent on the report server. One command on the Windows Server running Reporting Services. The agent runs as a Windows service and needs no inbound firewall rules.
  4. Add the SSRS deployment script. The pre-built template is in your account. Set the instance name (SSRS, MSSQLSERVER, or PBIRS) and the HTTPS port. CertKit runs it on every renewal.

See the full architecture →

Why importing the certificate isn't enough

Reporting Services doesn't serve whatever certificate is in the store. Its bindings are HTTP.SYS reservations registered per application against a specific thumbprint, and two applications share the same port. A renewed certificate sits in the store unused while both bindings point at the old thumbprint, and a half-updated pair leaves a stale reservation that blocks the next change with a binding error.

Scripting around it is its own project. The ReportServer WMI namespace is versioned per release, a property name in the binding list changed between versions, the thumbprint must be lowercase with no separators, and the service name differs across SSRS generations and Power BI Report Server. We built and tested the deployment against all of it so you don't have to. CertKit issues the certificate via delegated DNS validation, then the agent handles the import, the rebind of both applications, and the restart as one verified step, with no ACME client on the server.

SSRS is just one part of your Windows stack

Most Windows environments have more than one place where certificates live: SQL Server itself, IIS, Exchange, Network Policy Server, and RRAS. CertKit automates all of it from one account.

See all integrations

Start automating SSRS certificates today

Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.

Start free trial See pricing