I have a cert set up to renew automatically. I know the date of expiration, but the app that runs on the server relies on the thumbprint, so I need to know exactly when it is going to pull the cert and replace it for renewal. Is there somewhere in the JSON settings that I can manually input an exact time? Also, can the settings JSON be adjusted after the original cert was generated to have an exportable cert replace it? Or would that require an entire new cert to just be generated by the admin instead of a renewal?
Well, that is a lot of questions
We moved your post to the Help section. Had you posted here first, you would have been shown the form below. The answers to your questions will very much depend on your answers.
==================================================
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
This user has a prior thread saying they're using win-acme, for whatever that's worth.
That seems odd and backwards. If you give more details on this "app" and what exactly you're trying to do with it, people might be able to give you better advice.
Probably not, and it wouldn't help you as much as you think it would. I think all there is are the Scheduled Task settings. Generally, you want your renewals to be at a random time so as to spread out the load on the CA's server (as well as your own). And you want your system to check regularly to see if a certificate needs to be renewed; sometimes a CA messes something up and needs to revoke and have you ask for a replacement earlier than one might expect.
I think you might be looking for the CertificateStore.PrivateKeyExportable setting, but you're getting well beyond my Windows server knowledge.
In general, if you have actions that you need to take when a new certificate is issued, you want to set up a custom script that executes to install the new certificate and configure whatever is needed for your setup. That way, it'll just run whenever a new certificate is needed, and you won't need to worry about the exact timing.
Cert renewal is a two step process:
- get/renew your certificate
- deploy your certificate to whatever uses it.
For the deploy step it depends largely on the app which will use the certificate as to how it should be applied.
For apps that are well-integrated into Windows the convention is to use the thumbprint of the cert (on Windows that's a SHA1 hash of the current cert) that has previously been saved to the machine certificate store. For some other app types you need paths to actual certificate files (either as component files or a PFX archive).
For win-acme, deployments to IIS are automated (the bindings get updated automatically), but for other services you can script the update with PowerShell etc., like this one for Exchange: https://www.win-acme.com/manual/advanced-use/examples/exchange.
How and where you update the thumbprint value varies by app, but some simple ones are just updating the port binding using netsh http. Certify The Web (which I work on) for instance has a built-in deployment task (amongst many) called "Update Port Binding" which does that without additional scripting; you can achieve much the same with win-acme/simple-acme using your own script. Some apps require config or registry updates; it just depends on the app/service you are targeting.
Older apps that pre-date Let's Encrypt assume you will update the bindings manually once per year, and they can be trickier to automate.
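As an added illustration of the "deploy step" described in this reply and of the custom-script approach suggested a couple of posts up, here is a post-renewal PowerShell script. It is example code, not part of this thread, win-acme, or Certify The Web. It assumes the ACME client invokes it after renewal and passes the new thumbprint as -Thumbprint (win-acme's script installation plugin can pass the thumbprint; check its docs for the exact placeholder), that the app listens on HTTP.sys with a netsh http sslcert binding, and that it reads the thumbprint from a registry value; the app GUID, port, service name and registry path below are placeholders to replace.

```powershell
param(
    # New certificate thumbprint, as passed by the ACME client after renewal
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]
    [string]$Thumbprint,
    # HTTP.sys binding to update (placeholder port)
    [string]$IpPort = '0.0.0.0:8443',
    # Application GUID used when the binding was first created (placeholder)
    [string]$AppId = '{00000000-0000-0000-0000-000000000000}',
    # Registry location where the app stores its thumbprint (hypothetical path)
    [string]$RegistryPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp',
    [string]$RegistryValue = 'CertThumbprint',
    # Service to bounce so it reloads the certificate (placeholder name)
    [string]$ServiceName = 'ExampleAppService'
)

$ErrorActionPreference = 'Stop'
$Thumbprint = $Thumbprint.ToUpper()

# 1. Check that the renewed cert really is in the machine store, unexpired,
#    and has a private key, before touching any binding.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint is already expired" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# 2. Record the currently bound thumbprint so the change is logged and reversible.
$shown = & netsh http show sslcert ipport=$IpPort 2>$null
$oldThumb = ($shown | Select-String -Pattern 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } | Select-Object -First 1)
Write-Output "$(Get-Date -Format o) $IpPort old=$oldThumb new=$Thumbprint"

if ($oldThumb -eq $Thumbprint) {
    Write-Output 'Binding already uses the new certificate; nothing to do.'
    return
}

# 3. netsh has no "update" verb for sslcert: delete the old binding, add the new one.
#    This is the brief window in which the port has no certificate.
if ($oldThumb) { & netsh http delete sslcert ipport=$IpPort | Out-Null }
& netsh http add sslcert ipport=$IpPort certhash=$Thumbprint appid=$AppId certstorename=MY | Out-Null
if ($LASTEXITCODE -ne 0) {
    # Roll back to the previous certificate rather than leave the port unbound.
    if ($oldThumb) {
        & netsh http add sslcert ipport=$IpPort certhash=$oldThumb appid=$AppId certstorename=MY | Out-Null
    }
    throw "netsh add sslcert failed with exit code $LASTEXITCODE; previous binding restored"
}

# 4. Apps that keep the thumbprint in the registry need that value updated too.
if (Test-Path $RegistryPath) {
    Set-ItemProperty -Path $RegistryPath -Name $RegistryValue -Value $Thumbprint
}

# 5. Restart the dependent service so it picks up the new certificate.
if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
    Restart-Service -Name $ServiceName
}
```

Because the script is triggered by the renewal itself, the exact time the scheduled task fires stops mattering: the binding and the app's stored thumbprint change together, in the same run. Run it once by hand against the current thumbprint first to confirm the binding, registry path and service name are right for your environment.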
I used the winacme.sh and didn't choose the automatic bindings when I generated the cert, since we didn't know how it would react in our environment. It generated a date that it would renew, but not a time. I need to know if I can configure a time manually or if I should generate a new cert manually instead, since we cannot have too much downtime from the switchover (the thumbprint is bound in IIS and the SQL DB attached; not my doing, poor app coding).