What is easiest way to automate cert renewal?

Windows Server 2012 R2
IIS 8.5

I recently updated our website to SSL (yay!) but I did it manually using the instructions on https://zerossl.com/usage.html and created batch files to do the work. Used OpenSSL 1.1.0e 16 Feb 2017 to generate keys and also to convert cert to the Microsoft-required pkcs12 format. Then I imported the cert into the cert store and bound it to the public website. Success!

Now after a manual renewal where I basically did the same thing as above, but deleted the old cert from the store, I want to automate the process. What would be the easiest way for me to do this? I could use Windows Task Scheduler to run the batch files, but I don’t know how to automate the cert import into the store and removal of the old one (because I don’t want a thousand old certs staying in there after years.)

I could use the win-simple client or perhaps the Certify client but I would have to go through a full test cycle since I’ve never used either and don’t know how they work or what “weirdnesses” they might exhibit on my server. Because Windows.


If you used Windows binaries, they are actually self-sufficient and using OpenSSL is optional - the client can both generate the keys and it also supports export to PFX (starting from v0.25, the usage page mentions that in “PFX/P12 support” section). You could basically create a command/batch file as described in the “Certificate renewal - automation” and indeed run it from the scheduler. As for importing PFX automatically into the store, that is doable - there is a link given in “PFX/P12 support” to how that can be done with certutil.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.