Q: Can we somehow receive automatic notifications when our Microsoft IIS server's SSL certificates are automatically renewed? Also, can we automatically rebind a renewed SSL certificate to the IIS website it protects? The Certificate Services service in Windows can automatically renew a certificate but can't automatically rebind the new certificate to the website that uses it.
A: The Certificate Services service has supported automated certificate issuance and renewal since its introduction in Windows 2000. In Windows 8 and Windows Server 2012, Microsoft introduced a new set of certificate life-cycle notification features to help you better manage user and computer certificate renewals. In Task Scheduler, you can now create certificate life-cycle notification tasks that will automatically run when certificate life-cycle events occur. For example, you can create a task that will run a Windows PowerShell script to bind a new auto-generated certificate to your website each time a new server certificate is created in the local machine certificate store.
To make this possible, Microsoft added the Notification task category for the Certificate Services Client in Task Scheduler for defining certificate life-cycle notification tasks. You can find this new task category in the Task Scheduler Library under the Microsoft\Windows\CertificateServicesClient container.
You can create a new certificate life-cycle notification task from the PowerShell command line using the New-CertificateNotificationTask cmdlet and link the execution of a script to that notification task. For example, suppose that you create a script, updatewebcert.ps1, to update the website certificate binding when there's a certificate renewal. (You can find a sample script for this purpose in the TechNet article "Certificate Services Lifecycle Notifications.") The following command creates a new task named UpdateWebCert that would run the updatewebcert.ps1 script:
- New-CertificateNotificationTask -Type Replace `
- -PSScript "c:\Scripts\updatewebcert.ps1" `
- -Name UpdateWebCert -Channel System
To view all the certificate life-cycle notification tasks that have been created on a computer, you can use the Get-CertificateNotificationTask cmdlet. To remove a certificate life-cycle notification task, you can use the Remove-CertificateNotificationTask cmdlet.
Microsoft also added two new event log containers to specifically store certificate life-cycle events. You can find these containers in the Event Viewer under Applications and Service Logs\Microsoft\Windows. The containers are named CertificateServicesClient-Lifecycle-System and CertificateServicesClient-Lifecycle-User. Each container has a subcontainer named Operational log to store the certificate events.