IBM Support

Renewing a Website SSL/TLS Certificate on Windows Server 2022 (IIS)

How To


Summary

This document provides a concise, operations‑ready guide for renewing SSL/TLS certificates for IIS on Windows Server 2022, covering both public Certificate Authorities and internal Microsoft AD CS scenarios, including cases where the certificate has already expired. It defines the full lifecycle—CSR creation, certificate issuance, installation, IIS binding updates, validation, and safe cleanup—and presents GUI, certutil, and PowerShell methods for every step, enabling administrators to operate effectively during routine maintenance or outage recovery. The guidance emphasizes mandatory IIS binding verification, safe handling of expired certificates, and best practices to prevent service disruptions, effectively serving as a structured instruction set for enterprise environments.

Objective

This document provides approved procedures for renewing SSL/TLS certificates used by IIS websites, including:

  • Public Certificate Authorities (Public CAs)
  • Internal Microsoft Certificate Authority (AD CS)

For every major action, the document includes:

  • GUI steps
  • certutil (command‑line) steps
  • PowerShell steps

Special handling and risks related to already expired certificates are fully integrated.

Environment

This procedure is supported for IIS‑hosted websites running on the following Microsoft Windows Server operating systems:

  • Windows Server 2022 (Primary target and fully validated)
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2 (Supported with reduced lifecycle considerations)

The instructions apply to:

  • IIS versions 8.5 and later
  • Certificates stored in Local Computer → Personal (My) certificate store
  • HTTPS bindings managed directly within IIS
  • Certificate issuance via Public Certificate Authorities or Microsoft Active Directory Certificate Services (AD CS)

Out of Scope

  • Windows client operating systems (Windows 10 / 11)
  • Non‑IIS web servers (e.g., Apache, NGINX)
  • Certificate automation tooling (e.g., ACME/Let’s Encrypt agents)
  • SSL termination handled entirely by external load balancers or CDNs (unless IIS directly presents the certificate)

Notes for Administrators

While the KB is written and validated against Windows Server 2022, all included GUI, certutil, and PowerShell procedures rely on certificate store architecture and IIS behavior that is consistent across the supported server versions listed above. Differences in UI placement may exist in older versions, but the underlying commands and concepts remain the same.

Steps

Critical Notes About Expired Certificates

If a certificate has already expired:

  • There is no grace period
  • Browsers and API clients will fail TLS negotiation
  • Most Certificate Authorities treat renewal as a certificate reissue
  • A new CSR and private key are commonly required
  • IIS will not automatically update bindings

Expired certificates behave like new certificate deployments, not routine renewals.


Option A: Public Certificate Authority (Public CA)

Use This Option When

  • The website is internet‑facing
  • The certificate issuer is a public CA (e.g., DigiCert, Sectigo, GoDaddy)

Step A1: Generate a Certificate Signing Request (CSR)

Purpose

Creates the cryptographic material and identity information required by the CA.

Note: Mandatory for expired certificates


GUI (IIS Manager)

Recommended for standard operations

  1. Open IIS Manager
  2. Select the server name
  3. Open Server Certificates
  4. Click Create Certificate Request

Settings

  • Common Name (CN): www.contoso.com
  • Provider: Microsoft RSA SChannel Cryptographic Provider
  • Key Length: 2048 or 4096

Note: Ensures the private key is stored in the Local Computer certificate store.


certutil / certreq (INF Method)

Recommended for standardized or repeatable processes

; request.inf
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject="CN=www.contoso.com"
KeyLength=2048
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
RequestType=PKCS10

certreq -new request.inf request.csr

Note: Generates a CSR while securely storing the private key on the server.


PowerShell

Recommended for automation

certreq -new request.inf request.csr

Note: PowerShell serves as an orchestration layer for certreq.


Step A2: Submit CSR and Complete CA Validation

Purpose

Allows the CA to validate domain ownership and issue the renewed certificate.

Expired Certificate Impact

  • All domain validation must be repeated
  • HTTP validation may fail due to HTTPS errors
  • DNS validation is strongly recommended

Submission steps are CA‑specific and performed outside the server.


Step A3: Install the Issued Certificate

Purpose

Completes the CSR and associates the issued certificate with the existing private key.


GUI (IIS Manager)

  1. IIS Manager → Server Certificates
  2. Click Complete Certificate Request
  3. Browse to the issued certificate
  4. Store: Personal

Note: Certificate should display a key icon.


certutil

certutil -addstore my issued_certificate.cer

Note: Installs the certificate into LocalMachine\My.


PowerShell (Install and Verify)

Import-Certificate `
  -FilePath issued_certificate.cer `
  -CertStoreLocation Cert:\LocalMachine\My

Verify private key presence:

Get-ChildItem Cert:\LocalMachine\My |
  Where-Object Subject -Like "*contoso*" |
  Select-Object Subject, HasPrivateKey, NotAfter

Note: If HasPrivateKey is False, the CSR and certificate do not match.


Step A4: Update IIS HTTPS Binding (MANDATORY)

Purpose

IIS does not automatically switch to the new certificate.

GUI (IIS Manager)

  1. Select the website
  2. Click Bindings
  3. Edit the https binding
  4. Select the new certificate
  5. Verify hostname and SNI (if applicable)

certutil (Verification Only)

certutil -store my

Note: Used to confirm thumbprint before re‑binding.


PowerShell (Recommended)

Get-WebBinding -Protocol https

Rebind certificate:

# Set-WebBinding has no certificate parameter; the binding object's
# AddSslCertificate method replaces the certificate on the existing binding.
$binding = Get-WebBinding -Name "Default Web Site" -Protocol https -HostHeader "www.contoso.com"
$binding.AddSslCertificate("<NEW_THUMBPRINT>", "My")

Note: Best option for multi‑site environments or scripted recovery.
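The install-and-rebind sequence of Steps A3 and A4 as one script, added here as an example (not IBM's code). It assumes the WebAdministration and PKI modules, the site name "Default Web Site" and the hostname www.contoso.com used in this KB; it picks the newest valid certificate that owns its private key, checks it validates for SSL, rebinds, and confirms the binding carries the new thumbprint.

```powershell
# Added example: select the renewed certificate, validate it, rebind IIS, verify.
# Assumed values: site name, hostname and port (adjust for your environment).
Import-Module WebAdministration

$SiteName = "Default Web Site"   # assumed site name
$HostName = "www.contoso.com"    # assumed hostname from the CSR
$Port     = 443

# Newest unexpired certificate for the host that still owns its private key
# (HasPrivateKey = False means the CSR and issued certificate do not match).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -like "*CN=$HostName*" -or
         $_.DnsNameList.Unicode -contains $HostName)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid certificate with a private key found for $HostName. Complete the CSR first (Step A3)."
}

# Chain and hostname check before touching the binding (PKI module).
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $HostName -ErrorAction SilentlyContinue)) {
    throw "Certificate $($cert.Thumbprint) does not validate for SSL on $HostName."
}

$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
if (-not $binding) {
    # No https binding for this host yet: create one with SNI (SslFlags 1).
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName -SslFlags 1
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
}

# Replace the certificate on the existing binding (no delete/recreate needed).
$binding.AddSslCertificate($cert.Thumbprint, "My")

# Confirm IIS now references the new thumbprint (mandatory check in Step A4).
$after = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
if ($after.certificateHash -ne $cert.Thumbprint) {
    throw "Rebind failed: binding still uses $($after.certificateHash)."
}
"$SiteName ($HostName) now uses $($cert.Thumbprint), valid until $($cert.NotAfter)"
```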


Step A5: Validate and Clean Up

Validation

GUI

  • Browse to https://site
  • Confirm issuer and expiration date

certutil

certutil -store my

PowerShell

Get-ChildItem Cert:\LocalMachine\My |
  Sort-Object NotAfter -Descending |
  Select-Object Subject, NotAfter


Safe Cleanup of Expired Certificates

Note: Expired certificates may still be bound to IIS. Do not delete blindly.

Step 1: Identify HTTPS‑bound certificates

Import-Module WebAdministration

# Thumbprints of every certificate currently referenced by an https binding
$boundThumbprints = Get-WebBinding -Protocol https |
    Select-Object -ExpandProperty certificateHash

Step 2: Remove expired certificates NOT bound to IIS

# Only certificates that are both expired and unreferenced by IIS are offered for removal
Get-ChildItem Cert:\LocalMachine\My |
  Where-Object {
      $_.NotAfter -lt (Get-Date) -and
      $_.Thumbprint -notin $boundThumbprints
  } |
  Remove-Item -Confirm

Note: Production‑safe cleanup approach.


Option B: Internal Microsoft CA (AD CS)

Use This Option When

  • Certificate issued by enterprise PKI
  • Server is domain‑joined
  • AD CS manages certificate issuance

Step B1: Identify Existing Certificate

GUI

  • mmc → Certificates (Local Computer) → Personal → Certificates

certutil

certutil -store my

PowerShell

Get-ChildItem Cert:\LocalMachine\My |
  Select-Object Subject, NotAfter


Step B2: Renew or Reissue Certificate

Scenario 1: Certificate NOT Yet Expired

GUI

  • Right‑click certificate → All Tasks → Renew Certificate

certutil / certreq

Identify the certificate, then renew it. certutil -renewCert renews a CA's own certificate, not a web server certificate; certreq -enroll performs the machine certificate renewal:

certutil -store my
certreq -enroll -machine -cert <THUMBPRINT> renew ReuseKeys

PowerShell

$old = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -Like "*contoso*"
certreq -enroll -machine -cert $old.Thumbprint renew ReuseKeys

Note: Reuses existing template and permissions.


Scenario 2: Certificate IS Expired

Note: Renewal may not be allowed for an expired certificate, so a new certificate must be requested.

GUI

  • Certificates → Request New Certificate
  • Select original template

certutil (Auto‑enrollment)

certutil -pulse

PowerShell

Get-Certificate `
  -Template WebServer `
  -CertStoreLocation Cert:\LocalMachine\My


Step B3: Verify IIS Binding Uses Renewed Certificate

GUI

  • Site → Bindings → https

certutil

certutil -store my

PowerShell

Get-WebBinding -Protocol https |
  Select-Object bindingInformation, certificateHash


Step B4: Validate and Clean Up

Validation and cleanup steps are identical to Option A.


Additional Considerations for Expired Certificates

  • Application pools or services may require restart (iisreset)
  • Load balancers may still present an expired certificate
  • Certificate thumbprint changes may break automation


Additional Information

Best Practices

  • Renew certificates 30–45 days before expiration
  • Monitor expiration via PowerShell or monitoring tools
  • Prefer DNS validation for public CAs
  • Always validate IIS bindings post‑renewal
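The expiration-monitoring practice above, as an added example (not IBM's code): it reports every IIS https binding whose certificate is expired, within the renewal window, or missing from LocalMachine\My (a binding left pointing at a deleted certificate). It assumes the WebAdministration module; the 45-day threshold follows the 30–45 day window recommended here.

```powershell
# Added example: report IIS https bindings by certificate status.
# Assumes the WebAdministration module; WarnDays default follows this KB.
Import-Module WebAdministration

function Get-IisCertificateExpiry {
    param([int]$WarnDays = 45)

    $store = Get-ChildItem Cert:\LocalMachine\My
    foreach ($b in Get-WebBinding -Protocol https) {
        # Match the binding's certificateHash to a certificate in the store
        $cert = $store | Where-Object Thumbprint -eq $b.certificateHash
        # Site name is embedded in the binding's configuration path
        $site = $b.ItemXPath -replace ".*@name='([^']+)'.*", '$1'

        if (-not $cert) {
            $status = "MISSING"; $days = $null; $notAfter = $null
        } else {
            $days     = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            $notAfter = $cert.NotAfter
            $status   = if ($days -lt 0) { "EXPIRED" }
                        elseif ($days -le $WarnDays) { "RENEW" }
                        else { "OK" }
        }

        [pscustomobject]@{
            Site       = $site
            Binding    = $b.bindingInformation
            Thumbprint = $b.certificateHash
            NotAfter   = $notAfter
            DaysLeft   = $days
            Status     = $status
        }
    }
}

$report = Get-IisCertificateExpiry -WarnDays 45
$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring agent raise an alert
if ($report | Where-Object Status -ne "OK") { exit 1 }
```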

Document Location

Worldwide


Document Information

Modified date:
04 May 2026

UID

ibm17271620