
I have a server with a dozen or so sites that each have HTTP and HTTPS bindings, with a couple of these sites sharing the same root domain, like so:

Name             Bindings
----             --
Site 1           www.contoso.com:80
                 www.contoso.com:443
Site 2           foobar.contoso.com:80
                 foobar.contoso.com:443
Site 3           www.example.com:80
                 www.example.com:443
etc.

Now, the SSL certificate I use, *.contoso.com, is expiring next week, so I got a new one, imported it and it is now available to IIS. To replace the certificate for each binding using the old one I now have to go to each site, go to bindings, select the :443 binding and set it to use the new certificate. Not a big issue with just one site, but I have dozens of sites all running on this certificate!

How can I easily switch all the *.contoso.com sites from the old certificate to the new one using PowerShell?

I have already looked into the documentation of the IISAdministration module but I haven't been successful in finding a method that allows me to change a binding so that it uses a different certificate, and Google mostly gives me solutions that include the renewal of a certificate, something I've already handled using my certificate provider's website.

Contoso is a placeholder name and not a real company.

3 Answers

3

The above script failed to work for me, is more complex, and requires installing additional server components to use. Instead, we can directly update the existing binding.

The below, modified, code is much more concise and reduces the chance of interruptions to live sites caused by attempting to remove bindings and re-add them.

# Get the new certificate
$cert = Get-ChildItem Cert:\LocalMachine\my | Where Subject -Like "CN=<cert subject name>" # Find the cert subject name with Get-ChildItem Cert:\LocalMachine\my.

# Go through each SSL binding listed in IIS
Foreach ($Binding in Get-WebBinding -Protocol "https") {
    
    $Binding.AddSslCertificate($cert.GetCertHashString(), "my")

}
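The same AddSslCertificate approach, as an added example that is not part of the answer above: it swaps only the https bindings whose current hash is the expiring certificate (so sites on other certificates are left untouched), refuses to run if the new certificate is missing or has no private key, supports a dry run, and verifies afterwards that no binding still references the old thumbprint. The two thumbprints are placeholders; the script assumes the WebAdministration module and an elevated prompt.

```powershell
# Added example, not the original answer's code. Replace the two placeholder
# thumbprints with values from:
#   Get-ChildItem Cert:\LocalMachine\My | Format-List Subject, NotAfter, Thumbprint
Import-Module WebAdministration

$oldThumb = '<OLD-CERT-THUMBPRINT>'   # placeholder: the expiring *.contoso.com cert
$newThumb = '<NEW-CERT-THUMBPRINT>'   # placeholder: the freshly imported cert
$DryRun   = $true                     # set to $false to actually rebind

# Sanity checks on the replacement certificate before touching any binding
$new = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $newThumb
if (-not $new)               { throw "Certificate $newThumb not found in LocalMachine\My" }
if (-not $new.HasPrivateKey) { throw "Certificate $newThumb has no private key; IIS cannot serve with it" }
if ($new.NotAfter -lt (Get-Date).AddDays(7)) {
    Write-Warning "Replacement certificate already expires on $($new.NotAfter)"
}

# Select only the https bindings that currently use the old certificate.
# certificateHash on a binding is the thumbprint of the cert it serves.
$targets = Get-WebBinding -Protocol https | Where-Object { $_.certificateHash -eq $oldThumb }
if (-not $targets) {
    Write-Host "No https bindings reference $oldThumb; nothing to do."
    return
}

foreach ($b in $targets) {
    $info = $b.bindingInformation   # e.g. *:443:www.contoso.com
    if ($DryRun) {
        Write-Host "[dry run] would rebind $info to $newThumb"
        continue
    }
    # Update the binding in place; no remove/re-add, so the site stays up
    $b.AddSslCertificate($new.Thumbprint, 'My')
    Write-Host "Rebound $info to $newThumb"
}

# Post-change verification: nothing should still point at the old thumbprint
if (-not $DryRun) {
    $left = Get-WebBinding -Protocol https | Where-Object { $_.certificateHash -eq $oldThumb }
    if ($left) {
        Write-Warning ("Still using old cert: " + ($left.bindingInformation -join ', '))
    } else {
        Write-Host "All selected bindings now use $newThumb"
    }
}
```

Run it once with $DryRun left at $true to see exactly which bindings would change before flipping it to $false.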
1

This should do what you're looking for using the WebAdministration module instead. I'm not able to test it out at the moment, so definitely try it out on one binding first in case I typo'd something:

First, make sure you can get the new certificate. You can filter by FriendlyName/SubjectName/Thumbprint etc. Basically, make sure that this command only returns one certificate for you:

Get-ChildItem Cert:\LocalMachine\my | Where FriendlyName -Like 'NewCertificate'

Then this script will recreate your SSL bindings using the new certificate. Try running each step manually first:

Import-Module WebAdministration

# Get the new certificate
$cert = Get-ChildItem Cert:\LocalMachine\my | Where Subject -Like '*domain*'

# Go through each SSL binding listed in IIS
Foreach ($Binding in (Get-ChildItem IIS:\SslBindings\)) {
    
    # Remove current binding
    $Binding | Remove-Item

    # Add the binding again using the new certificate 
    # (Bindings using hostname instead of IP address use a slightly different path)
    if ($Binding.Host) {
        $cert | New-Item -path "IIS:\SslBindings\!$($binding.Port)!$($binding.Host)"
    } 
    Elseif ($Binding.IPAddress) {
        $cert | New-Item -path "IIS:\SslBindings\$($binding.IPAddress)!$($binding.Port)"
    }
}

I originally based this on Terri Donahue's post here, which has a lot more detail and explanations about the process.

0

@appleoddity

You are absolutely right. Your answer IS the correct answer. Microsoft and the technical community at large are sharing useless code that does not actually select the cert from the available drop-down in a one-to-one behavior like GUI.

I got it from here: https://lachlanbarclay.net/2022/01/updating-iis-certificates-with-powershell

1
  • 1
    As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Jul 3 at 15:46
