Updating multiple site bindings in IIS with new SSL-certificate

This blog post describes how to use a PowerShell script to update multiple IIS site bindings with a new or renewed SSL/TLS certificate. But first, some background information on why and when this may be useful.

Example scenario for using multiple site bindings

A site binding in IIS may be configured with a host name. IIS will then use the Host header in the HTTP request to route requests to the correct web site. With Server Name Indication (SNI) enabled, multiple sites and host names can share the same port for incoming SSL/TLS requests.

IIS site binding with host name and SNI configured
When hosting web applications on template-based virtual machines, it may be useful to configure multiple bindings for each hosted application. For instance, imagine that you have a web application hosted at https://myportal.mycompany.com and that you add multiple host name bindings to this web site, e.g. by appending the numbers 1-10 to “myportal” or by appending tag names like “-qa”, “-preprod”, “-failover”, etc. The web site will then be able to process any request with a matching host name, given that the DNS records point to the virtual machine.

Multiple host names configured for a site
Next, consider that we have multiple virtual machines running the same application, all having the same IIS binding configuration. The machines may have different roles and may be running different versions of the application, or they may be identical clones placed behind a load balancer for scale out.

PowerShell script for updating multiple site bindings with new certificate

The following PowerShell script updates certificates for all bindings matching the domainNameMatchPattern regex pattern. The script has been designed to be an Octopus Deploy script module and reads the friendly name of the certificate to use from an Octopus Deploy variable. The certificate must exist in Octopus Deploy’s certificate store.

The script consists of the helper function AssignCertificate and the main function Update-Certificates, which is invoked from an Octopus Deploy project step.
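As an added illustration of that structure (this is not the script module from the post), the following PowerShell looks up the certificate by friendly name in the local machine store, then rebinds every https binding whose host name matches the regex. The WebAdministration cmdlets and the binding object's AddSslCertificate/RemoveSslCertificate methods are standard IIS PowerShell; the Octopus variable name CertificateFriendlyName and the default pattern are assumptions.

```powershell
# Added example, not the blog's own script. Assumes IIS with the WebAdministration
# module, the certificate already imported into Cert:\LocalMachine\My, and an
# Octopus Deploy variable named "CertificateFriendlyName" (hypothetical name).
Import-Module WebAdministration

function AssignCertificate {
    param(
        [Parameter(Mandatory)] $Binding,                 # object returned by Get-WebBinding
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    # bindingInformation has the form "ip:port:hostname"; the host name is the last part.
    $hostName = ($Binding.bindingInformation -split ':')[-1]
    Write-Host "Binding certificate $Thumbprint to https binding for '$hostName'"
    # Drop the certificate currently bound (if any) before attaching the new one.
    if ($Binding.certificateHash) { $Binding.RemoveSslCertificate() }
    $Binding.AddSslCertificate($Thumbprint, 'My')
}

function Update-Certificates {
    param(
        [Parameter(Mandatory)] [string] $CertificateFriendlyName,
        [string] $DomainNameMatchPattern = '^myportal(\d+|-qa|-preprod|-failover)?\.mycompany\.com$'
    )
    # Require exactly one usable (private key, not expired) certificate with this
    # friendly name, so a stale or duplicate certificate is never bound by accident.
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.FriendlyName -eq $CertificateFriendlyName -and $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) })
    if ($certs.Count -ne 1) {
        throw "Expected exactly one valid certificate named '$CertificateFriendlyName', found $($certs.Count)"
    }
    $thumbprint = $certs[0].Thumbprint

    # Only https bindings carry certificates; match the host-name part against the pattern.
    $bindings = @(Get-WebBinding -Protocol https | Where-Object {
        (($_.bindingInformation -split ':')[-1]) -match $DomainNameMatchPattern })
    if ($bindings.Count -eq 0) {
        Write-Warning "No https bindings matched pattern '$DomainNameMatchPattern'"
        return
    }
    foreach ($binding in $bindings) {
        AssignCertificate -Binding $binding -Thumbprint $thumbprint
    }
}

# Entry point when run as an Octopus Deploy script step (variable name is an assumption).
if ($OctopusParameters) {
    Update-Certificates -CertificateFriendlyName $OctopusParameters['CertificateFriendlyName']
}
```

After running, `Get-WebBinding -Protocol https | Select-Object bindingInformation, certificateHash` shows which thumbprint each matching binding now serves.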

Add the script as an Octopus Deploy script module
The script module can then be invoked from an Octopus Deploy project by using a “Run a script” step:

Invoke the Update-Certificates function located in the previously created script module
The previous step assumes that the new certificate has already been installed on the relevant hosts. Otherwise, the “Import Certificate” Octopus Deploy step template can be used to install certificates on the hosts.