Q: Our IIS web server certificates are automatically renewed using the Windows Active Directory public key infrastructure auto-enrollment and auto-renewal feature. However, we don't have a solution to automatically rebind the new certificates to the web servers' URLs. Is there a way to easily achieve this?
A: Yes, this is possible starting with IIS 8.5 (bundled with Windows Server 2012 R2). Microsoft has integrated a new Certificate Rebind feature. You can enable this feature at the server level from the Server Certificates dialog box in IIS Manager, using the Enable Automatic Rebind of Renewed Certificate option in the Actions pane.
This new feature leverages the new certificate lifecycle notification mechanism in Windows 8 and Windows Server 2012. (For more information, see "New Features Make Managing Certificate Renewals Easier.")
When you enable Automatic Certificate Rebind from IIS Manager for a given website, IIS registers a task in the system's Task Scheduler that will trigger upon a certificate-renewal event (event ID 1001) and that will automatically run an appcmd command to unbind the old certificate from the website and bind the new certificate to the website. The task is stored in the CertificateServicesClient folder of the Task Scheduler Library.