Manage IIS bindings

Create or update bindings in IIS

Plugin type Installation
Download Built-in
Compatibility Windows (admin only)

Description

Http binding update algorithm

  • Existing https bindings in any web site linked to the previous certificate are updated to use the new certificate.
  • Hosts names which are determined to not yet have been covered by any existing binding, will be processed further.
    • All existing https bindings in source site whose hostnames match with the new certificate are updated to use the new certificate. This happens even if they are using certificates issued by other authorities. (Note that if you want to prevent this from happening, you can use the ‑‑excludebindings switch).
    • If no existing https binding can be found, a new binding is created.
      • It will create bindings on the specified installation site and fall back to the source site if there is none.
      • It will use port 443 on IP * unless different values are specified with the ‑‑sslport and/or ‑‑sslipaddress switches.
    • New bindings will be created or updated for matching host headers with the most specific match. E.g. if you generate a certificate for a.b.c.com, the order of preference for the binding creation/change will be:
      1. a.b.c.com
      2. *.b.c.com
      3. *.c.com
      4. *.com
      5. * (Default/empty binding)
    • If the certificate contains a wildcard domain, the order of preference will be:
      1. *.a.b.c.com
      2. x.a.b.c.com
    • In both cases, the first preferred option will be created from scratch if none of the later options are available.
    • In some cases the plugin will not be able to (safely) add a new binding on older versions of IIS, e.g. due to lack of support for SNI and/or wildcard bindings. In that case the user will have to create them manually. Note that renewals will be automatic after this initial manual setup.

Ftp binding update algorithm

  • Any existing FTP sites linked to the previous certificate are updated to use the new certificate.
  • If the Default FTP settings refer to the previous certificate, the defaults are updated to the new certificate.
  • The target FTP site will be updated to use the new certificate. If no target is specified, the source site is considered to be the target.

Installing to multiple sites

Due to the logic described above, it’s never required to configure the IIS installation step more than once to ensure succesful renewal of all bindings, regardless of how many different sites you have. However, if you have a complicated scenario, you may need to manually tune the bindings to your wishes after the initial run.

Command line

--installation iis Activates the plugin
‑‑installationsiteid Specify site to install new bindings to. Defaults to the source if that is an IIS site.
‑‑sslport Port number to use for newly created HTTPS bindings. Defaults to 443.
‑‑sslipaddress IP address to use for newly created HTTPS bindings. Defaults to *.

Examples

Typical --installation iis [‑‑installationsiteid 14] [‑‑sslport 8443] [‑‑sslipaddress 192.168.0.1]

JSON

ID ea6a5be3-f8de-4d27-a6bd-750b619b2ee2

Looking for win-acme?

simple-acme is a backwards compatible, drop-in replacement built by the same person. Project history.