This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 65%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBP%3C/text%3E%3C/svg%3E)
End goal - I want to automate certificate renewal and rebind in IIS, using certificates from an Azure Key Vault. i.e. When a cert is renewed in the key vault, the cert should get pushed/pulled to the VM, then the IIS binding should swap to the newer certificate.
I've already setup and tested the Azure Key Vault VM Extension to watch a particular certificate, and I've enabled Automatic Rebind of Renewed Certificate in IIS.
The problem is that when the Key Vault VM Extension pulls over a newer version of the certificate, it's not writing the expected event 1001 (or any event) to the Event Log watched by the Task created by Automatic Rebind.
Am I missing something here? Or is there a better way to accomplish this goal?
Documentation I'm basing my goal on:
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/key-vault-windows
https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-85/certificate-rebind-in-iis85
@Bollwerk, Pete
Thank you for your post!
From the Key Vault side of things, the updates/activities performed by the Azure Key Vault VM Extension should be logged within the below logs and config paths. The most recent status of the certificate download can also be found at C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.KeyVault.KeyVaultForWindows\...
WindowsAzure\Logs\Plugins? Additional Link:
Best practices for Key Vault + IIS - Related issue
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Hello James,
I appreciate the reply.
I am aware that the extension writes to those various log files.
The problem here is that the Automatic Rebind process that's baked into IIS creates a Scheduled Task that watches Event Logs for a specific event ID number.
I did not create the Scheduled Task myself, and I have no idea how I would edit it to watch in real time for specific lines in a log file, without triggering repeatedly on events that already happened in the past in the same log file. There isn't even an option to watch a log file with a Scheduled Task.
Maybe we need someone more familiar with IIS to offer advice?
I can open a ticket, but I really feel like this process needs to be publicly documented.
II can't be the first person trying to automate IIS cert rebinds using a key vault.
Based on the response you gave to someone else a year ago here - https://learn.microsoft.com/en-us/answers/questions/677497/best-practices-for-key-vault-iis.html - it seems like we need the key vault extension team and the IIS team to get together and connect the two processes here:
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/key-vault-windows
https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-85/certificate-rebind-in-iis85
Microsoft "owns" both of these processes, so from a customer perspective, it's up to folks at Microsoft to provide a documented process to make this work. I don't think it behooves Microsoft to have customers open a ticket for something that really should be publicly documented somewhere.
I'm honestly amazed that a VM Extension created by Microsoft doesn't write to the Windows Event Log (or have an option to enable this).
Even third party software can write to Windows Event Logs.
Why not add this functionality to the Extension, particularly since this extension is only supported for Windows OS?
I would suggest reaching out to the folks that write the code for the extension and ask them to add code to write events to Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
@Bollwerk, Pete
Thank you for the detailed and quick response on this!
I've passed this info to our Key Vault engineering team to see if they can take a look into this issue and will update as soon as possible.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 76%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAQ%3C/text%3E%3C/svg%3E)
Azure KeyVault VM extension now supports writing events to log and hence new certificate would be automatically updated.
Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
Yes, I can confirm this is the case now. I had a ticket open with MS for many months while they worked on updating the extension to write the correct event to the log. My testing has confirmed that this process now works as expected.
Thanks!
@Bollwerk, Pete
Thank you for your time and patience on this issue!
I received a response from our Key Vault engineering team and when it comes to IIS automatic rebinding, the Key Vault VM Extension doesn't support this because it requires Certificate Services Lifecycle Notifications, and the KV VM extension doesn't write a certificate-renewal event (event ID 1001) whenever a new version comes.
Due to the KV VM extension not writing a certificate-renewal event, you should be able to leverage the linkOnRenewal property within the Key Vault VM Extension schema. Upon installation, when the linkOnRenewal property is set to true, the previous version of a certificate is chained to its successor via the CERT_RENEWAL_PROP_ID (certificate extension property). This chaining enables S-channel to pick up the most recent/farthest valid certificate with a matching SAN. This feature enables auto-rotation of SSL certificates, without necessitating a re-deployment or binding.
Note: Please make sure you set the SAN, and the KV VM Extension links the certificate strictly by SAN. This feature doesn’t require re-binding. You might see the binding in IIS still pointing to the older version, but IIS will auto pick up the latest version via S-channel.
"properties": {
"publisher": "Microsoft.Azure.KeyVault",
"type": "KeyVaultForWindows",
"typeHandlerVersion": "1.0",
"autoUpgradeMinorVersion": true,
"settings": {
"secretsManagementSettings": {
"pollingIntervalInS": <string specifying polling interval in seconds, e.g: "3600">,
"certificateStoreName": <certificate store name, e.g.: "MY">,
"linkOnRenewal": <Only Windows. This feature ensures s-channel binding when certificate renews, without necessitating a re-deployment. e.g.: false>,
"certificateStoreLocation": <certificate store location, currently it works locally only e.g.: "LocalMachine">,
"requireInitialSync": <initial synchronization of certificates e..g: true>,
"observedCertificates": <list of KeyVault URIs representing monitored certificates, e.g.: "https://myvault.vault.azure.net/secrets/mycertificate"
}
When it comes to the KV VM extension writing events to the Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational log, I noticed that you leveraged our User Voice forum and created a feature request - I've also created an internal feature request, so our engineering team can look into implementing this.
I hope this helps!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
@Bollwerk, Pete
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Thanks for this. I just returned from vacation, so I need some time to figure out how to implement and test this.
Honestly, I feel like this feature needs to be easier to implement in IIS.
UPDATE 2 - I spoke too soon with my previous update apparently. The website is now serving the newer cert. However, the binding in IIS still links to the old cert. This is problematic, as it makes things rather confusing when we need to verify or cleanup old certs. Is it possible to have the binding in IIS switch automatically to the newer certificate?
Background - we have some websites that add new domains on a regular basis, as we acquire other companies. This means we have some certificates where we add new SANs every few weeks. Ideally, we want to keep only the most recent version of a certificate on a server, with IIS binding to the new version of the cert each time it's updated/replaced, and we can safely delete the older cert from the store.
@Bollwerk, Pete
I hope you enjoyed your vacation and thank you for following up on this!
I'm glad that your IIS server updated to the newer certificate version via the s-channel, and because the binding in IIS is still linking to the older certificate, you can look into using a custom script extension to update your IIS configuration. For more info. However, since automatic re-binding isn't supported through the Key Vault extension, you can also raise an issue with the windows-server-iis community, so their experts can look into this as well.
I've passed along your feedback and shared this issue to our Key Vault product group and will update here if I receive anything from their end.
I hope this helps!
If you have any other questions, please let me know.
Well, a custom script extension would mean I have to write an entire script to accomplish what I want. The script you linked to is not adequate, because we have multiple websites on a single VM and we have to detect which cert is being updated and swapped. That script also seems to be for an initial setup of a very basic website, not for the renewal/replacement of a certificate. I also don't see any way in the custom script extension to tell it to trigger based on a certificate being updated/renewed by the key vault extension. A custom script extension appears to only run once. It's not a task that can be trigged by definable conditions. You can force it to run the same script(s) again by editing the timestamp manually, but that's not a viable solution here.
I'm honestly amazed that Microsoft doesn't have a documented best practice for accomplishing this. It's like half of a solution was engineered with no thought of the other half.
BTW, this issue is already tagged with https://learn.microsoft.com/en-us/answers/topics/608348/windows-server-iis.html
I may have no alternative at this point but to open a ticket in Azure.
@Bollwerk, Pete
Thank you for your time and patience throughout this issue!
I talked to the Key Vault VM Extension team, and when it comes to the binding in IIS still linking to the older certificate, this'll need to be handled by the IIS Team. The Azure Key Vault Extension's linkOnRenewal property updates the IIS binding - this may not be reflected within the IIS viewer, but IIS will automatically pick up the latest version via S-channel.
If you have any other questions, please let me know.
Thank you again for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Can you get someone from the IIS team to comment here? =)
@Bollwerk, Pete
Thank you for following up on this!
I looked into your support request, and it looks like one of our Support Engineers from the IIS team is currently looking into your issue. I also did some more research, and I wasn't able to find a way to automate your issue, but to hopefully help troubleshoot your binding in IIS still linking to the old cert, you can try renewing manually via MMC to see if that helps resolve your issue.
For more info:
Key vault extension not setting CertificateServicesClient-Lifecycle-System 1001
Event ID1001 CertificateServicesClient-Lifecycle-System/Operational
I hope this helps and thank you again for your time and patience throughout this issue.
I'm not sure what you mean by "renewing manually via MMC". We don't renew/update the certificates using the MMC Certificate snap-in, so that's a non-starter.
I'm able to manually change the binding in IIS to the new certificate. However, the issue is specifically how to automate this process. I suppose I'll have to wait until the IIS team gets back to me on my open ticket.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 66%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED3%3C/text%3E%3C/svg%3E)
Hey Pete, I'm unfortunately experiencing the same issue as you are. Did you get a response from the IIS team?
IIS rebinding works, but the GUI shows that an older version of that certificate is being used. The old certificates in IIS are all pointing to the latest version of the certificate so it doesn't matter which one is selected. If you delete the old/expired versions of that certificate from the certificate store, IIS binding GUI will show it as "none", but the website is working fine and using the latest version of the cert. It doesn't make sense and it's really confusing when you have thousands of sites with different certificates.
We also need a way to automatically "clean up" old versions of certificates automatically from KeyVault and from the local certificate store. It doesn't feel like a complete solution right now, cert is automatically renewed and replicated but the old versions are still available for some reason. Do they get cleaned up automatically when they expire?