Changing intermediate chain SSL certificate in IIS on Windows Server

Changing the intermediate SSL certificate of a site in IIS without reboot

Recently I had to change the intermediate chain SSL certificate on a lot of sites, because the intermediate had been revoked after not being issued correctly (wrong serial number entropy). Neither adding the new intermediate SSL certificate to the Windows certificate store and removing the old one, nor an iisreset, actually implemented the change. This is the easy way I ended up changing it, without rebooting the server.

As can be seen, I've set up a lab server running IIS with a site that has a Let's Encrypt certificate. Just for this example, we'll switch out the Let's Encrypt Authority X3 intermediate certificate signed by DST Root CA X3 with the new Let's Encrypt Authority X3 intermediate certificate signed by ISRG Root X1.

First we’re adding the new intermediate SSL certificate to the Windows Certificate store.


After just adding the new certificate, and removing the old, the IIS site still presents the same old intermediate.


Even after an “iisreset” it still sticks to the old.


Now, to actually make the change, open IIS Manager and go to the site.


Open “Bindings”, and click “Edit” on the port with SSL.


Now, in the select box called "SSL certificate", re-choose the same SSL certificate as previously.


Then just press OK and close the windows. The intermediate chain of the SSL certificate has now changed to the new one. Re-selecting the certificate recreates the HTTP.sys SSL binding, so the chain is rebuilt from what is currently in the certificate store.

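The same rebinding step, scripted, as an added example that is not part of the original post: it reads the thumbprint from the site's HTTPS binding, shows which intermediate the local machine store now resolves to, then drops and recreates the HTTP.sys SSL binding with the same thumbprint. It assumes the WebAdministration module is available, a non-SNI binding on 0.0.0.0:443, and that the site name is replaced with your own.

```powershell
# Added example, not from the original post. Assumes the WebAdministration
# module, a binding on 0.0.0.0:443 (no SNI) and a site name you adjust below.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumption: replace with your site name
$ipPort   = '0.0.0.0:443'        # assumption: non-SNI binding
$iisAppId = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'  # HTTP.sys app id used by IIS

# 1. Find the thumbprint the site's HTTPS binding currently uses.
$binding = Get-WebBinding -Name $siteName -Protocol https
$thumb   = ($binding.certificateHash | Out-String).Trim()
if (-not $thumb) { throw "No HTTPS binding with a certificate on site '$siteName'" }

# 2. Build the chain from the local machine store and list each issuer.
#    Once the old intermediate is removed and the new one imported, this
#    already shows the new intermediate; IIS simply has not re-read it yet.
$leaf  = Get-Item "Cert:\LocalMachine\My\$thumb"
$chain = New-Object Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline-friendly
[void]$chain.Build($leaf)
$chain.ChainElements | ForEach-Object {
    '{0}  (issued by {1})' -f $_.Certificate.Subject, $_.Certificate.Issuer
}

# 3. Drop and recreate the HTTP.sys SSL binding with the same thumbprint.
#    This is the scripted counterpart of re-selecting the certificate in the
#    IIS Manager "Edit Site Binding" dialog; no iisreset or reboot is needed.
netsh http delete sslcert ipport=$ipPort | Out-Null
netsh http add sslcert ipport=$ipPort certhash=$thumb appid=$iisAppId certstorename=MY

# 4. Show the resulting binding for confirmation.
netsh http show sslcert ipport=$ipPort
```

Run it in an elevated PowerShell session; the chain listing in step 2 is a quick way to confirm the new intermediate is in place before touching the binding.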
