✅ What We'll Build:
A complete automated PowerShell script to:
- Auto-detect expiring SSRS certs (based on threshold, e.g. 30 days)
- Find a new certificate automatically (newer version or renewed cert)
- Rebind the new cert to SSRS's HTTPS listener (port 443)
- Restart SSRS and optionally log the whole operation
- Include logging, email alerts, and support for scheduled tasks
✅ Assumptions
- Certificates are auto-renewed or manually renewed in LocalMachine\My
- SSRS uses port 443 and HTTP.SYS
- You can run this as a scheduled task or manually
- You'll provide SMTP settings for email alerts (optional)
✅ Full Script: SSRS Cert Auto-Renew + Rebind + Logging + Email
# SSRS SSL Auto-Renew + Rebind Script # Author: PowerShell Engineer GPT # Version: 2.0 # Purpose: Automatically detect and rebind new SSL certificates to SSRS, with logging and optional email alerts
# ----------------------- # CONFIGURATION # -----------------------
# General settings $ipport = "0.0.0.0:443" $ssrsServiceName = "SQLServerReportingServices" $certFriendlyName = "mycompany.com" # Match partial Subject Name of the SSRS SSL cert $daysToExpireThreshold = 30 # Days before expiration to trigger rebind
# Logging settings $logFilePath = "C:\Logs\SSRS_SSL_AutoRebind.log" $logRetentionDays = 90
# Email alert settings (optional) $sendEmailAlerts = $false $smtpServer = "smtp.yourdomain.com" $smtpPort = 587 $smtpFrom = "ssrs-monitor@yourdomain.com" $smtpTo = "admin@yourdomain.com" $smtpSubject = "SSRS SSL Rebind Performed" $smtpCredential = Get-Credential -Message "Enter SMTP Credentials" -UserName "smtpuser"
# ----------------------- # LOGGING FUNCTION # ----------------------- function Write-Log { param ( [string]$message, [string]$level = "INFO" ) $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss" $entry = "$timestamp [$level] $message" Write-Host $entry Add-Content -Path $logFilePath -Value $entry }
# ----------------------- # EMAIL ALERT FUNCTION # ----------------------- function Send-EmailAlert { param ([string]$message) if (-not $sendEmailAlerts) { return }
Send-MailMessage -From $smtpFrom -To $smtpTo -Subject $smtpSubject ` -Body $message -SmtpServer $smtpServer -Port $smtpPort ` -Credential $smtpCredential -UseSsl }
# ----------------------- # MAIN SCRIPT # ----------------------- Write-Log "========= Starting SSRS SSL Auto-Rebind Script ========="
# Clean up old logs Get-ChildItem -Path (Split-Path $logFilePath) -Filter *.log | Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$logRetentionDays) } | Remove-Item -Force
# Step 1: Get current binding and appid Write-Log "Checking existing SSL bindings..." $bindings = netsh http show sslcert $appidRegex = '{[0-9a-fA-F-]+}' if ($bindings -match $appidRegex) { $appid = $Matches[0] Write-Log "Existing AppID found: $appid" } else { $appid = [guid]::NewGuid().Guid Write-Log "No existing AppID found. Generated new AppID: $appid" }
# Step 2: Find the current SSRS SSL certificate Write-Log "Searching for current certificate with [$certFriendlyName]..." $currentCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$certFriendlyName*" } | Sort-Object NotAfter -Descending | Select-Object -First 1
if ($null -eq $currentCert) { Write-Log "No current certificate found! Exiting." "ERROR" Send-EmailAlert "SSRS SSL Auto-Rebind FAILED! No current certificate found!" exit 1 }
Write-Log "Current Cert Subject: $($currentCert.Subject)" Write-Log "Current Cert Thumbprint: $($currentCert.Thumbprint)" Write-Log "Current Cert Expiry: $($currentCert.NotAfter)"
# Step 3: Check expiration $daysRemaining = ($currentCert.NotAfter - (Get-Date)).Days Write-Log "Days remaining until cert expires: $daysRemaining"
if ($daysRemaining -gt $daysToExpireThreshold) { Write-Log "Cert is valid for more than $daysToExpireThreshold days. No rebind needed." exit 0 }
Write-Log "Cert expiring soon (within $daysToExpireThreshold days)! Searching for newer cert..."
# Step 4: Find newer certificate (later expiration) $newCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$certFriendlyName*" -and $_.NotAfter -gt $currentCert.NotAfter } | Sort-Object NotAfter -Descending | Select-Object -First 1
if ($null -eq $newCert) { Write-Log "No newer certificate found. Manual intervention required." "ERROR" Send-EmailAlert "SSRS SSL Auto-Rebind FAILED! No newer certificate found!" exit 1 }
Write-Log "New Cert Found!" Write-Log "Subject: $($newCert.Subject)" Write-Log "Thumbprint: $($newCert.Thumbprint)" Write-Log "Expires: $($newCert.NotAfter)"
# Step 5: Unbind old SSL binding Write-Log "Removing existing binding on $ipport..." & netsh http delete sslcert ipport=$ipport Write-Log "Old binding removed (if it existed)."
# Step 6: Bind new SSL certificate $newThumbprint = $newCert.Thumbprint -replace " ", "" Write-Log "Binding new certificate to $ipport with thumbprint $newThumbprint..." & netsh http add sslcert ipport=$ipport certhash=$newThumbprint appid=$appid Write-Log "New binding added!"
# Step 7: Restart SSRS Write-Log "Restarting SSRS service [$ssrsServiceName]..." Restart-Service -Name $ssrsServiceName -Force Write-Log "SSRS restarted successfully."
# Step 8: Verify binding Write-Log "Verifying new SSL binding..." $newBindings = netsh http show sslcert Write-Log "New SSL bindings:`n$newBindings"
# Step 9: Send email alert $summary = @" SSRS SSL Auto-Rebind Completed!
New Certificate Bound: Subject : $($newCert.Subject) Thumbprint : $($newCert.Thumbprint) Expires : $($newCert.NotAfter)
Port Bound : $ipport AppID : $appid
SSRS Service Restarted. "@
Write-Log "Rebind completed successfully!" Send-EmailAlert $summary
Write-Log "========= SSRS SSL Auto-Rebind Script COMPLETE =========" |
✅ What This Script Does:
Task | Description |
Audit | Checks the current SSL binding and finds the AppID |
Detect Expiry | Checks if the current certificate is near expiration |
Search New Cert | Finds the newest valid cert matching the domain (Subject) |
Rebind | Unbinds the old cert, binds the new one to the port |
Restart SSRS | Restarts the SSRS service to apply the change |
Logging | Logs actions to a log file with rotation |
Email Alerts | Sends success/failure notifications via email |
✅ Customizing the Script
- Set $certFriendlyName to match your certificate
Example: "ssrs.yourdomain.com" - SMTP settings: Provide real values for:
- $smtpServer
- $smtpFrom / $smtpTo
- $smtpCredential (optional, secured via Get-Credential)
- Change $ssrsServiceName if using a named instance
Example: "SQL Server Reporting Services (MSSQLSERVER)"
✅ Scheduling It (Automation)
- Save this script as SSRS_SSL_AutoRebind.ps1
- Run it via Task Scheduler:
- Action: powershell.exe -File "C:\Scripts\SSRS_SSL_AutoRebind.ps1"
- Run as: Administrator
- Trigger: Daily, or Weekly
- Condition: Ensure it has access to cert store and SSRS service permissions