Expired SSL/TLS Certificate Causing Service Outage — IIS, RDS, Exchange or ADFS
An SSL/TLS certificate has passed its NotAfter date, causing browsers to block access, RDS clients to refuse the connection, Exchange to stop processing mail, or ADFS federation to fail. The emergency path is: renew, import to the machine store, and rebind to the affected service.
Indicators
- Browser shows 'Your connection is not private' / NET::ERR_CERT_DATE_INVALID
- RDS Gateway users cannot authenticate or receive a certificate warning at login
- Exchange OWA/Outlook Anywhere stops functioning with certificate errors in logs
- ADFS/WAP returning certificate validation errors to relying party applications
Likely causes
- Certificate reached NotAfter date with no auto-renewal or alerting in place
- Auto-renewal failed silently — ACME client error, Let's Encrypt rate limit, or DNS validation failure
- Certificate renewed but not bound to IIS site, RDS role, or Exchange service
- Wildcard certificate renewed on one server but not deployed to all dependent services
Diagnostic steps
- Confirm expiry: openssl s_client -connect hostname:443 2>/dev/null | openssl x509 -noout -dates; or PowerShell: Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.NotAfter -lt (Get-Date).AddDays(30)}
- Identify all services using the expired cert: IIS bindings, RDS deployment properties, Exchange certificate assignments, ADFS token-signing/decrypting certs
- Obtain replacement certificate from CA (commercial CA, internal AD CS, or Let's Encrypt) — ensure all SANs match previous certificate
- IIS: Import PFX to certlm.msc (Local Machine > Personal); IIS Manager > Site > Bindings > edit HTTPS binding > select new certificate
- Exchange: Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path cert.pfx -Encoding byte -ReadCount 0)) -Password (ConvertTo-SecureString -String 'pass' -AsPlainText -Force); then Enable-ExchangeCertificate -Thumbprint <new> -Services SMTP,IIS,POP,IMAP
- RDS: Server Manager > Remote Desktop Services > Deployment Properties > Certificates — reassign per role (Gateway, Broker, Web Access, Licensing)
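The store check above only says whether a fresh certificate exists; it does not say which certificate a service is actually presenting. The following is an added example (not from this runbook) that reads the certificate each endpoint presents over TLS and compares it with the newest certificate for the same subject in the local machine store, so it flags both an expired certificate and the "renewed but not bound" case from the causes list. The endpoint names are placeholders.

```powershell
# Added example, not part of the original runbook. Reads the certificate a service
# presents over TLS and compares it with the local machine store so that both an
# expired certificate and a renewed-but-never-rebound certificate are flagged.
# The endpoint names at the bottom are placeholders.

function Get-PresentedCert {
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate on purpose: the point is to read an expired one,
        # not to validate it. Only appropriate for a read-only diagnostic like this.
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $noCheck)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI so the right binding answers
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Test-ServiceCert {
    param([string]$HostName, [int]$Port = 443, [int]$WarnDays = 30)
    $cert = Get-PresentedCert -HostName $HostName -Port $Port
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $status = if ($daysLeft -lt 0) { 'EXPIRED' }
              elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' }
              else { 'OK' }
    # Newest certificate in the machine store with the same subject. If it is not
    # the one being presented, a renewal was imported but the binding never changed.
    $newest = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $cert.Subject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    [pscustomobject]@{
        Endpoint     = "${HostName}:$Port"
        Presented    = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        DaysLeft     = $daysLeft
        Status       = $status
        NewerInStore = [bool]($newest -and $newest.Thumbprint -ne $cert.Thumbprint)
    }
}

# Run on the server that owns the bindings; replace the placeholder endpoints.
'mail.example.com:443', 'rdgw.example.com:443' | ForEach-Object {
    $h, $p = $_ -split ':'
    Test-ServiceCert -HostName $h -Port ([int]$p) -WarnDays 30
} | Format-Table -AutoSize
```

A row with Status EXPIRED and NewerInStore True means the replacement is already imported and only the rebind step (IIS binding, Enable-ExchangeCertificate, or RDS deployment properties) is outstanding.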
Resolution path
- Identify which service is presenting the expired certificate
- Obtain replacement certificate with identical SANs from CA
- Import PFX to Windows machine certificate store
- Rebind to all affected services: IIS, Exchange, RDS, ADFS
Prevention
- Implement certificate expiry monitoring with alerts at 90, 30 and 7 days
- Use AD CS auto-enrollment for internal certificates on domain-joined systems
- Use ACME/Let's Encrypt with verified auto-renewal for public-facing services
- Maintain a certificate inventory spreadsheet with owner, SAN list and renewal date
Tools
- certlm.msc / MMC Certificate snap-in
- IIS Manager
- Exchange Management Shell
- Remote Desktop Services Deployment Properties
- openssl s_client
- Let's Encrypt / Certbot / ACME.sh
- DigiCert Certificate Utility