Simplify certificate renewal in Azure DevOps

Certificate renewal can be a tedious job, especially when deploying multiple IIS Web applications. The reason for this is because the IIS Web App Manage task in the release pipeline needs the SSL certificate thumbprint to know which certificate to use in the HTTPS binding. Whenever the certificate is renewed, the old thumbprint needs to be replaced by a new one for each deployment/release pipeline.

In this post we’ll see how we can use a Variable group to define the SSL certificate thumbprint once and use it during the deployment step.

Create a variable group

1. Open the Library tab on the left to see a list of existing variable groups for your project.
2. Choose + Variable group to start adding a new variable group.
3. Enter a name and description for the group. Give it the name Thumbprints for example.
4. Enter the name for the certificate thumbprint variable (f.e. MyCertificateThumbprint) and enter the certificate thumbprint in the value field. If you want to encrypt and securely store the value, choose the “lock” icon at the end of the row.
5. Choose Save.

Adding a certificate thumbprint to a variable group

Link the variable group

1. Open the Variables tab of the release pipeline.
2. Choose Variable groups and click the Link variable group button.
3. Select the new variable group Thumbprints and click the Link button.

To link the variable group from a YAML file:

For more information about variable groups, see the Microsoft documentation.

Modify the bindings

1. Edit the release pipeline (when you have more than one already, you’ll have to edit them one by one).
2. Select the IIS Web App Manage task (or the Stage depending on where you can configure the bindings).
3. Configure the binding for HTTPS (port 443).
4. Paste $(MyCertificateThumbprint) in the SSL certificate thumbprint field.
5. Press OK to close the binding dialog.
6. Save the release pipeline.

Use the variable from the variable group as SSL certificate thumbprint

Changing the thumbprint

Whenever the certificate expires, make sure all your deployment targets have the updated certificate. After that, change the thumbprint for the $(MyCertificateThumbprint) variable once in the variable group and it will be automatically applied to every next release.