Moving sites from 1 server to another - process for re-applying certs?

Looking for some advice on the best way to proceed.

Currently have CTW running and applying a cert to 1 “site” (1 domain with 7 sub-domains) on Windows Server 2008 R2.

We are going to migrate to Windows Server 2025, and move each site/sub-domain over one at a time (each server has its own WAN IP).

What is the correct method to revoke and apply the cert to each site once it has moved server?

Hi,

You do not have to revoke certificates unless there has been a key compromise; there is no other practical benefit to revocation.

I would suggest you export the cert you currently have and set up your HTTPS bindings on the destination server, then manually set up your managed certificates again on the new server.

There is export/import functionality you may be able to use, but it requires that you test the migration in advance: Import & Export | Certify The Web Docs. For sites with only a few certs it’s generally easier just to set them up again, especially as your site/IIS config may be different on the new server.
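The manual route described in this answer (export the existing cert, then create the HTTPS bindings on the destination server), written out in PowerShell as an added example; this is not code from the thread or from Certify The Web. The site name, host name, PFX path, password and the `*example.com*` subject match are placeholders to substitute. Export-PfxCertificate does not exist on Windows Server 2008 R2, so the export step uses certutil, which does; the import and binding steps run on the Windows Server 2025 host.

```powershell
# --- On the OLD server (Windows Server 2008 R2) ---
# Pick the newest cert whose subject matches the domain (placeholder pattern) and
# export it with its private key using certutil (available on 2008 R2).
$oldThumb = (Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*example.com*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
certutil -p 'ChangeMe!' -exportPFX my $oldThumb C:\migrate\example.com.pfx

# --- On the NEW server (Windows Server 2025) ---
Import-Module WebAdministration

$siteName = 'www.example.com'            # assumed IIS site name on the new server
$hostName = 'www.example.com'            # assumed host header for the site being moved
$pfxPath  = 'C:\migrate\example.com.pfx' # assumed path the PFX was copied to
$pfxPass  = ConvertTo-SecureString 'ChangeMe!' -AsPlainText -Force

# Import into the machine store; -Exportable lets the key be re-exported later if needed.
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My `
            -Password $pfxPass -Exportable

# Sanity checks before binding: the cert must list this host name as a SAN (OID 2.5.29.17)
# and should not be about to expire.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt -or $sanExt.Format($true) -notmatch [regex]::Escape($hostName)) {
    throw "Certificate $($cert.Thumbprint) does not list $hostName as a SAN"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(7)) {
    Write-Warning "Certificate expires $($cert.NotAfter); set up the managed certificate on this server soon"
}

# Create an SNI https binding on 443 for this host if it does not exist yet.
# SslFlags 1 = SNI, needed because several sub-domains share the one WAN IP.
if (-not (Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
}

# Attach the imported certificate to that binding.
$binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName
$binding.AddSslCertificate($cert.Thumbprint, 'My')
```

After this the site serves the existing certificate on the new server, so you can switch DNS and then create the managed certificate in Certify The Web on the new host; the renewal it performs will replace the binding's certificate in place.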

We won’t be moving all the sites at once to the new server; does this add an additional complication by exporting and importing?

We have just the 1 cert covering all sites, with 1 site per week (as an example) moving to the new server.

Hi,

Yes, for an incremental migration I would suggest just manually setting up each managed certificate.

The Import/Export is really aimed at folks with 1000 certs, and even then they need to test the migration before they do it in production to prove it gives the results they expect. There are often issues that prevent a clean migration (IIS sites not being the same on the target, etc.).

OK, so at the point we change the DNS for a site, we just apply for a new cert on the new server; we don’t need to disable or remove the cert for that site on the old server?

No, you don’t need to disable or remove the old cert. You can optionally export the PFX (Export Certificate task) and manually import it to the new server, but as soon as you update DNS it should be fine.

Let’s Encrypt checks your authoritative DNS nameservers for records; they don’t use cached DNS settings.
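Since the CA queries the authoritative nameservers rather than any cache, the check worth running before requesting the cert on the new server is to ask each of the zone's nameservers directly and confirm they all return the new WAN IP. The PowerShell below is an added example, not code from the thread or from Certify The Web; the zone, host name and IP address are placeholders, and the final port-80 probe assumes HTTP validation is in use.

```powershell
$zone     = 'example.com'        # assumed zone
$hostName = 'www.example.com'    # assumed sub-domain being moved this week
$newIp    = '203.0.113.10'       # assumed WAN IP of the Windows Server 2025 host

function Test-AuthoritativeDns {
    param([string]$Zone, [string]$HostName, [string]$ExpectedIp)
    # Look up the zone's NS records, then query each nameserver directly with
    # -DnsOnly/-NoHostsFile so the local resolver cache and hosts file are bypassed.
    $nameServers = (Resolve-DnsName -Name $Zone -Type NS -DnsOnly -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'NS' }).NameHost
    $allGood = $true
    foreach ($ns in $nameServers) {
        $ips = (Resolve-DnsName -Name $HostName -Type A -Server $ns -DnsOnly -NoHostsFile `
                    -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }).IPAddress
        if ($ips -contains $ExpectedIp -and @($ips).Count -eq 1) {
            Write-Host "$ns : $HostName -> $ips (ok)"
        } else {
            # Either no answer, the old IP, or both old and new IPs still published.
            Write-Warning "$ns : $HostName -> $($ips -join ', ') (expected only $ExpectedIp)"
            $allGood = $false
        }
    }
    return $allGood
}

if (Test-AuthoritativeDns -Zone $zone -HostName $hostName -ExpectedIp $newIp) {
    # HTTP validation needs port 80 on the new IP reachable from the internet.
    $probe = Test-NetConnection -ComputerName $newIp -Port 80 -WarningAction SilentlyContinue
    if ($probe.TcpTestSucceeded) {
        Write-Host "Authoritative DNS and port 80 look right; request the certificate on the new server now."
    } else {
        Write-Warning "Port 80 on $newIp is not reachable; HTTP validation will fail until it is."
    }
} else {
    Write-Warning "At least one nameserver does not yet answer with $newIp; wait for the zone change to reach every NS before requesting."
}
```

Checking every nameserver individually matters because the CA can pick any of them; a zone transfer that has reached the primary but not a secondary is exactly the case where a request made right after the DNS change fails validation, even though your own workstation already resolves the new address.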