We use a wildcard certificate for all of our internal Dev, QA, Validation, and Production websites and APIs. For our network staff, it's a pain because they have a lot of servers to update when certificates expire. For us developers and for business staff, it's a pain because of expired certificate warnings if the network guys forget or are running late.
Imagine this happening on a three-month cycle instead of yearly.
All the servers in question already have Azure DevOps release agents on them. I'm wondering if we could simply run some kind of a release pipeline in Azure DevOps to update the certificate on each server.
Just to clarify, I'm not referring to site bindings that can be included with a website or API deployment. I'm referring to the installation of a new certificate itself onto a server.
It might be a cop-out, but if you can make it work in Powershell, you can almost certainly make it work in Azure DevOps Release pipelines. Here's a primer on what that Release powershell script could look like, assuming you can get the cert file onto the machine somehow:
https://lachlanbarclay.net/2022/01/updating-iis-certificates-with-powershell
The first way that comes to mind is to have your release pipeline "get" the cert somehow, assuming your servers have fileshare access to the place the cert is stored, or could make a request out to there somehow.
The second (and probably correct) way would be to incorporate Azure Key Vault, and add that as a powershell step (see How to install an Azure Key Vault certificate in an Azure DevOps pipeline?) for an example on that.
Finally, if neither of those worked, you could run some sort of batch powershell ahead of time using some of the methods in How to copy a file to over 50 remote computers to copy the file to all the remote servers.