SSL certificate renewal automation
Keep your UserLock SSO connection secure by automating the renewal of its SSL certificate using Let’s Encrypt and Certify The Web.
The SSL certificate is a mandatory component of the UserLock Single Sign-On (SSO) configuration. It secures communication between SaaS applications and the UserLock SSO service, ensuring the authenticity and confidentiality of user logins.
Administrators can use any valid SSL certificate, whether issued by a commercial Certificate Authority (CA) or a free provider such as Let’s Encrypt.
However, Let’s Encrypt certificates are valid for only 90 days, so they must be renewed regularly (and the renewed certificate re-bound to the SSO service) to avoid an SSO outage.
This guide explains how to automate the renewal and re-binding of the SSL certificate used by UserLock SSO, using the tool Certify The Web.
Manually renewing and binding SSL certificates can quickly become error-prone and time-consuming.
Automating this task ensures:
Continuous service availability — no risk of SSO outage due to an expired certificate.
Strong security — renewed certificates are always up to date and trusted by modern browsers.
Reduced administrative effort — once configured, the process is fully autonomous.
Install Certify The Web
Download and install Certify Certificate Manager from https://certifytheweb.com.
Request a Let’s Encrypt certificate
Follow the official documentation to request a certificate for your SSO hostname (for example sso.mydomain.com).
Select the proper deployment mode
At the Deployment step, choose Certificate Store Only.
This stores the certificate in the Windows certificate store (Local Machine, Personal store, the store that netsh refers to as MY) without touching any IIS binding, so the post-renewal task below can bind it to the UserLock SSO hostname and port.
Add a post-renewal task
At the Tasks step:
Add a new task → Run PowerShell Script
Name it (e.g. UserLock SSO Binding)
Set the trigger to Run On Success
Create the PowerShell script
Create a file named UserLockSSOBinding.ps1 in a folder that the Certify The Web background service can read, for example:
C:\ProgramData\ISDecisions\UserLock\SSO\CertifyTheWeb\
Because the service runs the script with administrative rights (netsh http add sslcert requires them), make sure the folder and the script are writable only by administrators; a script that a lower-privileged user can modify would run with those rights at the next renewal.
Copy and paste the following code into the file.
Update the $hostname and $port variables according to your SSO configuration, then save the file.
```powershell
Param($result)

# Use your UserLock SSO hostname and port as defined in the UserLock Console
$hostname = "sso.mydomain.com"
$port = 444

# Always useful to log. The log file is placed next to the script so that its
# location does not depend on the working directory of the Certify The Web service.
$logFile = Join-Path $PSScriptRoot "UserLockSSOBindingScript.log"
Start-Transcript -Path $logFile -Append
Write-Host "$(Get-Date) - Starting Post Certificate Generation Deployment Task"

# Check whether the generation was OK
Write-Host "$(Get-Date) - Certificate Generated: $($result.IsSuccess)"
if (!$result.IsSuccess) {
    Write-Host "$(Get-Date) - Certificate generation failed => Exiting"
    Stop-Transcript
    exit 1
}

# Get the certificate thumbprint
$cert = $($result.ManagedItem.CertificateThumbprintHash)
Write-Host "$(Get-Date) - Certificate Thumbprint: $($cert)"

# Create a random Guid that will be used with netsh command
$guid = [guid]::NewGuid().ToString("B")

# Remove previous binding (netsh reports an error, harmlessly, if none exists yet)
Write-Host "$(Get-Date) - Removing binding for $($hostname):$port"
netsh http delete sslcert hostnameport="$($hostname):$port"

# Create new binding
Write-Host "$(Get-Date) - Binding certificate $($cert) to $($hostname) with appId $($guid)"
netsh http add sslcert hostnameport="$($hostname):$($port)" certhash=$cert certstorename=MY appid="$($guid)"
if ($LASTEXITCODE -ne 0) {
    Write-Host "$(Get-Date) - netsh http add sslcert failed with exit code $LASTEXITCODE"
}

# Stop the logging
Stop-Transcript
```
Link the script in Certify The Web
In the Task Parameters tab, specify the full path of the PowerShell script in Program/Script, then click OK and Save.
Generate the first certificate and test
Save the configuration in Certify The Web, then generate the first certificate manually.
If issues occur, check the log file the script writes next to itself (UserLockSSOBindingScript.log) as well as the task output shown by Certify The Web.
Visit your UserLock SSO address in a browser (https://sso.mydomain.com:444) and verify that the new certificate is valid and issued by Let’s Encrypt.
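A browser check only tells you what is served right now. The following script is an added example, not part of the original guide or of UserLock, that checks the three layers a failed renewal can break: the http.sys binding, the certificate store, and the certificate actually presented on the wire. It reads the thumbprint bound by netsh, compares it with the newest certificate for the hostname in Cert:\LocalMachine\My, opens a TLS connection with SNI to see which certificate is served, and confirms issuer, chain validity and remaining lifetime. The hostname, port and the loopback address it connects to are assumptions matching the guide's example values; run it on the SSO server itself after the first manual issuance and after each renewal.

```powershell
# Added verification script (not part of the original guide). Hostname, port and
# ConnectTo are assumptions taken from the guide's example values.
Param(
    [string]$Hostname  = "sso.mydomain.com",
    [int]$Port         = 444,
    [string]$ConnectTo = "127.0.0.1",   # loopback so the check does not depend on public DNS
    [int]$WarnDays     = 20             # Let's Encrypt certs live 90 days; warn well before expiry
)

function Get-BoundThumbprint {
    # Ask http.sys which certificate hash is bound to hostname:port.
    param([string]$Hostname, [int]$Port)
    $out = netsh http show sslcert hostnameport="$($Hostname):$Port" 2>&1 | Out-String
    if ($out -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { return $Matches[1].ToUpper() }
    return $null
}

function Get-ServedCertificate {
    # Open a TLS connection with SNI = $Hostname and return the leaf certificate the
    # server presents. Validation is disabled in the callback on purpose: we want to
    # inspect whatever is served, and validate it explicitly afterwards.
    param([string]$Hostname, [string]$ConnectTo, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($ConnectTo, $Port)
    $ssl = $null
    try {
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Hostname)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

$failures = @()

# 1. Binding layer: what http.sys thinks is bound.
$bound = Get-BoundThumbprint -Hostname $Hostname -Port $Port
if (-not $bound) { $failures += "no http.sys SSL binding for $($Hostname):$Port" }

# 2. Store layer: the newest private-key-bearing certificate for the hostname in the
#    store Certify The Web writes to. DnsNameList is the SAN view that the PowerShell
#    certificate provider adds to each X509Certificate2.
$newest = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $Hostname } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $newest) {
    $failures += "no certificate for $Hostname with a private key in Cert:\LocalMachine\My"
} elseif ($bound -and $bound -ne $newest.Thumbprint) {
    $failures += "binding uses $bound but the newest certificate is $($newest.Thumbprint) (post-renewal task did not run?)"
}

# 3. Wire layer: what a client with SNI actually receives.
$served = $null
try   { $served = Get-ServedCertificate -Hostname $Hostname -ConnectTo $ConnectTo -Port $Port }
catch { $failures += "TLS handshake to $($ConnectTo):$Port failed: $($_.Exception.Message)" }

if ($served) {
    if ($bound -and $served.Thumbprint -ne $bound) {
        $failures += "served certificate $($served.Thumbprint) differs from the binding $bound"
    }
    if ($served.Issuer -notmatch "Let's Encrypt") {
        $failures += "issuer is '$($served.Issuer)', not Let's Encrypt"
    }
    $daysLeft = [int]($served.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $WarnDays) {
        $failures += "certificate expires in $daysLeft days ($($served.NotAfter))"
    }
    # Full chain validation with the machine's default policy: catches a staging
    # certificate or a missing intermediate that the handshake above ignored.
    if (-not $served.Verify()) { $failures += "chain validation failed for $($served.Subject)" }
}

if ($failures.Count -eq 0) {
    Write-Host "OK: $Hostname serves $($served.Thumbprint), issued by $($served.Issuer), valid until $($served.NotAfter)"
    exit 0
}
$failures | ForEach-Object { Write-Warning $_ }
exit 1
```

The script exits non-zero on any mismatch, so it can be scheduled daily and wired to whatever alerting you already use; a mismatch between the binding and the newest stored certificate is the typical symptom of the post-renewal task having been skipped, while a handshake that serves a different certificate than the binding usually points at a second binding (IP:port rather than hostname:port) taking precedence.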