I have a dedicated Jenkins installation on a Windows Server 2012 R2
server with a Common Name of VRTJENKINS01 in the Active Directory
domain acme.example and is reachable by the Fully Qualified Domain
Additionally Jenkins runs on port 8080 and already listens to 127.0.0.1
instead of 0.0.0.0 and the server has additional DNS names: jenkins and
I want to have an IIS installation which acts as a TLS/SSL terminating
In combination with our in-house Active Directory Certificate Services
(ADCS, Microsoft’s Certificate Authority software) this should make
certificate management a lot easier since Windows can be configured to
automatically renew certificates, and the IIS 8.5+ Certificate Rebind
feature can listen to renewal events (which contain the fingerprints of
both the old and new certificate) and update the relevant bind(s) to use
the fresh certificate.
This would ensure that after the initial manual request it would only be
necessary to manually change TLS/SSL related settings when the set of
Alternate Subject Names on the certificate IIS presents should change.
IIS will only have to act as 1) a reverse proxy for Jenkins 2) redirect
non-canonical URLs to the canonical URL: https://jenkins.acme.example/
I have installed the IIS (8.5) role using the Add Roles and Features
Wizard with the all the default and also the following non-default
HTTP Redirection (Under Common HTTP Features, to
redirect \http(s)://jenkins/, etc. to
WebSocket Protocol (Under Application Development, because I felt
Then I installed URL Rewrite and Application Request Routing.