We received an email saying our port 5986 (WinRM?) certificates are set to expire soon and we should take action to avoid interruption.
The way I configured WinRM for TFS communication last year was like this:
ConfigureWinRM.ps1 {FQDN} https
example: ConfigureWinRM.ps1 server.tst.com https
Do I just have to rerun this again to renew? Do I need to remove the old certificate thumbprint first?
Apparently, there was a bug 4 years ago where it appears that WinRM somehow does note that the certificate has been renewed, because it continues to accept WinRM connections over HTTPS with no issues, even after the certificate referenced under WSman\Listener has expired.
I don't want conflicts to occur, so I want to renew this safely, especially when we get the same notification for production.
Note: some useful commands used in that git bug report to compare replaced cert Thumbprint:
ls cert:\localmachine\my
ls wsman:\localhost\listener\listener_1305953032
Winrm enumerate winrm/config/listener
netsh http show sslcert ipport=0.0.0.0:5986
I just had to rerun the same steps again (skip step 1 if the script is still there from last time):
ConfigureWinRM.ps1 servername https
Looks like the bug is not present on PSVersion 5.1.14393.3471
I ran the commands above listed in the Note and the new Thumbprint was getting displayed for all 4 of them.
A restart wasn't required.
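
The manual thumbprint comparison from the Note, combined into one check, as an added example that is not part of the original question or answer. It assumes an elevated PowerShell session, English `netsh` output, and an HTTPS listener bound to 0.0.0.0:5986 as in the question; the variable and property names are this example's own.

```powershell
# Added example: confirm that the WinRM HTTPS listener, the HTTP.sys binding
# and the LocalMachine\My store all point at the same, unexpired certificate.
$port = 5986              # port from the question
$now  = Get-Date

# HTTP.sys binding (same data as `netsh http show sslcert`).
# Assumption: English netsh output with a "Certificate Hash" line.
$netsh = netsh http show sslcert "ipport=0.0.0.0:$port" | Out-String
$httpSysThumb = $null
if ($netsh -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
    $httpSysThumb = $Matches[1].ToUpper()
}

Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object {
        $listener = $_

        # Thumbprint the listener references; strip spaces and normalise case.
        $raw = (Get-Item "WSMan:\localhost\Listener\$($listener.Name)\CertificateThumbprint").Value
        $listenerThumb = ($raw -replace '[^0-9a-fA-F]', '').ToUpper()

        # Matching certificate in the machine store, if it still exists.
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $listenerThumb }

        $daysLeft = $null
        if ($cert) { $daysLeft = [int]($cert.NotAfter - $now).TotalDays }

        [pscustomobject]@{
            Listener           = $listener.Name
            ListenerThumbprint = $listenerThumb
            HttpSysThumbprint  = $httpSysThumb
            FoundInStore       = [bool]$cert
            NotAfter           = if ($cert) { $cert.NotAfter } else { $null }
            DaysLeft           = $daysLeft
            # True only when all three sources agree and the cert is still valid.
            Consistent         = [bool]$cert -and
                                 ($listenerThumb -eq $httpSysThumb) -and
                                 ($cert.NotAfter -gt $now)
        }
    } | Format-List
```

Running it before and after the renewal shows whether the new thumbprint has replaced the old one everywhere; `Consistent : False` with a low or negative `DaysLeft` points to the stale-listener case described in the bug report.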