[tokenizerrr]

> third party script with local admin rights

Why? Just have it drop the certs in some directory and then reload the services. Just give the account running the script permissions to only reload services.

I assume such is possible on Windows, but I don't know for sure because I only use Linux servers. It is trivial there, so I assume you can do it on Windows as well.

[Jaruzel]

It's not unfortunately - Certs are held in the Computer partition of the Windows Credential Store, which you need elevated rights to update. It sucks, but that's how it's designed. You also need to re-associate the renewed cert (once its in the credential store) with the IIS binding as well, and then you can stop/start the website instance. Again also needing elevated rights.