Best Way to Generate an Exportable Wild Card Cert


#1

My domain is: bobstaco.com (real domain name but used for training purposes only)

My web server is (include version): VMware ESXi v6.7

The operating system my web server runs on is (include version): ESXi 6.7

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, ESXi 6.7

Question: (Thanks for your help)
I teach IT at a community college and currently working with students to generate SSL certificates that they can assign to their Internet accessible VMware ESXi servers, for web based administration. We’ve come to the conclusion that ESXi servers are unable to easily request their own certificates from LE. “Plan-B” is to generate a wildcard cert for the domain *.bobstaco.com from another platform and export/import the certificates to each ESXi server (I.e. esxi01.bobstaco.com to esxi19.bobstaco.com)

Help Needed:
What is the best platform (Linux, Windows, etc) to use to generate a wildcard cert that I can easily export? And, are there any tutorials that I can reference or follow that would guide me?

I’ve researched this and done some testing using Win-Acme with IIS. Not sure this is the best way to go. Did not see the option for generating a wildcard cert. Is there a preferred or better platform?

Thank You for Your Help, I appreciate your time!
Randy Graves
North Idaho College


#2

Hi,

Wildcard certificate are issued by DNS-01 challenges w/ APIv2 only. Win-acme does not support apiv2 yet…

From what I know, I would say the Windows certify the web is the “easiest” way to generate a training purpose wildcard certificate. (May not be feasible to use in production because it have a limit on how many certificate you could manage / generate in free version, although the paid version is not that expensive)

In certify the web, you could use a UI instead of command line… and the certificate / key is stored in a pfx file. The only down side (in my opinion) for a training purpose certificate is you’ll need to spilt the pfx file into certificate and private key… (which could be archieve by running OpenSSL)

Beside the certify the web, almost all software I tried requires more command line operations, but the bright side is, they (at least in Linux) usually store certificate and key as pem file.

However, please note that all the acme softwares (which support the generation of wildcard certificate) would need to use DNS validation, and if your DNS provider does not have an API or the ACME-software does not intergrate your DNS provider yet, you still need to manually enter those txt records generated to your DNS provider.

Thank you


#3

Steven,

Thank You! This is very helpful information and I appreciate your time and prompt reply (Thank You).

Did a quick look at “Certify the Web” and will take a much closer look. Looks promising!

Another site I have been working with that serves as a front-end to LE is https://www.sslforfree.com/ . I generated a wildcard certificate with it and it also looks very promising.

Again Thanks! I’m excited to share this information with students.

Randy Graves


#4

For security’s sake, I would recommend that you use a new completely unused domain (a few extra dollars per year to maintain) or a clearly insignificant subdomain of a domain you do use (zero extra dollars per year).
*.common.zone.bobstaco.com
In short, don’t hand out wild card certs for a domain that you actually care about.

I would actually recommend against a shared cert altogether.
I think It may be worth the exercise to setup a web system to generate/maintain individual certs and only provide access to them from secure internal networks.
YMMV - minimum requirements:
Internet accessible system [for http certificate issuance validations only]
Web system capable of handling SNI [ IIS8+, Apache2.2.12+, NGINX 0.53+, others ]