Manual SAN Certificate Creation on Windows?


#1

I have been able to manually generate certificates and have them installed and working, but I had to generate one for the main domain (boxstorm.com) and one for (app.boxstorm.com) and then configure them as separate server blocks in the nginx.conf file, each server with its own certificate/key entries. What I’d really like is to create a SAN cert so that we can just use one certificate. Is that doable on Windows or with the client listed below? Or is there some step after the .cer and .pfx file creation that I can use to combine certificates together into a SAN certificate? Thanks!

My domain is: boxstorm.com

I ran this command: We used one of the Windows clients listed on letsencrypt’s site (https://github.com/oocx/acme.net) – just downloaded the acme.exe and used that to generate the certs.

The command line was: acme.exe -a boxstorm.com -m mailto:support@boxstorm.com -d boxstorm.com app.boxstorm.com -c manual-http-01 -i manual

It produced this output: The client generated two different “challenge” files, which I copied onto our webserver, in the correct “.well-known…” location. The challenge completed successfully and two .cer files and two .pfx files were generated. After the .pfx was generated I used openssl to extract the .pem and .key file; these were the files used in the nginx.conf to configure https.

My operating system is (include version): Windows server 2012, .NET framework v 4.6

My web server is (include version): nginx 1.4.7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

The client you’re using does not seem to support SAN certificates, but that’s not a Windows limitation - other clients provide this feature.

One option would be ACMESharp. It seems to tick all the boxes - there’s support for solving the HTTP-01 challenge manually, exporting the files to a format nginx understands and it supports SAN certificates.

Combining the certificates after the fact is not possible. The certificates are digitally signed, and changing them in any way would invalidate that signature.


#3

Hi Paul,

We haven’t tested the oocx client - the reason for this is that it’s available only as a pre-release package, which doesn’t inspire much confidence.

IMHO, the mature windows clients at that point are:

  1. Letsencrypt-win-simple
  2. ACMESharp PowerShell module

We’ve already published a video about the first client (you can check it out here), and you can use the client to request SAN certs as well. The client is easy to use, but when creating SAN certs, you need to use manual mode and installing the certificate is a bit tricky. Step 3 in the video will demonstrate this process.

Personally, I prefer the ACME POSH module when requesting and installing multiple domain (SAN) certificates; as a matter of fact, it is also based on the ACMESharp library written by Eugene Becker - the author of ACMESharp POSH. It allows you to fully automate the process, and we demonstrate this on Exchange 2016 (the screencast is in post production).

Bottom line is, if you need an easy way to install Let’s Encrypt single domain certs on Windows, use Letsencrypt-win-simple. If you need multiple domain certs, use the ACMESharp PowerShell module.

I hope you find this post helpful.

Regards,

Dean
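
The ACMESharp PowerShell flow the reply above recommends, written out here as an added example (not code from the thread, nor from the ACMESharp project itself) for the two names in the original question: the vault aliases (dns1, dns2, cert1) and the output directory are assumptions chosen for this example, and the manual HTTP-01 handler is used because that is what the poster already had working.

```powershell
# Added example: one SAN certificate for boxstorm.com + app.boxstorm.com
# with the ACMESharp PowerShell module and the manual HTTP-01 handler.
# Aliases (dns1, dns2, cert1) and $out are assumptions for this example.
Import-Module ACMESharp

# One-time setup: create the local vault and register the account contact
Initialize-ACMEVault
New-ACMERegistration -Contacts mailto:support@boxstorm.com -AcceptTos

# Declare one identifier per name that must appear in the certificate
New-ACMEIdentifier -Dns boxstorm.com     -Alias dns1
New-ACMEIdentifier -Dns app.boxstorm.com -Alias dns2

# Each name gets its own HTTP-01 challenge. The manual handler prints the
# file name under /.well-known/acme-challenge/ and the content to put in it.
foreach ($id in 'dns1', 'dns2') {
    Complete-ACMEChallenge $id -ChallengeType http-01 -Handler manual
}
# ...copy both printed challenge files onto the nginx webroot, then tell the
# CA to go and fetch them:
foreach ($id in 'dns1', 'dns2') {
    Submit-ACMEChallenge $id -ChallengeType http-01
}

# Refresh the authorizations; both must report "valid" before requesting
foreach ($id in 'dns1', 'dns2') {
    $status = (Update-ACMEIdentifier $id -ChallengeType http-01).Status
    if ($status -ne 'valid') { Write-Warning "$id is '$status', not yet validated" }
}

# Generate key + CSR with dns1 as the subject and dns2 as a SAN entry,
# then submit it and pull back the issued certificate
New-ACMECertificate dns1 -Generate -AlternativeIdentifierRefs dns2 -Alias cert1
Submit-ACMECertificate cert1
Update-ACMECertificate cert1

# Export PEM files for nginx. Leaf + issuer are concatenated into one chain
# file so a single server block can serve both hostnames.
$out = 'C:\nginx\conf\ssl'   # assumed output directory
Get-ACMECertificate cert1 -ExportKeyPEM         "$out\boxstorm.key"
Get-ACMECertificate cert1 -ExportCertificatePEM "$out\boxstorm.crt"
Get-ACMECertificate cert1 -ExportIssuerPEM      "$out\issuer.crt"
Get-Content "$out\boxstorm.crt", "$out\issuer.crt" | Set-Content "$out\fullchain.pem"

# nginx.conf then needs only one pair of entries:
#   ssl_certificate     C:/nginx/conf/ssl/fullchain.pem;
#   ssl_certificate_key C:/nginx/conf/ssl/boxstorm.key;
```

After a reload, `openssl s_client -connect boxstorm.com:443 -servername app.boxstorm.com` should show the same certificate for both names, with both listed under X509v3 Subject Alternative Name.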


#4

@pfg and @NetoMeter, thanks so much for the help and suggestions – ACMESharp worked like a charm!

