Ok well, we’re kinda stuck on IIS 7.5 for the time being, so I’m guessing that will restrict the options.
I am pushing on moving to Server 2012 or 2016, but that won’t be for some time.
My thoughts are that the preferable option for now would be one cert with all names - simply because it will be easier to maintain (I’m assuming). But I’m willing to be advised by the more knowledgeable.
That does avoid the need for SNI support and it is supported by Let’s Encrypt. The biggest problem is simply that it’s inconvenient if you have to make very frequent changes to the certificate, because you’ll potentially have to revalidate all of the covered domain names and you can more easily hit the Certificates Per Registered Domain limit in this situation.
A handful of people also don’t like the idea that the certificate directly shows which sites are served by the same infrastructure (although it’s not as though this information would otherwise be strictly secret, or as though many users routinely look at this information).
Let’s Encrypt will allow you to cover up to 100 names on a single SNI certificate.
Unfortunately we only have a single external IP address for the server.
In terms of whether it would be one cert per name, one cert with all names, several certs with several names on each, etc., I am open to being advised on the best solution for the situation we are in (providing the renewal of the certs can be automatic rather than a manual user process).
With only one external IP, you will not be able to use the IIS (7.5) server for SNI.
Regardless of how many certs you decide to get.
The only possible interim alternative would be to use a proxy between the Internet and your IIS server.
As it would be able to do SNI and terminate the inbound SSL connections and even obtain/maintain the certificates for all your sites.
I would recommend NGINX on Ubuntu - but there are many other choices/combinations.
Of course, once you have upgraded to Server 2012 (or higher) you could remove the inline proxy.
You should test it. I had used Win 2008, but only with one domain and one certificate. Win 2012 adds an "SNI support" checkbox. But I think that Win 2008 has an option to define more than one binding of a website with different hostnames.
So you should test if you can add a certificate per binding. This is not SNI, but perhaps IIS uses the binding information to find the correct website, binding and certificate.
Website www.mydomain.com with one certificate with two names and two bindings.
Website yourdomain.com with one wildcard certificate *.yourdomain.com (dns-01 challenge required).
You can also run NGINX (or Apache) on same Windows Server - as a proxy.
And forward all incoming connections to the proxy (which uses SNI) and have it connect to IIS via multiple internal sites, each on a unique internal IP.
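As an added illustration of the proxy layout suggested in this thread (this is example configuration, not something posted by anyone here), an nginx setup that terminates TLS by SNI and forwards each hostname to its own internal IIS binding. The hostnames, certificate paths, webroot and internal IPs are placeholders you would replace with your own.

```nginx
# Added example: nginx as an SNI-terminating reverse proxy in front of IIS 7.5.
# Hostnames, certificate paths, webroot and internal IPs below are assumptions.
# The single external IP is bound to nginx; IIS keeps one plain-HTTP binding
# per site on a separate internal IP, so IIS never needs SNI itself.

server {
    listen 80;
    server_name www.mydomain.com www.yourdomain.com;

    # Serve http-01 challenge files from disk so certificates can be renewed
    # automatically (e.g. a webroot-style ACME client writing into this path).
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # placeholder webroot
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name www.mydomain.com;
    ssl_protocols TLSv1.2;           # avoid older protocol versions on the edge
    ssl_certificate     /etc/ssl/example/www.mydomain.com/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/example/www.mydomain.com/privkey.pem;    # placeholder

    location / {
        proxy_pass http://10.0.0.11:80;          # internal IP of this site's IIS binding
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 443 ssl;
    server_name www.yourdomain.com;
    ssl_protocols TLSv1.2;
    ssl_certificate     /etc/ssl/example/www.yourdomain.com/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/example/www.yourdomain.com/privkey.pem;    # placeholder

    location / {
        proxy_pass http://10.0.0.12:80;          # a different internal IP for this site
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Because the IIS side only ever sees plain HTTP from the proxy, the X-Forwarded-For and X-Forwarded-Proto headers are what your IIS logs and application code must read to see the real client address and scheme.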