Multiple unknown domains with one ip and server


#1

Hi,
What is the best solution for me?
I have windows server, websites on iis 8
Multiple unknown domains are pointing to one website.
How can i create ssl certificate for each domain?
Is it better to create certificate for each domain or san certificate for all?


#2

If you don’t know what the domains are, I don’t think you can.

That’s really up to you. I’d lean toward a single SAN cert unless the domains were changing frequently.


#3

IIS has a feature called the Central SSL Store that lets you use different certificates even where multiple websites are only pointing to one “Web Site” in IIS:

win-acme (formely known as letsencrypt-win-simple) can set this up mostly automatically for you:

Multi-domain (SAN) Certificates

Our issuance policy allows for up to 100 names per certificate. Whether you use a separate certificate for every hostname, or group together many hostnames on a small number of certificates, is up to you.

Using separate certificates per hostname means fewer moving parts are required to logically add and remove domains as they are provisioned and retired. Separate certificates also minimize certificate size, which can speed up HTTPS handshakes on low-bandwidth networks.

On the other hand, using large certificates with many hostnames allows you to manage fewer certificates overall. If you need to support older clients like Windows XP that do not support TLS Server Name Indication (SNI), you’ll need a unique IP address for every certificate, so putting more names on each certificate reduces the number of IP addresses you’ll need.

For most deployments both choices offer the same security.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.