Hello there,
I’m issuing a certificate using ACMESharp on Windows Server 2012 with IIS 8.
Two questions:
1) I just renewed a certificate, and I had to create a brand new identifier because the old one’s authorization was expired. This was strange, because I just created this certificate 3 months ago. I authorized the old (and the new) certificate using the manual DNS-01 challenge, but I immediately deleted that TXT record after the certificate was installed. Do I have to keep that TXT record up? Would that be why the identifier was de-authorized so fast?
2) The certificate PFX file - is there any reason to keep it in the folder it was exported to after it’s been imported into IIS and the computer’s certificate store?
For 1), you will need to authorize every time you renew. Even if you leave the TXT record in your domain’s zone, a different challenge will be requested next time you renew.
For 2), I don’t see any compelling reason either way. That’s really a personal implementation decision as far as I can tell.
That’s not necessarily what I’m saying, but it depends. First, note that I’m not well-versed with the capabilities of ACMESharp, so some of this may not apply to that client.
The DNS challenge type is the most difficult to handle automatically, because it requires both a DNS provider who allows scripted updates via some API, and also a client that can integrate with that API. Usually DNS challenges are used as a fallback when other challenge types are not an option. Is there a reason you’re unable to use HTTP challenges? This is easier to handle automatically as it only requires placing a specific file in the .well-known/acme-challenge directory. Is that a possibility for you? I would be very surprised if ACMESharp didn’t support that.
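The two challenge types discussed in this thread (DNS-01 with a TXT record, HTTP-01 with a file under .well-known/acme-challenge) both derive their expected value from the per-order token and the account key's JWK thumbprint, which is why an old TXT record cannot satisfy a new challenge on renewal. The following is an added example written for this thread, not ACMESharp code or any part of the original posts; it follows RFC 8555 (sections 8.1, 8.3, 8.4) and RFC 7638, and the account key, token and domain are constructed placeholders (the "key" is a small integer, not a real RSA key).

```python
"""Added example: how ACME HTTP-01 and DNS-01 challenge responses are derived.

The account key below is a constructed placeholder (a small integer, not a real
RSA modulus) and the token is made up; only the encoding and hashing steps matter.
"""
import base64
import hashlib
import json

# Constructed sample inputs (not a real key, not a real ACME order).
ACCOUNT_N = 0xD3A5F1C2B7E94A6F8D2C1B3E5F7A9C0D  # placeholder modulus
ACCOUNT_E = 65537                                 # common RSA public exponent
TOKEN = "tok-constructed-Xy7Qp3vR2sL9mK1n"       # per-order token from the CA


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires (RFC 8555 section 8.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def int_to_b64url(value: int) -> str:
    """Minimal big-endian encoding of an RSA parameter (RFC 7518 section 6.3)."""
    length = max(1, (value.bit_length() + 7) // 8)
    return b64url(value.to_bytes(length, "big"))


def rsa_jwk_thumbprint(n: int, e: int) -> str:
    """RFC 7638 thumbprint: SHA-256 over the JWK containing only the required
    members, keys in lexicographic order, no whitespace."""
    jwk = {"e": int_to_b64url(e), "kty": "RSA", "n": int_to_b64url(n)}
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """Key authorization = token '.' thumbprint (RFC 8555 section 8.1)."""
    return f"{token}.{thumbprint}"


def http01_resource(domain: str, token: str, thumbprint: str) -> tuple:
    """URL and body the web server must serve for HTTP-01 (RFC 8555 section 8.3)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, thumbprint)


def dns01_value(token: str, thumbprint: str) -> str:
    """TXT value for DNS-01: base64url(SHA-256(key authorization)) (RFC 8555 section 8.4)."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return b64url(digest)


def dns01_record(domain: str, token: str, thumbprint: str) -> tuple:
    """Record name and value to publish for DNS-01."""
    return f"_acme-challenge.{domain}", dns01_value(token, thumbprint)


def validate_http01(body: str, token: str, thumbprint: str) -> bool:
    """CA-side check: the served body must equal the expected key authorization."""
    return body.strip() == key_authorization(token, thumbprint)


def validate_dns01(txt_value: str, token: str, thumbprint: str) -> bool:
    """CA-side check: the TXT value must equal the digest of the key authorization."""
    return txt_value == dns01_value(token, thumbprint)


def demo(domain: str = "example.com") -> dict:
    """Derive both challenge responses for the constructed inputs above."""
    tp = rsa_jwk_thumbprint(ACCOUNT_N, ACCOUNT_E)
    url, body = http01_resource(domain, TOKEN, tp)
    name, txt = dns01_record(domain, TOKEN, tp)
    return {"thumbprint": tp, "http01_url": url, "http01_body": body,
            "dns01_name": name, "dns01_txt": txt}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the token is chosen by the CA for each new order, the TXT value (and the HTTP-01 file) from a previous renewal cannot match the next one, so keeping the old record has no effect on future validations; with HTTP-01, the file only needs to exist for the duration of the validation.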