SSL for 1,000 domains


Sure, looking forward to seeing what your final solution is, so please keep us updated :+1:


If it’s too tricky to set up IIS with individual certificates, it would be quite easy to set up nginx as a reverse proxy and terminate the HTTPS connections there.



In my opinion, putting 100 domains in a cert is a really bad idea. Not only will the client see all of those domains in the cert, but the cert size will increase per domain. Lastly, you mentioned the domains will “come in and out every few weeks”; this sounds like a maintenance nightmare.

This seems like a very straightforward need. What’s the actual problem? Can IIS not handle multiple SSL certificates?

I recommend the suggestion from @brianlund. Maybe you could eventually ditch the Windows server altogether.


Although true, the increase is almost negligible by comparison to key size or key type.
I found that an average RSA/4096 public cert only increases by about 26 bytes per added domain, while an average ECDSA/384 public cert only increases by 4.5 bytes per added domain.
So, if you are really concerned about the public cert size, you may want to consider using ECDSA certs, as an ECDSA/384 cert with 100 domains will still be ~143 bytes smaller than an RSA/4096 cert for a single domain: ~3629 vs ~3772 bytes.


Thanks for the further replies. The software is all written on the .NET Framework, so the core hosting needs to be IIS, although it may be possible to have a layer in front.

@acicali IIS allows you to have multiple sites, but each site is only allowed 1 certificate (unless you use centralised certificates, where it reads from a directory via a naming convention). My current engine runs on a single site, so I’m a little stuck there.

As it runs on Azure, it is run a bit like a web farm, so I’m currently looking into attaching a shared drive to each of my virtual machines, adding the SSL certificates in there and having IIS run via centralised certificates.

I would then need to try and run a process which generates the new certificates and stores them in the shared folder. There are going to be a few hurdles to jump through, and if any of them causes a block I’ll need another solution, but it will be good if I can get it all working!
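
An added example, not part of the original post or any poster's code: a Python sketch of the bookkeeping such a process needs when domains come and go, comparing the hosted domain list with the `.pfx` files on the share. It assumes the centralised certificate naming convention of `<hostname>.pfx` with `_.` in place of a leading wildcard; the function names and sample data are hypothetical.

```python
import re
from pathlib import Path

# One DNS label. Hostnames come from tenants and become file names on the share,
# so they are validated before being turned into a path component.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOST_RE = re.compile(rf"(?:\*\.)?{LABEL}(?:\.{LABEL})+")


def ccs_filename(hostname: str) -> str:
    """Map a hostname to the file name centralised certificates look up:
    <hostname>.pfx, with wildcard *.example.com stored as _.example.com.pfx."""
    host = hostname.strip().lower().rstrip(".")
    if not HOST_RE.fullmatch(host):
        # Rejects path separators, "..", spaces and empty labels.
        raise ValueError(f"not a valid hostname: {hostname!r}")
    if host.startswith("*."):
        host = "_." + host[2:]
    return host + ".pfx"


def reconcile(active_domains, store_files):
    """Compare the domains currently hosted with the .pfx files on the share."""
    wanted = {ccs_filename(d) for d in active_domains}
    present = {f.lower() for f in store_files if f.lower().endswith(".pfx")}
    return {
        "missing": sorted(wanted - present),   # a certificate must be issued
        "orphaned": sorted(present - wanted),  # private keys to remove from the share
    }


def scan_store(store_dir):
    """List file names in the shared certificate folder (path supplied by caller)."""
    return [p.name for p in Path(store_dir).iterdir() if p.is_file()]


# Constructed sample data, not taken from the thread.
SAMPLE_ACTIVE = ["shop.example.org", "*.Example.com"]
SAMPLE_STORE = ["shop.example.org.pfx", "old-client.example.net.pfx", "notes.txt"]

if __name__ == "__main__":
    print(reconcile(SAMPLE_ACTIVE, SAMPLE_STORE))
```

The `orphaned` list matters as much as `missing`: every virtual machine that mounts the share can read those private keys, so files for domains that have left should be deleted rather than left to expire.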


I’m following!!!


You can install multiple certificates on a single IIS Web site as long as you’re using a fairly recent version of IIS that supports SNI. You simply have to provide multiple hostnames in the SSL binding (i.e. like host headers).

