Wildcard cert for 30+ domains on Windows-server, multicert


#1

Hi, I’m trying to find a solution for one of our services (create your own website-website).

Info:

  1. I need to be able to create wildcard certificates for 30+ domains.
  2. They need to be bundled up to one multi-cert.
  3. We are (unfortunatly) using Windows Server 2012, IIS 8.0.

Today I manually create them via PowerShell commands and only for two domains. I use the DNS-method now, used to use the HTTP-method (which seems easier to automate).

I want to automate this, preferably with the HTTP-method. The DNS-method would be tricky, mainly because the domains can have different providers.

Suggestions?


#2

Hi @EricJ

wildcard certificates require dns-01 - validation, so you can’t switch to http-01 - validation. You may use a (static) CNAME

_acme-challenge.domain-of-your-customer.com -> CNAME _acme-challenge.yourowndomain.com

if the dns-provider of yourowndomain supports an api, you can use that. So every customer has only create one static CNAME-entry, you can use a client with a plugin.

Really? One customer can see all your other customers? With Win2012, you can create one website with a lot of bindings, every binding has it’s own certificate.

My own service (Win2012, IIS.8.5), one website:

*.example.com + example.com - http and https bindings -> 
               one certificate without a host name, http redirects to https
www.ownmaindomain.com + ownmaindomain.com - https bindings -> 
               one certificate with a hostname
Some customer domains www + non-www, two bindings -> 
               every domain with it's own certificate

#3

Thank you for your reply!

I guess what we can do to start with is just allowing SSL on domains from our preset lists. The users pick a username and domain (username.domain.com). In our Premium bundle they can add their own domain.

We’ve had problems installing multiple certificates on seperate bindings, Google ended up indexing them on the wrong domains. Content from one site could with a link to another etc. People with more knowledge than me said it’s a limitation in IIS causing this.

Besides, it seems easier just allowing all domain and subdomains instead of having one binding per user (thousands of users) or per domain (especially if they can add their own domain).

But the customers can’t see each other no. But if we only allow SSL on our own domains they don’t have to.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.