Best way to use Certify with Central Certificate Store


#1

Hi there, thanks for all that you’re doing for us with this amazing tool!

I’m wondering how I could manage 100+ wildcard bound domain names to a single IIS site with Certify.

The only way I found right now is to export the generated certificate from IIS and reimport it in the CCS… not fairly easy.

I wondered if I could use IIS basic bindings parameters (force SNI + Use Certificate Store) to tell Certify to bind the certificate to the CCS, but no .pfx found here although it reports correct installation.

Am I going in the wrong direction? Should I use post request scripts or webhook triggers?

Thanks in advance,

Greg.


#2

Hi Greg,

The app doesn’t currently support central certificate store bindings directly, but yes, a Post Request PowerShell script would let you perform actions on the resulting PFX file (including importing it into the central store with the correct name etc). I assume you’re using the central store because other servers share the same certificate?

In this situation you would need to administer your bindings yourself rather than have Certify set them up for you, and once set up they would point to the central certs (which your script is updating after renewal).
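
One way to write the post-request step described in this reply, added here as an example and not taken from the thread or from Certify: it validates a renewed PFX and copies it into the CCS share under the file names IIS looks up (`<host>.pfx`, with `_` in place of the `*` of a wildcard name). `Publish-PfxToCcs`, `ConvertTo-CcsFileName`, their parameters and the sample paths are hypothetical; how Certify hands the PFX path to the script is not covered on this page.

```powershell
# Added example: publish a renewed PFX into an IIS Central Certificate Store share.
# Function names, parameters and the sample values below are hypothetical.
function ConvertTo-CcsFileName {
    param([Parameter(Mandatory)][string]$HostName)
    # CCS resolves certificates by file name: <host>.pfx, with "_" replacing
    # the "*" label of a wildcard name (*.example.com -> _.example.com.pfx).
    $name = $HostName.Trim().ToLowerInvariant()
    # Accept only DNS-style names so a host name can never become a path.
    if ($name -notmatch '^(\*\.)?([a-z0-9-]+\.)*[a-z0-9-]+$') {
        throw "Refusing unexpected host name: '$HostName'"
    }
    return ($name -replace '^\*', '_') + '.pfx'
}

function Publish-PfxToCcs {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string[]]$HostNames,
        [Parameter(Mandatory)][string]$CcsPath,
        [securestring]$PfxPassword = (New-Object securestring)
    )
    # Load the PFX first so a corrupt, keyless or expired file never reaches the share.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
    try {
        if (-not $cert.HasPrivateKey) { throw "PFX has no private key: $PfxPath" }
        if ($cert.NotAfter -le (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
    } finally { $cert.Dispose() }

    foreach ($h in $HostNames) {
        $target = Join-Path $CcsPath (ConvertTo-CcsFileName $h)
        $temp = "$target.tmp"
        # Copy under a temporary name, then rename, so no web server reads a half-written file.
        Copy-Item -LiteralPath $PfxPath -Destination $temp -Force
        Move-Item -LiteralPath $temp -Destination $target -Force
        Write-Output "Published $target"
    }
}

# Constructed sample call (paths and names are placeholders):
# Publish-PfxToCcs -PfxPath 'C:\certs\renewed.pfx' -HostNames '*.example.com','example.com' -CcsPath '\\fileserver\ccs'
```

Every PFX in a CCS share has to open with the single private-key password configured for the store, and the share should be writable only by the account that runs this script.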


#3

Hi, thanks for answering,

True, I have 3 servers, but I thought win server 2016 allowed wildcard binding on port 443 using SNI and a cert store (like I’m currently doing without certs…)

Do you (or could you) have plans to implement such functionality? Perhaps not the right place to discuss that point…

I’ll try different options and let you know on this thread.

Thanks, have a nice day,

Grégoire


#4

Hi, the trick with load-balanced/multi-server certificates is how validation will be performed.

If using DNS validation then any server can conduct the renewal; if using HTTP validation then all servers need to be able to answer the same HTTP challenge, so it depends what you need to do.

Deployment of the resulting certificate is likely best done with scripting. We are looking at how to synchronize deployment across multiple servers/services (without using a central store, i.e. if you needed to also deploy to non-Microsoft servers) but it’s likely some way away.


#5

A new issue has been raised to track development of CCS support: https://github.com/webprofusion/certify/issues/324