Copy cert to replicated servers


#1

When we previously did wildcard certs, we could export them and move them to another server because we do load balancing. How can this be accomplished with Certify the Web's setup? Are there directions, or do we need to set up new certificates for every machine?


#2

If you are using the automated DNS APIs as part of your wildcard request, it's possible to just install and configure the app on every server in the farm; however, the other options are:

  • Use a post-request script to copy the certificate PFX file. You can then install this as required, manually or using a script, to update the appropriate website bindings.
  • Use a post-request script to copy the certificate to a Centralised Certificate Store - this is slightly tricky because there are naming rules for the certificate which you must match in order for the server to find the correct certificate; you can create multiple copies of the certificate as required depending on the type of certificate you have created (https://blogs.msdn.microsoft.com/kaushal/2012/10/11/central-certificate-store-ccs-with-iis-8-windows-server-2012/).

Direct support for CCS is planned but will likely be some time next year.
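As an added illustration of both options above (this is example code, not part of the original reply or of Certify the Web itself), a post-request PowerShell script that copies the issued PFX into a Central Certificate Store share using the CCS file-naming rules, then pushes it to the other farm servers and rebinds their HTTPS sites. It assumes the app hands the script a `$result` object exposing `$result.IsSuccess` and `$result.ManagedItem.CertificatePath`; the share, server names, hostnames and PFX password are placeholders.

```powershell
# Added example post-request script; not the project's own code.
# Assumption: Certify the Web invokes the script with a $result object whose
# ManagedItem.CertificatePath is the newly issued PFX. Check the app docs for the exact shape.
param($result)

if (-not $result.IsSuccess) { return }   # nothing to distribute if the request failed

$pfxPath   = $result.ManagedItem.CertificatePath
$pfxPass   = 'PLACEHOLDER_PFX_PASSWORD'  # placeholder; use '' if the exported PFX has no password
$ccsShare  = '\\fileserver\CCS'          # hypothetical Central Certificate Store share
$farm      = @('web02', 'web03')         # hypothetical other servers in the load-balanced farm
$hostNames = @('*.example.com', 'example.com')  # names the certificate covers (constructed)

# 1) Central Certificate Store: IIS looks up <hostname>.pfx, and a wildcard name is
#    stored as _.domain.pfx, so a SAN/wildcard cert needs one copy per covered name.
foreach ($name in $hostNames) {
    $fileName = ($name -replace '^\*', '_') + '.pfx'
    Copy-Item -Path $pfxPath -Destination (Join-Path $ccsShare $fileName) -Force
}

# 2) Other servers: copy the PFX over, import it into LocalMachine\My and
#    point every matching HTTPS binding at the new thumbprint.
$leaf = Split-Path $pfxPath -Leaf
foreach ($server in $farm) {
    Copy-Item -Path $pfxPath -Destination "\\$server\C$\Certs\$leaf" -Force
    Invoke-Command -ComputerName $server -ScriptBlock {
        param($localPfx, $password, $names)
        $importArgs = @{ FilePath = $localPfx; CertStoreLocation = 'Cert:\LocalMachine\My' }
        if ($password) {
            $importArgs.Password = ConvertTo-SecureString -String $password -AsPlainText -Force
        }
        $cert = Import-PfxCertificate @importArgs
        Import-Module WebAdministration
        # A binding matches if its host header equals a covered name or fits a wildcard entry
        Get-WebBinding -Protocol https | Where-Object {
            $h = $_.bindingInformation.Split(':')[2]
            ($names | Where-Object { $h -like $_ }).Count -gt 0
        } | ForEach-Object { $_.AddSslCertificate($cert.Thumbprint, 'My') }
    } -ArgumentList "C:\Certs\$leaf", $pfxPass, $hostNames
}
```

Bindings with an empty host header are left untouched on purpose, since they cannot be matched to a specific certificate name.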


#3

When I do that would that mean it will create new TXT entries for every single site? I have 12 subdomains as a wildcard. I would have to install the app, and configure a NEW certificate right? So there is no sharing of anything.


#4

That’s correct, the servers doing their own renewals would not be sharing any config.
Worth trying it out with one site to see if it suits you as a way of working.

These would also count as renewals of the same certificate, which counts against your Let's Encrypt rate limits. Work to share config like account IDs etc. is likely to happen next year.


#5

Tried it on two servers and I believe this will work.