CSV Import 100 Domains on new IIS

Hey, is it possible to do this, choosing which challenge I want to use? I am looking to test this out tomorrow so I was just curious, is it possible to transfer everything using CSV import, so new domains and certs?

Basically, I am trying to transfer 100 domains and certs to different IIS

Hi, you can use the CSV import for HTTP challenges but not for DNS challenges as they are simply too complex.

To import a large batch of sites with DNS challenges you need to use the JSON template option: Command Line (CLI) | Certify The Web Docs. That mainly involves preparing a JSON template based on an existing managed certificate, which requires you to list the existing managed certs as JSON, then extract one for your template.

Note also that the unlicensed Community Edition does not support batch imports, because it has a limit of a few managed certificates per install, so this feature only works on a licensed version, which you may or may not have already.

Thank you a lot for that information, so hypothetically if I want to move 100 certs to new machines, what would you recommend in that case? The least painful thing to do, there are wild certs too. Thank you :slight_smile:
Also, if I move those certs and request a new cert with Certify, will the old one just revoke automatically, or is it only revoked when I do it manually?

Are these certs that are already managed by Certify Certificate Manager? If so there is the Import/Export option: Import & Export | Certify The Web Docs

If they are managed by something else, then are they all domains with the same DNS provider credentials?

You do not need to revoke certificates unless the private key is compromised (someone else knows it). The CA will let you create a new certificate on a different machine, it’s only if you create many duplicates that you will start to experience CA rate limits, and there is always the option of using different CAs.

In general whichever method you choose you will need to practise the migration as you will inevitably find various issues along the way moving sites from one server to another.

If they are all different websites we would normally suggest moving them in batches, e.g. 10 at a time and in that case even manually recreating the managed certificates would only take 20 minutes or so for each batch.

Let’s say that they were not managed by Certify but they are all domains with the same DNS provider, what would be solution then?
About revocation (I know I don’t need to), the question was more like, will it automatically revoke since I’m moving it?
Thank you for your answer, I am really grateful

That’s fine if they’re not managed by Certify (they might be win-acme or something else) but it will depend on who your DNS provider is as to how easily you can bulk import configuration; some providers use Zone IDs (one per DNS zone) and some don’t.

For those that do use a Zone ID (you’ll know by configuring a test cert in the app) you’ll need to find the Zone ID for each domain.

Regarding revocation: no, nothing is automatically revoked and you don’t need to do that, there is normally no benefit (the CA won’t give you extra certificate allowances just because you’ve revoked your previous cert etc).

One last question, is import/export free on Certify The Web? We are thinking of paying anyway but I’m curious if we can test export/import before.

@kux sorry it’s not enabled in the community edition. If you purchase a license key then decide (within a month or two) it’s not going to work for you just contact support {at} certifytheweb.com and we can refund.

Hey Christopher, back on this.
I will use http-01 challenge on all of the sites, I have around 100ish sites and certs.
The questions I have:
What do you think is the best way to get all of the certs generated and sites created?
I don’t want to have to open and close port 80 all the time. Is it even possible to get Let’s Encrypt certs without opening port 80? Or maybe opening it on one centralized site/URL rewrite and then redirecting all other sites to 443? I know it might not be your area of work and I will understand if you don’t have an answer for it.

I don’t have any wild certs to create. I am using only the http-01 challenge; for DNS, I have to talk to other clients when it comes to that, so maybe doing it in bulk?
Yeah, I am all over atm, so if you give me some directions would be great.

Digression, but I remembered it: how is it possible that sometimes I could generate a certificate even if I completely removed the site itself from, let’s say, the noip hostname and IIS? @webprofusion

You can generate a certificate for any domain if you have control of that domain’s DNS (use a DNS challenge instead of http).
If you want to use http challenges to validate your domain you have to be able to provide the http challenge response which is an http request to http://<yourdomain>/.well-known/acme-challenge. Most systems do this either by writing the challenge response file to the filesystem of the website, or by running their own http service to provide the response.

I don’t want to have to open and close port 80 all the time. Is it even possible to get let’s encrypt certs without opening port 80?

The only other viable alternative is DNS challenges. Regarding opening and closing TCP port 80, if you want to use HTTP domain validation you need TCP port 80 traffic to reach your server, so I would suggest just keeping port 80 open but not providing an HTTP binding (so in IIS, no http bindings on TCP port 80).

That way http requests will normally fail but the HTTP challenge response will be dynamically provided by the built-in http challenge response service in the app.

If you have a security policy that TCP port 80 is not allowed you can consider an application firewall which allows all /.well-known/acme-challenge http requests but blocks everything else. If you cannot have HTTP at all then you just can’t use HTTP domain validation and you must switch to DNS based domain validation.

Pre/post request firewall changes are prone to long term failure as windows firewall in particular can sometimes require a reboot to behave.
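As an added illustration of the two points above (the http://<yourdomain>/.well-known/acme-challenge path the HTTP-01 response is served from, and an application-firewall rule on port 80 that allows only those requests and blocks everything else), here is the allow-list logic such a rule would implement. This is example code, not Certify The Web's own code; the request lines are constructed samples and the token is the example token from the ACME spec.

```python
import re
from urllib.parse import urlsplit

# The HTTP-01 challenge URL is fixed and case-sensitive (RFC 8555 section 8.3).
ACME_PREFIX = "/.well-known/acme-challenge/"
# Tokens are unpadded base64url with at least 128 bits of entropy (22+ chars);
# the regex also rejects "..", "/", "%" and anything else that is not a token.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,128}$")


def is_allowed_port80_request(method: str, target: str) -> bool:
    """Allow only GET/HEAD requests for a well-formed ACME challenge token."""
    if method.upper() not in ("GET", "HEAD"):
        return False
    # urlsplit handles both origin-form ("/path?q") and absolute-form targets
    # and drops the query string, so "?x=1" cannot be used to sneak past.
    path = urlsplit(target).path
    if not path.startswith(ACME_PREFIX):
        return False
    token = path[len(ACME_PREFIX):]
    return bool(TOKEN_RE.match(token))


# Constructed sample request lines (not captured from a real server).
SAMPLE_REQUESTS = [
    "GET /.well-known/acme-challenge/LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0 HTTP/1.1",
    "GET /.well-known/acme-challenge/../../web.config HTTP/1.1",
    "POST /.well-known/acme-challenge/LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0 HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /.well-known/acme-challenge/ HTTP/1.1",
]


def filter_request_lines(lines):
    """Parse raw HTTP request lines and map each to an allow/block decision."""
    decisions = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            decisions[line] = False  # malformed request line: block
            continue
        method, target, _version = parts
        decisions[line] = is_allowed_port80_request(method, target)
    return decisions


if __name__ == "__main__":
    for req, allowed in filter_request_lines(SAMPLE_REQUESTS).items():
        print("ALLOW" if allowed else "BLOCK", req)
```

Only the first sample line passes; the traversal attempt, the POST, the ordinary site request and the empty token are all blocked before they reach anything behind port 80.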