Just for some background, I’m brand new to Let’s Encrypt/Certify the Web.
I need to create a cert that will point to the default website on an IIS server in our windows domain. The cert will only be used internally, the website will not be available over the internet. The cert also needs to have the hostname of the IIS server as a subject alternative name. I’m planning on creating the cert using the Cloudflare DNS API.
I’ll want to be able to have people internally go to service.domain.com and connect to the website, I assume this will be done with an internal DNS record.
I’ve looked at some guides but can’t find one that matches my situation. Does anyone know how I would create a cert that would do this? Do I just add our domain (xyz.com) as the primary domain and add the server hostname (servername.domain.local) as another domain on the certificate tab? Do I need to add the primary domain as a wildcard (*.xyz.com) so people can go to service.domain.com internally?
By way of an answer here I’ve copied my response from your support ticket below:
Getting your site to be available at a specific domain/subdomain name:
Your internal (or public) DNS will be used to tell other machines etc that service.domain.com points to the IP address of a specific server or VM.
For certificate validation using DNS to work, your domain.com hosted with cloudflare needs to be a real working public domain so it can be validated by a public Certificate Authority (Let’s Encrypt), but service.domain.com doesn’t have to exist yet and doesn’t have to point to a public IP or be a public service, because you are using DNS validation instead of HTTP validation…
In IIS you should have a hostname binding set under your site using Site > Bindings > edit your http binding and set the hostname to match the name you want to give it, like service.domain.com. Your site can have multiple bindings for multiple names if you want. These are used next to match up your site name with your certificate.
Then get and apply your certificate to the site using Certify Certificate Manager:
1. Click New Certificate and select your IIS site; the app will read the domains from the bindings and add them to be included on the certificate. You can add a wildcard, but you don’t need to. You only need to include the names you want to use when users use your service, so for instance you don’t need to add domain.com if your service is only used as service.domain.com.
2. On the Authorization tab, set the challenge type to dns-01, select Cloudflare and add/select the Cloudflare API credentials to use (Cloudflare DNS | Certify The Web Docs).
3. Then select the correct DNS zone from the dropdown list; this will query Cloudflare using your credentials.
4. Save your settings and click Test; this will create some test DNS TXT records using Cloudflare. If that works OK you can click Request Certificate to order a certificate. Once completed, the app will scan IIS for sites that match the names included on the cert and add/update the HTTPS bindings.
From there you can access your sites as https://service.domain.com and the certificate will also be automatically renewed when the cert reaches 75% of its lifetime (configurable under Settings).
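The IIS binding and verification steps from the answer above, as an added PowerShell example; this is not code from the original post or from the Certify The Web project. It assumes the site is "Default Web Site" and the public name is service.domain.com (both assumptions), and that it is run in an elevated PowerShell on the IIS server. One caveat the thread does not spell out: a public CA such as Let’s Encrypt will not issue a certificate for a name like servername.domain.local, because it is not a public DNS name; an internal hostname that must appear on the certificate has to be a subdomain of the public zone (for example servername.domain.com, resolved by an internal DNS record), so the example uses only public names.

```powershell
# Added example, not part of the original post or the Certify The Web project.
# Assumptions: IIS site 'Default Web Site'; the public zone domain.com is hosted
# at Cloudflare; names below are placeholders for your own.
Import-Module WebAdministration

$site  = 'Default Web Site'
# Only names under the public zone: a public CA cannot issue for *.domain.local.
$names = @('service.domain.com', 'servername.domain.com')

# 1. Hostname bindings on port 80. Certify reads these from the site to decide
#    which names go on the certificate, so each name needs its own binding.
foreach ($name in $names) {
    $existing = Get-WebBinding -Name $site -Protocol http |
        Where-Object { $_.bindingInformation -eq "*:80:$name" }
    if (-not $existing) {
        New-WebBinding -Name $site -Protocol http -Port 80 -IPAddress '*' -HostHeader $name
    }
}
Get-WebBinding -Name $site | Select-Object protocol, bindingInformation

# 2. Before clicking Request Certificate: dns-01 is validated by Let's Encrypt
#    against public DNS, so query a public resolver rather than the internal AD
#    DNS server, which may hold a split-horizon copy of the zone. The zone's NS
#    records should point at Cloudflare; service.domain.com itself does not
#    need a public A record for the challenge to succeed.
Resolve-DnsName -Name 'domain.com' -Type NS -Server 1.1.1.1

# 3. After issuance: confirm the certificate Certify bound on 443 covers every
#    name the users will type, and note its expiry (renewal is automatic, but
#    this is the check to run if a browser starts warning).
$https = Get-WebBinding -Name $site -Protocol https
if (-not $https) { Write-Warning "No https binding found on '$site' yet." }
foreach ($b in $https) {
    $cert    = Get-Item "Cert:\LocalMachine\My\$($b.certificateHash)"
    $sans    = $cert.DnsNameList | ForEach-Object { $_.Unicode }
    $missing = $names | Where-Object { $sans -notcontains $_ }
    '{0}  expires {1:yyyy-MM-dd}  SANs: {2}  missing: {3}' -f `
        $b.bindingInformation, $cert.NotAfter, ($sans -join ','), ($missing -join ',')
}
```

Step 3 uses the binding’s certificateHash to look up the certificate in the machine store; an empty "missing" list means every hostname binding is covered by a SAN on the installed certificate.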