New User Questions

I’m starting to investigate the possibility of migrating the SSL certificates for my company to Let’s Encrypt certs. I have a personal “pet project” for which I have a website set up that I’ve been using to test out the Certify application, and it seems to work great for creating and deploying a wildcard certificate for my IIS and FileZilla FTP servers on that box (I just added a couple of “On Success” tasks to export the certificate and private key files to a local directory then restart the FileZilla service).

Now I’m considering the implementation for my “day job” production environment but, of course, things are a bit more complicated there. I have a total of four certificates that will need to be managed, and they are only for subdomains (the “main” domain certificate is managed/handled by a 3rd-party hosting provider):

  • Client portal IIS website (client.example.com) - On SERVER1
  • WS_FTP FTPS/SFTP server (ftp.example.com) - On SERVER1
  • Remote Desktop Gateway (rd.example.com) - On SERVER2
  • SonicWall TZ400 firewall (fw.example.com) - standalone appliance

I see in the Certify application’s UI that it apparently has the capability to automatically deploy to a Remote Desktop Gateway as a Deployment Task, so that has me somewhat excited. I’m just a little disappointed that it seems I’m going to need to purchase the Professional license to actually keep the renewal and deployment of these four certs automated, since that service is running on a separate server from the IIS service. Also, unless I’ve overlooked something, the SonicWall and WS_FTP servers are still going to require a little manual intervention to actually deploy the certificates which, while I’m certain will still be easier than going through the entire process manually, leaves me with plenty of room for error with the frequency of the renewals.

I guess my “New User Questions” at this point are more in the line of asking for confirmation on my understanding of how to deploy the Certify application as I’ve outlined above:

  1. Is there any way around the “limitations” I mentioned above for the SonicWall firewall (TZ400 on SonicOS 6.5) and WS_FTP? That is, is anything currently in development to help automate deployment to either or both of these systems? I read the Scripting to SonicWall Firewall post here in the community which discusses the possibility of using the SonicOS API, but there hasn’t been much activity there since that option was brought up. A way to automate the WS_FTP deployment as well would just make my entire decade. 😜
  2. Do I understand the licensing correctly in that I will need to get the Professional license to manage just four certificates (or 2x the Starter license)? I mean, I love the product and I’m more than willing to pay for a license because I know that it’s absolutely worth the investment and the price definitely seems reasonable to me, the IT Department. I just also know that I may find it difficult to extract the ~$100USD price tag (actually about $67/year to keep an ongoing Professional license) from those who hold the purse strings when they could spend less by purchasing the individual paid certs.

I have some other questions more to do with recommendations and/or best-practice type of stuff, but I can ask those in a different thread. Thank you all for this truly fantastic product.

Hi,

Licensing
So the free community edition will currently manage up to 10 different certificates (I’d expect this will be reduced to 5 managed certificates at some point in the future). That said, we do expect businesses to pay to use Certify The Web once they have finished their evaluation. If you need to email us via the support helpdesk etc., that service is only for paying customers (or evaluations).

Licensing tiers are based on the number of servers (e.g. installs), not the number of certificates. Let me know if there is something on our website that has confusing wording. Theoretically one install can manage unlimited numbers of certificates.

You and I both cost money per hour to do our jobs, so your post above (if done on work time) would have cost roughly half the price of a license key (depending on what you get paid). We price at roughly half of what we think it would cost for an organisation to pay their team to sit down and have a single meeting about using our product. It costs at least the price of a Starter edition license key for me to write this reply :), as with anything there is a cost/benefit to consider, so if it’s clearly worth it to you but not to the person controlling purchasing then that’s a discussion for you to have with them. Purchasing is always a pain, and justification is a hassle, I don’t really have a solution there.

Regarding pricing, starter edition assumes a small organisation (1 install), professional assumes a slightly larger team (up to 3 installs), power pro (up to 25 installs) assumes you have a pretty large team and enterprise assumes it will cost more for you to evaluate, have meetings, raise the purchase approvals and process it than the actual money that changes hands (it should probably cost 10x more than it currently does).

There are great free command line tools such as certbot, win-acme and Posh-ACME which can be used to achieve the same result as our software (with scripting), they just lack things like an official support channel, the management UI and breadth of features. They are also mostly built/supported by hobbyists (or even have no support) rather than being commercial products, which may or may not be relevant to your organization. We also provide services like Certify DNS (cloud based DNS validation delegation) and the certifytheweb.com reporting dashboard.

Solutions
On the topic of how you can achieve this particular deployment, you have 3 deployment targets, all of which could in theory be managed from one install by using DNS validation to acquire the certificates and using your own scripts to deploy to some of the destinations.

Once you have acquired a certificate using Certify The Web it’s a PFX file, some services can consume that directly and others need the file to be converted or stored and settings/config updated accordingly. There are many thousands of possible services which can consume these certificates and they all have their own unique configuration updates required, which is why scripting is so useful. We only really provide pre-built scripts for a small handful of these services and the rest are left as an exercise for the user (Scripting | Certify The Web Docs).

For your website on SERVER1, the easiest thing to do is run Certify on that actual server and use the default http validation to automatically get the certificate and apply it to IIS.

For the FTP site you can still use http validation because the ftp site is on the same server (and Certify knows how to automatically serve https challenge response on port 80 for any of the domains you manage on that server, even if there is no corresponding IIS site) but you will need your own script which you would apply with a Deployment Task and you may also need a Stop/Start/Restart Service task to restart the service when the cert changes (this varies depending on the service).

For exactly how to automate the certificate change for WS_FTP you will have to ask the vendor, I’d guess it’s a registry or config file change, then a service restart.

For the Remote Desktop Gateway I would install another copy of Certify and manage that certificate there, however you could also acquire the certificate on SERVER1, then export certificate as PFX to a UNC share, then on your remote desktop gateway have a scheduled task to pickup the certificate file, import it into the certificate store and apply it to the RDP gateway. We have a basic RDP gateway Deployment Task, and the source for that script is here: certify-plugins/RDPGatewayServices.ps1 at master · webprofusion/certify-plugins · GitHub however it only attempts to address basic deployment, not server farms etc. So for other more advanced deployments you need to script it yourself.

For SonicWall Firewall, I’d suggest asking the vendor how to script certificate updates for their product if you have a PFX file (which Certify can provide). We don’t have access to that product to develop any kind of specific solution for it ourselves.

Note that several of our Deployment Tasks support remote connections via SSH/SFTP, so it’s possible to export certificates to a unix/linux host that way and it’s also possible to remotely script using the Script task (to copy files, update configs and restart services).

If WS_FTP doesn’t support a scripted update there are potential workarounds (e.g. web form post via scripting) but otherwise you’d need to make updating that certificate a regular manual maintenance task. You could consider using BuyPass Go as the Certificate Authority instead of Let’s Encrypt, because the BuyPass certificates have a 180 day expiry, so require less frequent changes. Certify supports a number of different Certificate Authorities (Certificate Authorities | Certify The Web Docs).

1 Like
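The reply above sketches the second option for the Remote Desktop Gateway: acquire the certificate on SERVER1, export the PFX to a UNC share, and have a scheduled task on SERVER2 import it into the machine store and apply it to the gateway. The following is an added example of that SERVER2 scheduled-task script; it is not Certify The Web’s own code (the vendor’s RDPGatewayServices.ps1 linked above is a separate, Deployment-Task-side script) and not something from the thread. The share path `\\SERVER1\CertDrop$`, the file name `rd.example.com.pfx`, the password file location and the `RemoveOld` switch are all assumptions made for the example; the `RDS:` drive, `Get-PfxData`, `Import-PfxCertificate` and the `TSGateway` service are standard Windows components on an RD Gateway server.

```powershell
<#
  Added example (not Certify The Web's code or the thread author's).
  Runs as a scheduled task on SERVER2, the RD Gateway, under a dedicated
  service account that has read access to the drop share.

  Assumptions (not from the thread):
    - A Certify "Export Certificate" task on SERVER1 writes the PFX to
      \\SERVER1\CertDrop$\rd.example.com.pfx, protected with a password.
    - That password was saved ONCE by this task's own account with
        Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content $PwdFile
      so it is DPAPI-protected and only readable by that account on this host.
#>
[CmdletBinding()]
param(
    [string]$PfxPath   = '\\SERVER1\CertDrop$\rd.example.com.pfx',
    [string]$PwdFile   = 'C:\ProgramData\RdgCertDrop\pfx.pwd',
    [string]$Hostname  = 'rd.example.com',
    [switch]$RemoveOld          # only safe if nothing else on SERVER2 uses the old cert
)

Import-Module RemoteDesktopServices -ErrorAction Stop   # provides the RDS: drive
$thumbItem = 'RDS:\GatewayServer\SSLCertificate\Thumbprint'

# DPAPI-protected string -> SecureString; fails for any other account, by design.
$pfxPassword = Get-Content -LiteralPath $PwdFile -Raw | ConvertTo-SecureString

# Inspect the PFX before touching the certificate store.
$pfx = Get-PfxData -FilePath $PfxPath -Password $pfxPassword
if ($pfx.EndEntityCertificates.Count -ne 1) {
    throw "Expected exactly one end-entity certificate in $PfxPath, found $($pfx.EndEntityCertificates.Count)"
}
$cert = $pfx.EndEntityCertificates[0]

# Accept the exact host name or a wildcard for its parent domain (the OP's
# pet project used a wildcard; the production certs are per-subdomain).
$wildcard = '*' + $Hostname.Substring($Hostname.IndexOf('.'))
$names    = @($cert.DnsNameList.Unicode)
if (($names -notcontains $Hostname) -and ($names -notcontains $wildcard)) {
    throw "Certificate in $PfxPath is for [$($names -join ', ')], not $Hostname"
}
if ($cert.NotAfter -le (Get-Date)) {
    throw "Certificate in $PfxPath expired on $($cert.NotAfter)"
}

# Idempotent: renewals run often; if the gateway already uses this cert, stop.
$current = (Get-Item -Path $thumbItem).CurrentValue
if ($current -and ($current -ieq $cert.Thumbprint)) {
    Write-Verbose "Gateway already bound to $($cert.Thumbprint); nothing to do."
    return
}

# Import into LocalMachine\My (where RD Gateway looks). Import-PfxCertificate
# marks the key non-exportable unless -Exportable is given, which is what we want.
$imported = Import-PfxCertificate -FilePath $PfxPath `
                                  -CertStoreLocation 'Cert:\LocalMachine\My' `
                                  -Password $pfxPassword
if (-not $imported.HasPrivateKey) {
    throw "Imported certificate $($imported.Thumbprint) has no private key"
}

# Re-point the gateway and restart the service so listeners pick up the new cert.
Set-Item -Path $thumbItem -Value $imported.Thumbprint
Restart-Service -Name TSGateway

# Verify the binding really changed before considering the old cert for removal.
$bound = (Get-Item -Path $thumbItem).CurrentValue
if ($bound -ine $imported.Thumbprint) {
    throw "Gateway still reports thumbprint $bound after update"
}
Write-Verbose "RD Gateway now bound to $bound (expires $($imported.NotAfter))"

if ($RemoveOld -and $current) {
    Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.Thumbprint -ieq $current } |
        Remove-Item
}
```

Register it with a daily trigger under the service account (`schtasks` or `Register-ScheduledTask`), and lock the share down so only SERVER1’s export task can write and only that account can read: the PFX contains the private key, so the share, the password file and the task account are now part of the gateway’s trust boundary. The thumbprint check makes repeated runs harmless, so running it more often than Certify renews costs nothing.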

@webprofusion - Thank you so much for providing such a thorough and detailed clarification and confirmation of my own understanding. I fully understand and appreciate the value placed on your product. After just a little bit of “playing around” with the application for my personal project, I find it very intuitive and easy to understand and use. I know that doesn’t come without significant effort in the development process, and I believe the pricing definitely seems very reasonable - even a tremendous bargain - for the quality of the product you are providing. I certainly didn’t mean, in any way, to imply that I think the licensing tiers are “over-priced”. Please forgive me if my OP came across that way.

I’ve been looking at some of the less feature-rich options you mentioned but, as you said, they lack many of the benefits of your product, such as the number and variety of built-in deployment options, the support options, the automation. Since Certify is a commercial product, I understand that a lot more goes into ensuring it fits the needs of a commercial user. In my opinion, it is by far the best product I’ve seen available. I’m definitely going to push to get at least a Starter license if, for no other reason, than to support the ongoing development of this product.

Honestly, one of the reasons that I wanted to pose these questions here was because I had thought about the possibility of a single installation with some scripting to deploy the appropriate certs to their respective servers/devices, but I wasn’t 100% sure if that wasn’t just me looking for a “loophole” in the licensing agreement, or if that was an acceptable implementation. I’ve even started working a bit on putting together something to communicate with our firewall’s API to deploy that cert automatically so I figure, if I can get that one working, I could include the RDS and WS_FTP deployments as well.

Again, though, I want to truly thank you for taking the time to supply this answer.

No problem. I’m absolutely sure that with the right scripting you would be able to deploy all your required certificates from a single instance.

We are working on a longer term “Certify Server” product (Windows and Linux) which is specifically designed as a centralised certificate renewal and deployment system, aimed more at larger organisations who want to keep things like DNS credentials centralised but allow apps/services to pull their latest certificates (or to have certificates pushed to them), particularly on non-windows platforms. This is probably more than you really need for your own deployments and you should be able to achieve much of what you need with creative use of a single install on a windows server.

1 Like

Regarding the SonicWall firewall, I should add that there is an option to use a custom CSR (one generated by the appliance); this is sometimes necessary if there is no way for you to provide a private key file (just a public certificate file). This option is under Certificate > Advanced > Signing & Security.

1 Like