I’m starting to investigate the possibility of migrating the SSL certificates for my company to Let’s Encrypt certs. I have a personal “pet project” for which I have a website set up that I’ve been using to test out the Certify application, and it seems to work great for creating and deploying a wildcard certificate for my IIS and FileZilla FTP servers on that box (I just added a couple of “On Success” tasks to export the certificate and private key files to a local directory then restart the FileZilla service).
Now I’m considering the implementation for my “day job” production environment but, of course, things are a bit more complicated there. I have a total of four certificates that will need to be managed, and they are only for subdomains (the “main” domain certificate is managed/handled by a 3rd-party hosting provider):
- Client portal IIS website (client.example.com) - On SERVER1
- WS_FTP FTPS/SFTP server (ftp.example.com) - On SERVER1
- Remote Desktop Gateway (rd.example.com) - On SERVER2
- SonicWall TZ400 firewall (fw.example.com) - standalone appliance
I see in the Certify application’s UI that it apparently has the capability to automatically deploy to a Remote Desktop Gateway as a Deployment Task, so that has me somewhat excited. I’m just a little disappointed that it seems I’m going to need to purchase the Professional license to actually keep the renewal and deployment of these four certs automated, since that service is running on a separate server from the IIS service. Also, unless I’ve overlooked something, the SonicWall and WS_FTP servers are still going to require a little manual intervention to actually deploy the certificates which, while I’m certain it will still be easier than going through the entire process manually, leaves me with plenty of room for error given the frequency of the renewals.
I guess my “New User Questions” at this point are more in the line of asking for confirmation on my understanding of how to deploy the Certify application as I’ve outlined above:
- Is there any way around the “limitations” I mentioned above for the SonicWall firewall (TZ400 on SonicOS 6.5) and WS_FTP? That is, is anything currently in development to help automate deployment to either or both of these systems? I read the Scripting to SonicWall Firewall post here in the community which discusses the possibility of using the SonicOS API, but there hasn’t been much activity there since that option was brought up. A way to automate the WS_FTP deployment as well would just make my entire decade.
- Do I understand the licensing correctly in that I will need to get the Professional license to manage just four certificates (or 2x the Starter license)? I mean, I love the product and I’m more than willing to pay for a license because I know that it’s absolutely worth the investment and the price definitely seems reasonable to me, the IT Department. I just also know that I may find it difficult to extract the ~$100USD price tag (actually about $67/year to keep an ongoing Professional license) from those who hold the purse strings when they could spend less by purchasing the individual paid certs.
I have some other questions more to do with recommendations and/or best-practice type of stuff, but I can ask those in a different thread. Thank you all for this truly fantastic product.
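The “On Success” export-and-restart step described in the first paragraph, written out as an added PowerShell script (not Certify’s own code; Certify has its own task mechanism). The thumbprint parameter, export path, service name and the way the PFX password is supplied are assumptions, and the private-key file is locked down before it is written so it never sits on disk readable by every local user:

```powershell
<#
  Added example, not part of the original post or of Certify.
  Assumptions: the renewed certificate is already in LocalMachine\My,
  the caller passes its thumbprint, and the path/service name are placeholders.
#>
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$ExportDir   = 'C:\certs\deploy',      # placeholder path
    [string]$ServiceName = 'FileZilla Server',     # placeholder service name
    [Parameter(Mandatory)][string]$PfxPassword     # supply from a secret store, not a script literal
)

$ErrorActionPreference = 'Stop'

# 1. Locate the renewed certificate by thumbprint in the machine store.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# 2. Create the export directory and restrict it to SYSTEM and Administrators
#    BEFORE any key material is written, so the private key is never world-readable.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$acl = Get-Acl -Path $ExportDir
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting permissive parent ACEs
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ExportDir -AclObject $acl

# 3. Export certificate + private key as a password-protected PFX,
#    and the public certificate alone as a separate DER file.
$secure  = ConvertTo-SecureString -String $PfxPassword -AsPlainText -Force
$pfxPath = Join-Path $ExportDir 'site.pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $secure | Out-Null
Export-Certificate    -Cert $cert -FilePath (Join-Path $ExportDir 'site.cer') | Out-Null

# 4. Restart the service so it picks up the new files, then confirm it came back.
Restart-Service -Name $ServiceName
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Running') { throw "$ServiceName did not come back up after restart" }
Write-Output "Deployed $($cert.Subject) (expires $($cert.NotAfter)) to $ExportDir"
```

Because the script throws on any failure (missing key, ACL error, service not running), a renewal that only half-deploys shows up as a failed task instead of a silently stale certificate.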