Script to add a domain to an existing certificate and renew

We have multiple domains, all pointing to the same website instance in IIS running on our dedicated Windows web server, using a multi-domain SSL certificate. When we add a new domain (via a web page) we wanted to automate the process via a script.

I am looking for a script that allows me to add a new domain to my existing multi-domain SSL Certificate, and then renew the certificate to include the newly added domain.

Is a script the best option (as we already have our certificates in CertifyTheWeb), or am I better off using one of the ACME Client Implementations of LetsEncrypt?

Assumptions: the domain is already pointing to our IIS 10 / Windows 2016 server and to the existing web instance, which uses an existing multi-domain SSL certificate.

Hi, so you can currently do something like this using the CSV import (just import one item), then run certify renew to kick off the certificate order/binding process. However, this won’t update your existing single certificate and will instead create another managed certificate just for the new domain(s), so if you don’t mind your website having multiple https bindings that will work OK.

If you need to have only one https binding to a single cert that contains all your domains, then you’d currently need to manipulate the settings in C:\ProgramData\Certify\manageditems.db (SQLite database, you can use to examine this database) to add the domains you need to the existing managed certificate and update the expiry date to force your next renewal; then you’d need to use the CLI to perform a renewal with certify renew.

In the upcoming v5 version we are adding a client API which is accessible from .NET or PowerShell. This will allow you to add new managed certificates, and we may be able to include the ability to add domains to an existing managed cert.

Note that a certificate from Let’s Encrypt has a maximum of 100 subject alternative names (other domains) per certificate. Other ACME services (such as BuyPass GO, which we are adding support for) only allow one domain per certificate. So for scalability you probably want to consider having an https binding per domain (or domain + www. combination).
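As an added example (not part of this thread and not code from the Certify The Web project), here is a PowerShell pre-flight script for the workflow the answer above describes: before a domain is added to the existing managed certificate and certify renew is run, it checks that the new domain already resolves to this server (the assumption in the question), reads the certificate currently bound to the site's https binding and checks its SAN count against the 100-name limit mentioned above, and takes a backup of manageditems.db before that file is edited. The site name, expected public IP and path to the certify executable are placeholders you must replace; the WebAdministration and DnsClient modules are assumed to be available on Windows Server 2016 / IIS 10.

```powershell
<#
  Added example, not from the thread or the Certify The Web project.
  Pre-flight checks before adding a domain to an existing managed certificate
  and triggering "certify renew". $SiteName, $ExpectedIP and $CertifyExe are
  placeholders (assumptions), not values taken from the thread.
#>
param(
    [Parameter(Mandatory)] [string] $NewDomain,
    [string] $SiteName   = 'Default Web Site',   # placeholder: your IIS site name
    [string] $ExpectedIP = '203.0.113.10',       # placeholder: this server's public IP (documentation range)
    [string] $CertifyExe = 'C:\path\to\certify.exe',  # placeholder: path to the Certify CLI
    [int]    $MaxSans    = 100                   # Let's Encrypt per-certificate SAN limit (from the thread)
)

Import-Module WebAdministration

# 1. The new domain must already resolve to this server, otherwise the ACME
#    validation for the renewal will fail. Keep only A records (CNAMEs are skipped).
$aRecords = Resolve-DnsName -Name $NewDomain -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' }
if (-not $aRecords -or ($aRecords.IPAddress -notcontains $ExpectedIP)) {
    throw "$NewDomain does not resolve to $ExpectedIP (got: $($aRecords.IPAddress -join ', '))"
}

# 2. Locate the certificate bound to the site's https binding and count its SANs.
$binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if (-not $binding) { throw "No https binding found on site '$SiteName'" }

$cert = Get-ChildItem "Cert:\LocalMachine\$($binding.certificateStoreName)" |
        Where-Object { $_.Thumbprint -eq $binding.certificateHash }
if (-not $cert) { throw "Bound certificate $($binding.certificateHash) was not found in the store" }

$sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
Write-Host "Current certificate has $($sans.Count) SAN(s); expires $($cert.NotAfter)"

if ($sans -contains $NewDomain) {
    Write-Host "$NewDomain is already on the bound certificate; nothing to do"
    return
}
if ($sans.Count + 1 -gt $MaxSans) {
    throw "Adding $NewDomain would exceed $MaxSans SANs; use a separate managed certificate and https binding instead"
}

# 3. Back up the managed-items database before it is edited by hand, as the
#    answer above suggests doing for a single combined certificate.
$db = 'C:\ProgramData\Certify\manageditems.db'
if (Test-Path $db) {
    $backup = "$db.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $db -Destination $backup
    Write-Host "Backed up $db to $backup"
}

# 4. Once the domain has been added to the managed certificate (CSV import or a
#    manageditems.db edit, both described above), kick off the renewal.
& $CertifyExe renew
if ($LASTEXITCODE -ne 0) { throw "certify renew exited with code $LASTEXITCODE" }
```

Run it as an administrator on the web server, for example `.\Add-DomainPreflight.ps1 -NewDomain newsite.example`. The script deliberately stops before touching the Certify configuration itself: the DNS and SAN checks are the part that is safe to automate blindly, while the CSV import or database edit remains a step you perform using the tooling the answer names.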

Hi, thanks, that worked a treat! Looking forward to the V5 .NET API inclusion.
Cheers, Rod