I am a first-time user. I managed to install a certificate to my IIS server using Let's Encrypt as CA. I have IIS servers running on multiple hosts (srv1, srv2, etc.) and I would like to use one centralized server to install and manage the certificates. That is, I should be able to validate, install and bind a certificate for a remote server. Is it something doable? Or do I have to install the software at each server?
Typically the app is installed on each server that needs certificates, but it depends on your requirements. We do also offer a basic dashboard so that renewals are reported into a central location on your certifytheweb.com profile.
When requesting/renewing certs from Let’s Encrypt and other automated CAs there is a requirement to automatically verify your control of the domains you want to include on the certificate. This can be either HTTP validation (your server serves a specific text response at a specific URL) or DNS validation (your domain DNS has a specific TXT record with the correct value).
The default method of validation is HTTP, and if each of your servers hosts different domains then you install the app on each server and create a managed certificate for each IIS site.
If your servers are load balancing requests for the same set of domains across multiple servers then I recommend DNS validation instead. This method automatically sets a TXT record to validate each domain, every time a cert needs to be requested/renewed.
You can also use DNS validation to centralise certificate requests, as one server could request and validate the certs, then use the CCS Deployment Task to export the certificates to a share that the other servers can use as a CCS store. With CCS the binding maintenance is automated by the operating system, which just looks to a share for the certificate files with matching file names for each domain/subdomain.
We intend to have a server product optimised for centralised cert management later this year but deployment will still rely on a per-server component (or deployment tasks) to manage bindings etc.
I have a similar setup; multiple IIS installs. I am using centralized certificates, which means I have the certificates stored at a network location. I only need to create one certificate and place it in the correct place for this to work (the certificate just needs to be named as per the site). You can read more about that elsewhere.
Within Certify this means I just need to do this:
- Add new managed certificate
- Under ‘Certificate’ > Advanced > Signing & Security, set the password
- Under tasks add ‘Deploy to CCS’
After that, assuming everything is set up OK, all the servers will look to that folder for the latest certificates.
Hope that helps.
EDIT: One more thing! I also needed to turn off the internal HTTP challenge server; this is because Let’s Encrypt might come into the shared IP and hit a different web server than where Certify is installed.
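As an added example (not code from this thread or from the Certify project), here is the IIS side of the CCS setup described above in PowerShell: it points one server's Central Certificate Store at the share and then checks that every HTTPS binding has a matching PFX file there. The share path, the service account, the password prompts and the `Get-CcsCandidateFiles` helper are assumptions; the naming rule it checks (`host.pfx`, with `_.domain.pfx` for wildcards) is the one IIS CCS uses.

```powershell
# Added example, not from this thread or the Certify project. Placeholders:
# the share path, the service account and the password prompts are assumptions.
# Assumes IIS 8+ with the Centralized SSL Certificate Support feature installed
# and that the Certify 'Deploy to CCS' task already exports PFX files to the share.
Import-Module WebAdministration

$CcsPath = '\\fileserver\certs'     # placeholder UNC path of the CCS share
$CcsUser = 'CORP\svc-iis-ccs'       # placeholder account with read access to the share
$CcsPassword = Read-Host 'Password for the CCS share account'
$PfxPassword = Read-Host 'PFX password set in Certify under Signing & Security'

# Point this server's CCS provider at the share (one-off per server).
Enable-WebCentralCertProvider -CertStoreLocation $CcsPath -UserName $CcsUser `
    -Password $CcsPassword -PrivateKeyPassword $PfxPassword

# CCS matches a binding host header to a file name: www.example.com.pfx,
# falling back to the wildcard form _.example.com.pfx for *.example.com.
function Get-CcsCandidateFiles([string]$HostHeader) {
    $exact = ($HostHeader -replace '^\*', '_') + '.pfx'   # "*.x.com" -> "_.x.com.pfx"
    $parent = ($HostHeader -split '\.', 2)[-1]            # "www.x.com" -> "x.com"
    $wild = "_.$parent.pfx"
    return @($exact, $wild) | Select-Object -Unique
}

# Report every HTTPS binding: does it use CCS (sslFlags bit 2) and is its file present?
# A binding created with New-WebBinding ... -SslFlags 3 uses SNI + CCS.
foreach ($site in Get-Website) {
    foreach ($b in (Get-WebBinding -Name $site.Name -Protocol https)) {
        $hostHeader = ($b.bindingInformation -split ':')[-1]   # "IP:port:host"
        if (-not $hostHeader) {
            Write-Warning "$($site.Name): HTTPS binding without a host header cannot use CCS"
            continue
        }
        $usesCcs = ([int]$b.sslFlags -band 2) -ne 0
        $found = Get-CcsCandidateFiles $hostHeader |
            ForEach-Object { Join-Path $CcsPath $_ } |
            Where-Object { Test-Path $_ } |
            Select-Object -First 1
        $status = if ($found) { "file=$found" } else { 'MISSING in CCS share' }
        '{0,-12} {1,-35} ccs={2} {3}' -f $site.Name, $hostHeader, $usesCcs, $status
    }
}
```

A binding reported as `ccs=False` still uses the certificate hash stored locally on that server, so the share will not keep it renewed until it is rebound with the CCS flag.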