Wildcard certificate, Deploy on 4 or more hosting servers

We are novice users of this software and would like to know if it is possible to deploy two wildcard certificates created on my local machine to 4 or more hosting servers in the folder C:\ProgramData\Certify\assets.
We want to use these certificates in IIS.
As a result, I would have to refresh the certificates on my machine once and they will also be renewed on the hosting servers after deploy.

Hi John,

The intended way of working with Certify The Web is that you would install it on each server that needs it. So you should:

  • install the application on the server
  • create a new managed certificate (you will be required to create a contact with Let’s Encrypt first) and select the IIS site to be updated. If your site has hostname bindings then the domains to include in the cert will be suggested by the app for inclusion on the certificate, or you can manually add the domains.
  • On the preview tab you can see how the app plans to fetch the certificate and update the IIS Bindings.
  • Click request certificate and it should fetch the cert and auto apply it to IIS (depending on your configuration)

There are other ways of working with the app but this is the intended workflow.

Thanks for the quick response.
But we have created wildcard certificates on a server with domain validation after creating a DNS name.
We also want to use these same certificates on other servers, but actually also renew them automatically.
Could this be possible within the application? (deployment or some other way)

Hi John,

There is more than one way to achieve certificate re-use but one example way would be to:

  • Use DNS Validation to renew your certificates (on any machine)
  • Use the CCS Export deployment task to copy the certificate as a PFX file to a network share
  • Configure the use of CCS on your IIS servers so they can just automatically share the same certificate file.
  • Then, every time the main machine renews the certificate and deploys to CCS, all the other servers will pick up the new certificate(s).

Other options include using the certificate export task to export the certificate in multiple ways (depending on what’s required) - for instance this allows you to deploy the same certificate automatically to linux servers using ssh/sftp.

Thanks for this comment and that works fine for websites by pointing to Use Centralized Certificate store in the binding.
I also use secure FTP sites that use these certificates. However, here I have no option to indicate in the binding that these should use CCS.
Can you indicate how we could arrange this?

Sorry, I don’t have a method to suggest for that; I assumed FTP supported CCS as well.

You could copy the files to a share and periodically pick them up with a script and apply them.

In future versions of the app we plan to have a feature where instances can fetch and apply the latest cert from a master server.

Thank you for your response again. That’s too bad; then this will remain a manual action.
Just another question for automated renewal.
Do I also have to choose the option “Certificates Store Only” for Deployment Mode under deployment? I have created a Task to store the certificates on a share and am using CCS in IIS.
Will the Task now run automatically when the certificates are renewed?

Hi John,
The best thing to do is just try these things out so you can get a feel for the capabilities, but yes, the task will run automatically when the certificate is renewed. You can try it out by clicking ‘Request Certificate’ again to renew the cert (and run the task). Errors (if they occur) will be shown in the UI and the log. You can also just click the play button next to the Task to ensure that the task will run as expected (check permissions etc).

You can leave the Deployment Mode set to Auto or Certificate Store Only, it shouldn’t matter as your main deployment is happening using the CCS task and from what I understand you are running this from your local machine not the server (?). If you are running it from one of the servers that is also using CCS then yes, you probably want to set that to No Deployment to avoid any confusion (because you are not using the machine certificate store, you’re using a CCS file store).

While you get familiar with the app I advise monitoring the success of renewals every month, although that’s generally not necessary.

As mentioned, there is no particular need for manual actions as you can add your own custom scripting task, which is what most people use if they have any deployments to do that the app doesn’t provide a built-in solution for: https://docs.certifytheweb.com/docs/script-hooks - scripts are passed all the information about the certificate (file and thumbprint etc) to help work with the certificate.
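The periodic pick-up script suggested for the FTP sites earlier in this thread, and the custom scripting task mentioned in the last reply, could look like the following when run from a scheduled task on each FTP server. This is an added example, not code from Certify The Web or from anyone in this thread; the share path, PFX password and FTP site name are placeholders, and it assumes the IIS WebAdministration module is present and that the CCS Export task has written the PFX to the share.

```powershell
# Added example (not Certify The Web's own code): run from a scheduled task on each FTP server.
# It picks up the PFX that the CCS Export task wrote to the share and applies it to the IIS FTP
# site's SSL setting, which has no CCS option. Share path, site name and password are placeholders.
param(
    [string]$PfxPath     = '\\fileserver\certs\_.example.com.pfx',  # placeholder: CCS export location
    [string]$PfxPassword = 'CHANGE-ME',                            # placeholder: PFX password set in the export task
    [string]$FtpSiteName = 'MyFtpSite'                             # placeholder: IIS FTP site name
)
Import-Module WebAdministration

# Read the thumbprint from the PFX without importing it yet, so an unchanged file is a no-op.
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)

$sitePath = "IIS:\Sites\$FtpSiteName"
$current  = Get-ItemProperty -Path $sitePath -Name 'ftpServer.security.ssl.serverCertHash'
# WebAdministration may return the raw string or a ConfigurationAttribute wrapper; handle both.
$currentHash = if ($current -and $current.PSObject.Properties['Value']) { $current.Value } else { [string]$current }

if ($currentHash -eq $pfx.Thumbprint) {
    Write-Output "FTP site '$FtpSiteName' already uses $($pfx.Thumbprint); nothing to do."
    return
}

# Guard against applying an older file than the one already bound (e.g. a stale copy on the share).
$bound = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq $currentHash }
if ($bound -and $bound.NotAfter -ge $pfx.NotAfter) {
    Write-Warning "PFX on share expires $($pfx.NotAfter), not newer than bound cert ($($bound.NotAfter)); skipping."
    return
}

# Import into the machine store (private key included) and point the FTP site's SSL settings at it.
$securePwd = ConvertTo-SecureString $PfxPassword -AsPlainText -Force
Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $securePwd | Out-Null
Set-ItemProperty -Path $sitePath -Name 'ftpServer.security.ssl.serverCertHash'      -Value $pfx.Thumbprint
Set-ItemProperty -Path $sitePath -Name 'ftpServer.security.ssl.serverCertStoreName' -Value 'My'
Write-Output "FTP site '$FtpSiteName' switched from $currentHash to $($pfx.Thumbprint)."
```

The scheduled task needs to run elevated (IIS configuration and the LocalMachine store) and the share should be readable only by the server accounts, since the PFX contains the private key.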