Multiple domains (SAN) with one certificate #4

Open
jjh71 opened this issue Jan 9, 2018 · 3 comments

Comments

@jjh71

jjh71 commented Jan 9, 2018

At the moment I don't see a command-line option for supporting this, but it would be great!

@ridercz
Owner

ridercz commented Jan 9, 2018

SAN certificates are not supported on purpose. They do not make sense in AutoACME.

AutoACME relies heavily on the Centralized Certificate Store feature in IIS. This technology basically requires that each and every host name used has its own .pfx file. Supporting multiple host names per certificate would bring exactly nothing: CCS would still require a separate file for each host name. It would just make things more complicated, because AutoACME would need to manage multiple files per host. It's far easier to just issue each host its own certificate.

@ridercz ridercz closed this as completed Jan 9, 2018
@ridercz
Owner

ridercz commented Feb 20, 2018

In view of the recently enacted restriction of 20 certificates per domain, I changed my position. It still does not make sense from the IIS+CCS perspective, but it DOES make sense by allowing one to get certificates for 2000 hosts instead of 20 hosts.

So I'll think about how I can implement this into AutoACME. Don't get your hopes too high, though. I maintain this project in my spare time, mainly to solve my personal requirements and this isn't one of them, so it does not have high priority. Of course, you are more than welcome to join the development efforts.

@ridercz ridercz reopened this Feb 20, 2018
@avonwyss
Collaborator

The changes in #33 introduce basic SAN support as follows:

  • In the config file, the CommonName of hosts may now contain a list (space, comma or semicolon-separated) of hostnames. The first name will be the CN of the certificate, the others will be alternative names.
  • When exporting to PFX (and optionally PEM/CER) the same certificate file will be stored multiple times for each domain name. This enables the IIS centralized store to work correctly.
  • Manually creating SAN certificates works like this: autoacme addhost "example.com www.example.com"
  • While IISSync should not break with SAN certificates in place, it will currently not create SAN certificates on its own since it is not clear which hosts should be grouped together into one certificate (one per site maybe?).
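
The CommonName handling and per-host PFX export described in the comment above, as an added example that is not AutoACME's code from #33. The `SanPlan` class, its method names and the `C:\CCS` folder are hypothetical; because each host name becomes a file name, the example also rejects anything that is not a plain DNS name.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Hypothetical helper for illustration; not part of AutoACME.
static class SanPlan {
    // Separators the comment lists: space, comma, semicolon.
    static readonly char[] Separators = { ' ', ',', ';' };

    // Split a CommonName entry into distinct host names, keeping their order.
    public static List<string> ParseNames(string commonName) {
        var names = (commonName ?? "")
            .Split(Separators, StringSplitOptions.RemoveEmptyEntries)
            .Select(n => n.Trim().ToLowerInvariant())
            .Distinct()
            .ToList();
        if (names.Count == 0)
            throw new ArgumentException("No host name given.", nameof(commonName));
        foreach (var n in names) {
            // Names end up as file names, so refuse path characters and other non-DNS input.
            if (Uri.CheckHostName(n) != UriHostNameType.Dns)
                throw new ArgumentException($"Not a DNS host name: {n}");
        }
        return names;
    }

    // CCS looks up "<hostname>.pfx", so the same certificate is stored once per name.
    public static IEnumerable<string> PfxPaths(string storeFolder, IEnumerable<string> names) =>
        names.Select(n => Path.Combine(storeFolder, n + ".pfx"));

    static void Main() {
        // Constructed sample input mixing all three separators and one duplicate.
        var names = ParseNames("example.com, www.example.com;API.example.com www.example.com");
        Console.WriteLine("CN  = " + names[0]);                          // first name
        Console.WriteLine("SAN = " + string.Join(", ", names.Skip(1))); // remaining names
        foreach (var path in PfxPaths(@"C:\CCS", names))
            Console.WriteLine("write " + path);
    }
}
```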
