Generate a free and valid SAN SSL certificate for multiple domains

So, you want to generate a single, free and valid SSL certificate for all your domains? Well, you’ve come to the right place!

A tool that will do exactly that for you, is called letsencrypt-win-simple: A Simple ACME Client for Windows.

Download the tool from this link.

The tool generates free and valid SSL certificates for one or more sites/hostnames that have been binded in IIS running on the local machine.

The tool is compatible in at least Windows Server 2008, and not compatible in Windows XP.

In this article, “domain” means the DNS name of a site, “site” is an HTTP site that you have setup in IIS, “hostname” is a domain name for which you have setup a binding in IIS, and on which IIS will respond when you e.g. request the binded domain name in a browser, and “SAN certificate” is a type of SSL certificate that allows multiple domains.

The sites should be binded to HTTP hostnames, not HTTPS hostnames, in IIS, on the sites for which you want to generate SSL certificates. The tool will automatically add the relevant HTTPS bindings in IIS to all the sites for which you generate a certificate. Very neat.

The tool cannot generate a certificate for a wildcard domain, e.g. *.domain.com.

However, it can create a single certificate, called a SAN certificate, that covers multiple explicit domains, e.g. host1.domain.com, host2.domain.com, host1.otherdomain.com, etc.

You can then effectively catch all the domains you which to host, using a single SSL certificate. When you need to add (“catch”) an extra domain, just generate a new SAN certificate that includes the extra domain name.

It’s probably not safe, anyway, to let a SAN certificate catch wildcard domains. Reason is, say you own domain.com and would like to provide SSL on https://host1.domain.com and https://host2.domain.com. If a hacker manages to take control of https://host3.domain.com, and you had a wildcard SAN certificate for *.domain.com, then you will have granted to the hacker an opportunity to steal your users’ information. Awesome! No.

Steps:

  1. Download and extract the tool from here.
  2. Make sure IIS and all necessary sites are started. Run inetmgr in Windows to make sure.
  3. In a command prompt, run letsencrypt –san to enable the functionality to generate a certificate with multiple domains.
  4. Choose option S to begin the process of generating a SAN certificate.
  5. Enter comma-separated list of IIS site IDs (not the domain names; the site IDs assigned to each site by IIS).
  6. The certificates are normally valid for about 90 days. Allow the tool to automatically renew the certificate(s) for you, by automatically adding a scheduled task.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s