Generate a free and valid SAN SSL certificate for multiple domains

So, you want to generate a single, free and valid SSL certificate for all your domains? Well, you’ve come to the right place!

A tool that will do exactly that for you is called letsencrypt-win-simple: A Simple ACME Client for Windows.

Download the tool from this link.

The tool generates free and valid SSL certificates for one or more sites/hostnames that are bound in IIS running on the local machine.

The tool is compatible with Windows Server 2008 or later, and is not compatible with Windows XP.

In this article, “domain” means the DNS name of a site, “site” is an HTTP site that you have set up in IIS, “hostname” is a domain name for which you have set up a binding in IIS, and on which IIS will respond when you e.g. request the bound domain name in a browser, and “SAN certificate” is a type of SSL certificate that covers multiple domains.

In IIS, the sites for which you want to generate SSL certificates should be bound to HTTP hostnames, not HTTPS hostnames. The tool will automatically add the relevant HTTPS bindings in IIS to all the sites for which you generate a certificate. Very neat.

The tool cannot generate a certificate for a wildcard domain, e.g. *.domain.com.

However, it can create a single certificate, called a SAN certificate, that covers multiple explicit domains, e.g. host1.domain.com, host2.domain.com, host1.otherdomain.com, etc.

You can then effectively catch all the domains you wish to host using a single SSL certificate. When you need to add (“catch”) an extra domain, just generate a new SAN certificate that includes the extra domain name.

It’s probably not safe, anyway, to let a SAN certificate catch wildcard domains. The reason: say you own domain.com and want to provide SSL on https://host1.domain.com and https://host2.domain.com. If a hacker manages to take control of https://host3.domain.com, and you had a wildcard SAN certificate for *.domain.com, then you would have handed the hacker an opportunity to steal your users’ information. Awesome! No.

Steps:

  1. Download and extract the tool from here.
  2. Make sure IIS and all necessary sites are started. Run inetmgr in Windows to make sure.
  3. In a command prompt, run letsencrypt --san to enable the functionality to generate a certificate with multiple domains.
  4. Choose option S to begin the process of generating a SAN certificate.
  5. Enter comma-separated list of IIS site IDs (not the domain names; the site IDs assigned to each site by IIS).
  6. The certificates are normally valid for about 90 days. Allow the tool to automatically renew the certificate(s) for you, by automatically adding a scheduled task.
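Before running the tool, it helps to know which IIS site IDs to type in at step 5 and whether each site is started and has an HTTP host header binding, as the post requires. The PowerShell script below is an added example, not part of the post or of letsencrypt-win-simple; it assumes IIS 7 or later with the WebAdministration module available and an elevated prompt, and the function name Get-SanCandidateSites is my own.

```powershell
# Added example (not from the post or the letsencrypt-win-simple project).
# Assumes the WebAdministration module (IIS 7 or later) and an elevated PowerShell prompt.
Import-Module WebAdministration

# Steps 2 and 5: list every IIS site with its ID, state and HTTP hostnames,
# flagging sites that are stopped or have no HTTP host header binding.
function Get-SanCandidateSites {
    foreach ($site in Get-Website) {
        $httpHosts  = @()
        $httpsHosts = @()
        foreach ($b in $site.bindings.Collection) {
            # bindingInformation looks like "IP:port:hostname", e.g. "*:80:host1.domain.com"
            $hostName = ($b.bindingInformation -split ':')[-1]
            if ($b.protocol -eq 'http'  -and $hostName) { $httpHosts  += $hostName }
            if ($b.protocol -eq 'https' -and $hostName) { $httpsHosts += $hostName }
        }
        [pscustomobject]@{
            Id         = $site.id
            Name       = $site.name
            State      = $site.state
            HttpHosts  = $httpHosts -join ','
            HttpsHosts = $httpsHosts -join ','
            Ready      = ($site.state -eq 'Started' -and $httpHosts.Count -gt 0)
        }
    }
}

$sites = Get-SanCandidateSites
$sites | Format-Table -AutoSize

# The comma-separated ID list the tool asks for in step 5 (only sites that are ready).
$ready = $sites | Where-Object Ready
"Site IDs for letsencrypt --san: " + (($ready | ForEach-Object Id) -join ',')

# The tool cannot issue for wildcard names, so call out any wildcard host header.
$ready | Where-Object { $_.HttpHosts.Contains('*') } |
    ForEach-Object { "Site $($_.Id) has a wildcard binding the tool cannot cover: $($_.HttpHosts)" }

# After issuance (step 6): show the SAN names and expiry of certificates in the machine store,
# so you can confirm every hostname is covered and when the roughly 90-day renewal is due.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } } |
    ForEach-Object {
        $san = ($_.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }).Format($false)
        [pscustomobject]@{ Thumbprint = $_.Thumbprint; NotAfter = $_.NotAfter; SAN = $san }
    } | Format-List
```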
