Support for www and non-www domain? about certify HOT 6 CLOSED

Thanks Rick, the issue here is that we currently don't support SAN (Subject Alternative Name) - where you can associate a bunch of dns names with one cert. I just need to think about the right UI - you may have existing, even non-free, certs for other bindings that you might want to keep etc.

from certify.

FWIW, I can create two separate certs one for www. and one for the non-www binding and that works. But that adds a bit of overhead in managing the connection.

So are you saying that it's possible to do this with ACME but not with Certify (currently)?

Normally when you register a domain and you register for www. you automatically get the non-www version of the cert as well. I think the UI for that would be simple enough - a checkbox for base domain would do the trick (enabled only if you're specifically targeting a subdomain).

I'd help but frankly I don't know enough about the details of the cert process - I'm more like an end user who's excited about being able to more easily automate the certificate management and run all of my sites under SSL.

from certify.

Yes it's possible to do this with the command line - you perform individual authorizations (challenge/response) for each variation to be used in the same cert, then specify all of those identifiers when requesting the final cert. https://github.com/ebekker/ACMESharp/wiki/Quick-Start#7-request-and-retrieve-the-certificate.

The challenge for me is that I don't just want to handle www.domain.com and non-www, I want to do www.domain.com, domain.com, api.domain.com, api.domain.io etc in one cert, because older (non-SNI) versions of IIS need a single IP per SSL cert binding. But I agree we should just present all domains bound for a specific IIS site and provide the option to authorise and certify them all in one operation. The UI also needs proper progress/background worker setup as multi domains sites could take a while to process.

from certify.

Poking around in the Vault I see this:

{
  "$type": "ACMESharp.PKI.CsrDetails, ACMESharp",
  "CommonName": "www.foxcentral.net",
  "AlternativeNames": null,
  "Country": null,
  "StateOrProvince": null,
  "Locality": null,
  "Organization": null,
  "OrganizationUnit": null,
  "Description": null,
  "Surname": null,
  "GivenName": null,
  "Initials": null,
  "Title": null,
  "SerialNumber": null,
  "UniqueIdentifier": null,
  "Email": null
}

Seems to me that there is explicit support for AlternativeName.

I think it's much less important to get all the domain prefixes to work, but www. and the base domain is such a common scenario.

from certify.

@RickStrahl could you find a solution for this? I am having the same problem. thanks

from certify.

This (SAN support plus UI to select which domains to combine cert for) is being addressed currently in a new branch. See also the SAN tracking issue #28

from certify.