
Multiple domains (SAN) with one certificate

Open jjh71 opened this issue 8 years ago • 3 comments

At the moment I don't see a commandline option for supporting this, but it would be great!

jjh71 avatar Jan 09 '18 09:01 jjh71

SAN certificates are not supported on purpose. They do not make sense in AutoACME.

AutoACME is relying heavily on Centralized Certificate Store feature in IIS. This technology basically requires that each and every host name used has its own .pfx file. Supporting multiple host names per certificate would bring exactly nothing: CCS would still require separate file for each host name. It would just make things more complicated, because AutoACME would need to manage multiple files per host. It's far easier to just issue each host its own certificate.

ridercz avatar Jan 09 '18 23:01 ridercz

In view of the recently enacted restriction of 20 certificates per domain I changed my position. It still does not make sense from IIS+CCS perspective, but it DOES make sense by allowing to get certificates for 2000 hosts instead of 20 hosts.

So I'll think about how I can implement this into AutoACME. Don't get your hopes too high, though. I maintain this project in my spare time, mainly to solve my personal requirements and this isn't one of them, so it does not have high priority. Of course, you are more than welcome to join the development efforts.

ridercz avatar Feb 20 '18 19:02 ridercz

The changes in #33 introduce basic SAN support as follows:

  • In the config file, the CommonName of hosts may now contain a list (space, comma or semicolon-separated) of hostnames. The first name will be the CN of the certificate, the others will be alternative names.
  • When exporting to PFX (and optionally PEM/CER) the same certificate file will be stored multiple times for each domain name. This enables the IIS centralized store to work correctly.
  • Manually creating SAN certificates works like this: autoacme addhost "example.com www.example.com"
  • While IISSync should not break with SAN certificates in place, it will currently not create SAN certificates on its own since it is not clear which hosts should be grouped together into one certificate (one per site maybe?).

avonwyss avatar Nov 28 '18 12:11 avonwyss
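The comment above describes two mechanics that are worth seeing end to end: the CommonName field being split into one CN plus alternative names, and the resulting single certificate having to be stored once per host name because the IIS Centralized Certificate Store resolves `<hostname>.pfx` by SNI name and never consults another file's SAN list. The PowerShell below is an added example written for this page, not AutoACME's own code or IISSync behaviour. It assumes a local directory (`C:\CCS-test`) as a stand-in for the CCS share, a placeholder PFX password, and a self-signed certificate in place of the ACME-issued one (CCS only cares about the file name and that all files share one password).

```powershell
# Added example, not AutoACME code. Stand-ins: $CcsPath for the CCS share,
# the PFX password, and a self-signed certificate instead of an ACME-issued one.
$HostList    = "example.com www.example.com;mail.example.com"   # as it might appear in the config CommonName
$CcsPath     = "C:\CCS-test"                                    # placeholder for the CCS physical path
$PfxPassword = ConvertTo-SecureString -String "ChangeMe!" -AsPlainText -Force

# 1. Split on space, comma or semicolon; first name becomes the CN, the rest are SANs.
$Hosts = @($HostList -split '[ ,;]+' | Where-Object { $_ } | Select-Object -Unique)
$Cn    = $Hosts[0]
$Sans  = @($Hosts | Select-Object -Skip 1)
Write-Host "CN: $Cn   SANs: $($Sans -join ', ')"

# 2. One certificate covering every name (New-SelfSignedCertificate puts the first
#    -DnsName into the Subject CN and all of them into the SAN extension).
$Cert = New-SelfSignedCertificate -DnsName $Hosts `
    -CertStoreLocation "Cert:\CurrentUser\My" -NotAfter (Get-Date).AddDays(90)

# 3. Export once, then place the identical file under each host name. CCS looks up
#    <sni-hostname>.pfx and does not search other files' SAN lists, so a SAN cert
#    stored only as example.com.pfx would never be served for www.example.com.
New-Item -ItemType Directory -Path $CcsPath -Force | Out-Null
$Master = Join-Path $CcsPath "$Cn.pfx"
Export-PfxCertificate -Cert $Cert -FilePath $Master -Password $PfxPassword | Out-Null
foreach ($h in $Sans) {
    Copy-Item -Path $Master -Destination (Join-Path $CcsPath "$h.pfx") -Force
}

# 4. Check: every file name must appear among the DNS names of the certificate inside it.
foreach ($h in $Hosts) {
    $pfx   = Get-PfxData -FilePath (Join-Path $CcsPath "$h.pfx") -Password $PfxPassword
    $names = $pfx.EndEntityCertificates[0].DnsNameList.Unicode
    if ($names -notcontains $h) {
        Write-Warning "$h.pfx does not cover $h"
    } else {
        Write-Host "OK   $h.pfx covers $h"
    }
}

# Remove the test certificate from the personal store again.
Remove-Item -Path "Cert:\CurrentUser\My\$($Cert.Thumbprint)"
```

Step 4 is the check worth keeping in any automation around CCS: when a host is later dropped from the SAN list, its `<hostname>.pfx` copy keeps being served until it is deleted or overwritten, so a stale file silently presents a certificate that no longer names that host.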