How to use UCC SSL certificate for multiple SANs to secure Azure and sites maintained by outside agencies
A client has many domains registered at GoDaddy. They also are starting to use Azure web Apps and have outside creative agencies developing websites, etc. for them. They also do in-house development.
For SSL purposes, we purchased a GoDaddy UCC SSL cert for up to 100 SANs.
Not being an SSL expert, I need guidance on how this UCC cert should be created and used for outside serivces (Azure / outside agencies).
I know we can create our own CSR in IIS, key the cert at GoDaddy and then install it in IIS on our own server (to secure, say, something.ourdomain.com). But what about for Azure and the outside agencies?
In Azure it seems like we create the CSR, export the cert in PFX format and upload to Azure.
What about the outside agencies? Do they create a CSR for us to then create a cert to export as PFX for them to install?
Not an SSL expert (as may be obvious from the above :^)
For SSL purposes, we purchased a GoDaddy UCC SSL cert for up to 100 SANs.
Not being an SSL expert, I need guidance on how this UCC cert should be created and used for outside serivces (Azure / outside agencies).
I know we can create our own CSR in IIS, key the cert at GoDaddy and then install it in IIS on our own server (to secure, say, something.ourdomain.com). But what about for Azure and the outside agencies?
In Azure it seems like we create the CSR, export the cert in PFX format and upload to Azure.
What about the outside agencies? Do they create a CSR for us to then create a cert to export as PFX for them to install?
Not an SSL expert (as may be obvious from the above :^)
ASKER
Hi David!
You've provided sage comments on some of my other posts - thanks for sharing your wisdom! I've used LetsEncrypt certs before (but about 2-3 years ago) and they were a bit buggy - and I only used them for local IIS certs. Not sure how they would translate to Azure, outside vendors, etc. And how would they auto-renew every 3 months in those cases (Azure, outside vendors, etc.)?
You've provided sage comments on some of my other posts - thanks for sharing your wisdom! I've used LetsEncrypt certs before (but about 2-3 years ago) and they were a bit buggy - and I only used them for local IIS certs. Not sure how they would translate to Azure, outside vendors, etc. And how would they auto-renew every 3 months in those cases (Azure, outside vendors, etc.)?
You may request ucc SAN cert or wildcard cert
It depends on if your all web sites are part of same domain with different hostnames (ex:host1.domain.com, host2.domain.com and so on), u can get wildcard cert
OR
If all web sites pointing to multiple domains, you need UCC certificate
All u need is use ssl cert website to generate certificate with require host or u can even use custom cert request generated through mmc console on any windows machine and get cert from public ca
Note that from machine where you request cert, private key remain on that machine so install cert 1st on that machine and export it in pfx
In order to export in pfx format cert must be requested by marking private key exportable bit true
Cert requested through ca web site always have this bit true
Cert requested if through mmc, you must manually set this within cert request
Exported pfx file can be distributed to vendors with secure password, ensure that vendors will not misuse pfx file with password as it contains entire cert with key pair
It depends on if your all web sites are part of same domain with different hostnames (ex:host1.domain.com, host2.domain.com and so on), u can get wildcard cert
OR
If all web sites pointing to multiple domains, you need UCC certificate
All u need is use ssl cert website to generate certificate with require host or u can even use custom cert request generated through mmc console on any windows machine and get cert from public ca
Note that from machine where you request cert, private key remain on that machine so install cert 1st on that machine and export it in pfx
In order to export in pfx format cert must be requested by marking private key exportable bit true
Cert requested through ca web site always have this bit true
Cert requested if through mmc, you must manually set this within cert request
Exported pfx file can be distributed to vendors with secure password, ensure that vendors will not misuse pfx file with password as it contains entire cert with key pair
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks David and Mahesh!
I'm going to look at LetsEncrypt more closely - perhaps we can get that to work in this instance. Mahesh - your explanation was very helpful about how to generate / distribute the SSL.
I'm going to look at LetsEncrypt more closely - perhaps we can get that to work in this instance. Mahesh - your explanation was very helpful about how to generate / distribute the SSL.
Lets Encrypt certs are not useful unless you have automated solution to auto renew and apply certs every 3 months since you have 100+ websites
LetsEncrypt auto renewal is simple.
A one line CRON entry as follows will both renew certs when renewal is required + also restart services which must reingest each cert.
I normally run hourly CRON jobs because certbot-auto only does work when a cert expires + by running hourly renewals, this avoids LetsEncrypt rate limits, if there are many certs on one machine.
In the case 3rd party services, PhantomJS scripting will be beneficial, especially if 100s to 1000s of certs are involved.
A one line CRON entry as follows will both renew certs when renewal is required + also restart services which must reingest each cert.
0 */1 * * * (echo '#####' && date && certbot-auto renew --non-interactive --post-hook "service apache2 reload") >> /var/log/ssl-renewals.log 2>&1I normally run hourly CRON jobs because certbot-auto only does work when a cert expires + by running hourly renewals, this avoids LetsEncrypt rate limits, if there are many certs on one machine.
In the case 3rd party services, PhantomJS scripting will be beneficial, especially if 100s to 1000s of certs are involved.
Thanks David !
Ouch.
Better to use LetsEncrypt free certs.
You can generate individual certs to cover specific hosts or wildcard certs to cover entire domains.
Keep in mind, if you made this purchase recently, you can always request a refund. Unsure number of days GoDaddy honors refunds + might be worth it to check.
A UCC cert is just a cumbersome way to cover many hosts + domains in a single cert.
Keep in mind, here's where it gets sticky.
Last time I tried using a GoDaddy UCC cert... wow... probably 5+ years ago it was a nightmare, because every time I added a new property (host or domain) to the cert it invalidated the existing cert across all sites... which then required the full chain or cert file into whatever system was using the cert. This becomes extremely time consuming.
Worse. This means every time you add a host/domain, you invalidate the cert everywhere.
GoDaddy may have fixed this or this might be part of the SSL standard.
I'm unsure, because I switched to using free LetsEncrypt certs around the same time, so gave up on the GoDaddy UCC nonsense.
Note #1: Best to research UCC certs + determine if you'll have to hire an army of people to update certs every where each time you add a new host/domain.
Note #2: Any cert - simple, UCC, wildcard - works the same, so there's nothing special you must do to use one cert over another.
Note #3: You said, "Not an SSL expert" + you're talking about covering many properties with SSL certs. I suggest you hire someone.
Here's why. I just recently worked on an SSL cert problem... which occurred because someone failed to understand how SSL cert configurations are best managed across... geez... must have been 40ish sites...
I finally had to just delete all cert configs + start over from scratch, using LetsEncrypt certs.
Once retooled, in a sensible manner, all sites worked first Apache restart.
Certs aren't that complex to get working correctly if there's a solid policy about how to do this from the start.