1

I'm trying to find a large-scale solution for setting up multiple domains, and their sub-domains, with SSL certs. This is on the order of thousands of websites across a couple dozen load-balanced servers. (We're a .NET shop, if that's helpful)

Ideally, we could implement something without having to individually purchase certs for each domain (doesn't scale well) though I suppose I can find a creative solution if that's just a necessary step.

UCC doesn't seem to be ideal, because of the association made between the domains and the lack of being able to upgrade to add additional domains on the fly. These are for different individual customers, so the degree of separation is an unfortunate necessity, and flexibility is vital since the number of websites isn't static.

Has anyone found a solution for something like this? I'd even take some creative ideas just to get the ball rolling.

(Long time user of the site, but first time asking a question, so if I can improve this with any specifics please of course let me know.)

Improve this question
3
  • Automate letsencrypt.org ? Commented Mar 22, 2016 at 16:03
  • @ceejayoz Just being pedantic, but Let's Encrypt needs to be automated, else its purpose is defeated. Nobody wants to be renewing all their certs by hand every 90 days :) Commented Mar 22, 2016 at 17:28
  • letsencrypt.org will definitely work in this situation... They will just need to put together a .NET app to handle the certificate renewals for all their systems. Unfortunately, there are no official LetsEncrypt clients for Windows... There are some unofficial though: community.letsencrypt.org/t/list-of-client-implementations/2103 Commented Mar 22, 2016 at 18:20

1 Answer 1

Reset to default
1

There's multiple options here, and the important one is whether or not your server and client infrastructure supports SNI.

If you have SNI support, then my suggestion would be to generate an individual, trusted certificate for each site/domain/subdomain you need. Don't fret, with the advent of Let's Encrypt from the EFF, getting as many trusted certificates as you need is trivial.

If you do not have SNI support (due to old clients, or a version of IIS that does not support this), then a SAN certificate might be the way to go. Again, you can get these from Let's Encrypt. Just generate a single cert with all the SANs you required. But every time you change the list of domains you need coverage for, you have to regenerate your certificate (and depending on how you have deployed it, you might have to deploy it to every applicable host again). However, you have indicated that this is not ideal for you, as you want to maintain seperation between many of these domains.

Apart from SNI with individual certs, and a SAN cert, the 3rd common way is to put something like Cloudflare infront of all your sites, and let them do the SSL certificates for you. The nice thing about this is that you get your SSL termination latency reduced too, as clients do their SSL negotiation with Cloudflare, with presumably a closer POP than you would have on your own.

Improve this answer
2
  • 1
    Keep in mind with LetsEncrypt and SAN certs, there are rate limits that may come into play. community.letsencrypt.org/t/rate-limits-for-lets-encrypt/6769 Commented Mar 22, 2016 at 18:07
  • This is perfect, thank you! We do have SNI support, so we're going to look at automating the process through Let's Encrypt. Didn't know it was so widely supported! Also looking at the cloud-based solution, since they'll do the heavy lifting and we won't have to deal with the LBs processing the certs. Thanks Mark! Commented Mar 22, 2016 at 18:38

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.