While our site can have a primary domain and additional domains as domain pointers pointing to it, only one SSL certificate can be installed per site. This is a stopping factor for those who need to point multiple domains to the same site and require all of them to be protected with HTTPS. The only solution in this case is to purchase and install a Multi-Domain certificate from some other SSL reseller, as we do not resell Multi-Domain certificates.
While the prices of Multi-Domain certificates can get very high, fortunately there is a free Multi-Domain certificate we can obtain from Let’s Encrypt. The process of obtaining, approving, and installing a Let’s Encrypt certificate manually can be tedious, confusing, and frustrating, but luckily for us, there is software called ACME clients that simplifies those tasks. For the purpose of this tutorial, I will use the following domain names, all pointing to the same Winhost site:
alaskafoxes.online – Primary Domain
alaskafoxes.shop – Domain Pointer
alaskafoxes.store – Domain Pointer
All of the domains are using CloudFlare DNS services. I will use the Certify The Web Desktop ACME client to obtain and manage Let’s Encrypt certificates. It will connect to the CloudFlare account and create the DNS entries needed to validate the domains with the DNS-01 challenge. It is important to note that this is the only challenge type that can be used to obtain a wildcard certificate.
All three of my domains are now using CloudFlare DNS services and their A records are pointing to my Winhost site, so I can go to the next step of obtaining the Global API Key from my CloudFlare account. Log in to your CloudFlare account and navigate to the API Tokens section. Click the View button next to Global API Key, enter your CloudFlare account password and press the View button. Copy the Global API Key shown and save it in a secure place. This key, together with the CloudFlare email address, will be used by the Certify the Web client to create the DNS records required to obtain the certificate.

When Certify the Web is installed, open it and go to Settings –> Certificate Authorities. Select the Let’s Encrypt option in the Prefer Certificate Authority drop-down box and hit the New Account button.

Select Let’s Encrypt from Certificate Authority drop-down box, enter your email address, agree to the terms, and hit Register Contact button.

The Let’s Encrypt account was registered successfully and is shown on the Settings –> Certificate Authorities page.

Now let’s connect our client to CloudFlare: go to Settings –> Stored Credentials –> Add New Stored Credentials

On the Add/Update Stored Credential page, select CloudFlare DNS API from the Credential Type drop-down box, enter a name for your credentials such as CF, and paste the Global API Key you obtained earlier into the Auth Key field. Enter the email address of your CloudFlare account in the Email Address field. Hit Save once done.

Now let’s create another stored credential to store a password that will be used to protect the PFX file of the certificate. We will use this password to import the PFX file to the Winhost site. Hit the Add New Stored Credentials button again and select Password in the Credential Type drop-down box. Give the stored credential a name such as PFX Password, enter the desired password, and hit the Save button.

Now go to Managed Certificates section and hit New Certificate button

Now let’s add all the common names we would like the certificate to protect. There will be three wildcard common names and three “naked” domains, i.e. this certificate will protect all domains, and all their subdomains: everything. I will need to add the following entries:
alaskafoxes.online
*.alaskafoxes.online
alaskafoxes.shop
*.alaskafoxes.shop
alaskafoxes.store
*.alaskafoxes.store
I will paste those entries one by one into the Add domains to certificate field, hitting the “+” button to add each, until I have them all listed as shown in the next screenshot. I decided to set *.alaskafoxes.online as my primary domain under the Primary column. When you add a wildcard common name, a message warns that you need to set up a DNS challenge for that type of certificate, which we will do later on.

Navigate to the Advanced section and select Let’s Encrypt from the Certificate Authority drop-down box.

Navigate to the Signing & Security page, scroll down to the Security section, and select the PFX Password that we created earlier from the drop-down box.

Next, go to the Authorization section and select dns-01 in the Challenge Type drop-down box. Select CloudFlare DNS API in the DNS Update Method drop-down box. Select the CF credential that we created earlier in the Credentials drop-down box. Click the “…” button next to the DNS Zone Id field. The domains of your CloudFlare account will be populated in the DNS Zone Id field. I am selecting my first domain, alaskafoxes.online. It will be replaced with a Zone Id identifier. Since DNS propagation takes time, the default 60 seconds is not enough. I will increase it to 600 seconds. Hit the Add Configuration button.

When you hit the Add Configuration button, an additional text box called Domain Match appears in the configuration that we just filled out. The software hides this field initially so as not to confuse users, as most of them order a certificate for one domain. However, when a Multi-Domain certificate is ordered, we need to enter the exact common names separated by a semicolon. So go back to the Authorization Settings of the first domain, alaskafoxes.online, and enter the following in the Domain Match text field:
*.alaskafoxes.online;alaskafoxes.online
Verify the configuration for the first domain, and scroll down to the configuration section of the next domain.

I will use the same configuration in the next Authorization Settings for the second domain, alaskafoxes.shop, except that I select the DNS Zone Id for alaskafoxes.shop and enter the following in the Domain Match field:
*.alaskafoxes.shop;alaskafoxes.shop

I will do the same for my last domain, alaskafoxes.store, adding the following in the Domain Match field:
*.alaskafoxes.store;alaskafoxes.store
Now it is time to save changes by hitting Save button and then proceed with certificate request by pressing Request Certificate button in the top-right corner.
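The mapping behind the three Domain Match entries, as an added example (not part of Certify the Web): each wildcard and its naked domain are validated at the same `_acme-challenge` TXT record, so every zone must carry two TXT values at once. It assumes each base domain is its own CloudFlare zone, as in this tutorial; the function names and the 1.1.1.1 resolver are choices made for the example.

```powershell
# Added example. Names are the six certificate entries from this tutorial.
$names = '*.alaskafoxes.online', 'alaskafoxes.online',
         '*.alaskafoxes.shop',   'alaskafoxes.shop',
         '*.alaskafoxes.store',  'alaskafoxes.store'

function Get-AcmeChallengePlan {
    param([string[]] $Names)
    $Names | ForEach-Object {
        # A wildcard is validated at its base domain, so "*.example" and
        # "example" both answer at _acme-challenge.example.
        $base = $_ -replace '^\*\.', ''
        [pscustomobject]@{ Name = $_; TxtRecord = "_acme-challenge.$base" }
    } | Group-Object TxtRecord | ForEach-Object {
        [pscustomobject]@{
            TxtRecord      = $_.Name
            DomainMatch    = ($_.Group | ForEach-Object { $_.Name }) -join ';'
            ExpectedValues = $_.Count   # one TXT value per name in the group
        }
    }
}

function Get-LiveChallengeValues {
    # Assumption: 1.1.1.1 (a public resolver) is reachable from this machine.
    param([string] $TxtRecord, [string] $Server = '1.1.1.1')
    $answer = Resolve-DnsName -Name $TxtRecord -Type TXT -Server $Server `
                              -DnsOnly -ErrorAction SilentlyContinue
    $answer | Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' }
}

foreach ($plan in Get-AcmeChallengePlan -Names $names) {
    $live = @(Get-LiveChallengeValues -TxtRecord $plan.TxtRecord)
    '{0}  DomainMatch="{1}"  expected={2}  visible={3}' -f `
        $plan.TxtRecord, $plan.DomainMatch, $plan.ExpectedValues, $live.Count
}
```

Run it during the propagation delay: a zone that shows fewer visible values than expected has not finished publishing its challenge records.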

The certificate manager will create the required TXT records in CloudFlare and will attempt to verify them after 10 minutes, as we entered 600 seconds in Propagation Delay Seconds. If all the information is entered correctly, the certificate will be issued and placed in the following directory on your machine:
C:\ProgramData\certify\assets\
To verify that the certificate was issued correctly and includes all domains, I will import / install that certificate on my local machine and check its subject alternative names.
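The same check can be scripted without importing the PFX into a certificate store. This is an added example, not part of the original tutorial: the function names are hypothetical, the PFX path is whatever file Certify the Web wrote under the assets directory, and the parsing assumes Windows, where the SAN extension formats as one `DNS Name=` entry per line. It also tests sample host names, since a wildcard entry matches exactly one left-most label.

```powershell
# Added example. Expected entries are the six names from this tutorial.
$expected = 'alaskafoxes.online', '*.alaskafoxes.online',
            'alaskafoxes.shop',   '*.alaskafoxes.shop',
            'alaskafoxes.store',  '*.alaskafoxes.store'

function Get-PfxDnsNames {
    param([Parameter(Mandatory)] [string] $PfxPath,
          [Parameter(Mandatory)] [securestring] $Password)
    # Loading from the file does not add anything to a certificate store.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $PfxPath, $Password
    try {
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if (-not $san) { return }
        # Format($true) prints one "DNS Name=<name>" entry per line on Windows.
        [regex]::Matches($san.Format($true), '=(\S+)') |
            ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
    } finally { $cert.Reset() }
}

function Test-NameCovered {
    param([string] $HostName, [string[]] $SanNames)
    $h = $HostName.ToLowerInvariant()
    foreach ($san in $SanNames) {
        if ($san -eq $h) { return $true }
        # "*.example" covers "www.example" but not "a.b.example" or "example".
        if ($san.StartsWith('*.') -and $h.Contains('.') -and
            $h.Substring($h.IndexOf('.')) -eq $san.Substring(1)) { return $true }
    }
    return $false
}

$pfxPath  = Read-Host 'Full path to the issued PFX file'
$password = Read-Host 'PFX password' -AsSecureString
$sans     = @(Get-PfxDnsNames -PfxPath $pfxPath -Password $password)

$missing = @($expected | Where-Object { $_ -notin $sans })
if ($missing.Count) { Write-Warning "Missing SAN entries: $($missing -join ', ')" }
else                { 'All six expected names are in the certificate.' }

# Constructed sample host names to show what the SAN list does and does not cover.
'www.alaskafoxes.shop', 'alaskafoxes.store', 'a.b.alaskafoxes.online' |
    ForEach-Object { '{0,-26} covered: {1}' -f $_, (Test-NameCovered $_ $sans) }
```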

Everything looks correct, so I will proceed with installing that certificate on my Winhost test account following the instructions in this article.
The certificate was successfully installed. The site was assigned a unique IP address and all domains and subdomains are now protected.

The Certify the Web certificate manager will display the list of current certificates and their expiration dates.
The certificate will be renewed automatically by the certificate manager. All you need to do after the certificate renewal is to grab the PFX file of the new certificate and install it on your Winhost site. The renewal settings tell when the certificate renewal will take place. By default, the renewal mode is set to 75% of the certificate lifespan. Therefore, if a Let's Encrypt certificate is issued for 90 days, then the renewal will occur on day 63 from the date when the certificate was issued.