
Get multiple TLS/SSL certificates using SNI automation

Server Name Indication (SNI) allows web servers and network appliances to safely host multiple TLS/SSL certificates for multiple sites, all under a single IP address and port number. Instead of requiring a different IP address for each SSL site, you can use SNI to install and configure multiple SSL sites on one IP address.

Load balancers with support for SNI automation

  • A10

  • Amazon CloudFront

  • Amazon Elastic Load Balancer (ALB and NLB)

  • Citrix ADC

  • F5 BIG-IP LTM

Web servers with support for SNI automation

  • Microsoft IIS

Important

SNI certificate automation can only happen on HTTPS bindings. To request additional certificates for an IP address/domain, you must have a TLS/SSL certificate installed on the IP/port of the server or appliance.

Before you begin

For automation using Microsoft IIS server

  • Enable PowerShell on your machine.

  • If you do not have an HTTPS binding on your server, configure the IP address of the default HTTP binding for this port as All unassigned on the server.

  • If you have an HTTPS SNI binding on your server, configure the HTTPS SNI binding with the specific IP address and port on the server.

Create an automation event for SNI domains

  1. In your CertCentral account, in the left main menu, go to Automation > Automated IPs.

  2. On the Automated IPs page, find the common name for the IP/port for which you want an additional certificate.

  3. In the Action column, select Add SNI.

  4. On the automation request page, enter the common name and server name that you want the certificate to secure based on the automation location.

    • Microsoft IIS server

      In the Common name field, enter the SNI domain name that you want to secure. The common name will be used as the server’s SNI domain name.

    • Amazon CloudFront, ALB, NLB, Citrix, and F5 BIG-IP LTM load balancers

      • In the Common name field, enter the SNI domain name you want to secure.

      • (Optional) Select Make this the default site to set this site as the default site for all automation requests regardless of the load balancers.

      Note

      You can only assign one site as a default. If a default site already exists, it does not replace your previous selection. This means that the certificate issued will only protect this specific domain you have entered.

    • A10 load balancers

      • In the Common name field, enter the SNI domain name you want to secure.

      • In the Server name field, enter the exact SNI domain name you want to secure when the common name is a wildcard domain. The server name must be unique and must not duplicate another server name. It has to be a valid FQDN.

      • (Optional) Select Make this the default site to set this site as the default site for all automation requests regardless of the load balancers.

      Note

      You can only have one site as a default. If there is already a default site, it does not replace your previous selection. This means that the certificate issued will only protect this specific domain you have entered.

  5. Provide the other required information and schedule the certificate automation.

What’s next

When the automation is complete, the certificate for the requested site will be issued and installed to the IP address and port.
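
To confirm the result, you can handshake with the shared IP address and port once per SNI domain name and check that the certificate served covers that name, rather than a fallback certificate such as the default site's. The following is an added example, not part of the original page or of CertCentral; the function names, the 192.0.2.10 address, and the example.com names are placeholders, and wildcard names are assumed to cover exactly one left-most label.

```python
import socket
import ssl

def name_covers(cert_name, host):
    """True if a certificate DNS name (exact or '*.example.com') covers host.
    A wildcard stands for exactly one left-most label."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    label, _, parent = host.partition(".")
    return bool(label) and parent == cert_name[2:]

def cert_dns_names(cert):
    """DNS names from an ssl getpeercert() dict: SAN entries, else the subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def cert_matches(cert, sni_name):
    """True if any DNS name in the certificate covers the requested SNI name."""
    return any(name_covers(n, sni_name) for n in cert_dns_names(cert))

def check_sni(ip, port, sni_name, timeout=5.0):
    """Handshake with ip:port sending sni_name; return (matches, names served)."""
    ctx = ssl.create_default_context()  # the certificate chain is still verified
    ctx.check_hostname = False  # names are compared below so a mismatch is reported, not raised
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            cert = tls.getpeercert()
    return cert_matches(cert, sni_name), cert_dns_names(cert)

# Constructed sample: the dict getpeercert() returns for a wildcard certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address; replace it with the automated IP.
    for name in ("shop.example.com", "blog.example.com"):
        print(name, check_sni("192.0.2.10", 443, name))
```

A result of False together with another site's names in the returned list means the IP/port answered with a different certificate for that SNI name.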