Get multiple TLS/SSL certificates using SNI automation
Server Name Indication (SNI) allows web servers and network appliances to safely host multiple TLS/SSL certificates for multiple sites, all under a single IP address and port number. Instead of requiring a different IP address for each SSL site, you can use SNI to install and configure multiple SSL sites on one IP address.
Load balancers with support for SNI automation
A10
Amazon CloudFront
Amazon Elastic Load Balancer (ALB and NLB)
Citrix ADC
F5 BIG-IP LTM
Web servers with support for SNI automation
Microsoft IIS
Important
SNI certificate automation can only happen on HTTPS bindings. To request additional certificates for an IP address/domain, you must have a TLS/SSL certificate installed on the IP/port of the server or appliance.
Before you begin
For automation using Microsoft IIS server
Enable PowerShell on your machine.
If you do not have an HTTPS binding on your server, configure the IP address of the default HTTP binding for this port as All unassigned on the server.
If you have an HTTPS SNI binding on your server, configure the HTTPS SNI binding with the specific IP address and port on the server.
Create an automation event for SNI domains
In your CertCentral account, in the left main menu, go to Automation > Automated IPs.
On the Automated IPs page, find the common name for the IP/port for which you want an additional certificate.
In the Action column, select Add SNI.
On the automation request page, enter the common name and server name that you want the certificate to secure based on the automation location.
Microsoft IIS server
In the Common name field, enter the SNI domain name that you want to secure. The common name will be used as the server's SNI domain name.
Amazon CloudFront, ALB, NLB, Citrix, and F5 BIG-IP LTM load balancers
In the Common name field, enter the SNI domain name you want to secure.
(Optional) Select Make this the default site to set this site as the default site for all automation requests regardless of the load balancers.
Note
You can only assign one site as a default. If a default site already exists, the new selection does not replace your previous selection. This means that the certificate issued will only protect this specific domain you have entered.
A10 load balancers
In the Common name field, enter the SNI domain name you want to secure.
In the Server name field, enter the exact SNI domain name you want to secure when the common name is a wildcard domain. The server name must be unique and must not duplicate another server name. It has to be a valid FQDN.
(Optional) Select Make this the default site to set this site as the default site for all automation requests regardless of the load balancers.
Note
You can only have one site as a default. If there is already a default site, the new selection does not replace your previous selection. This means that the certificate issued will only protect this specific domain you have entered.
Provide the other required information and schedule the certificate automation.
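A pre-submission check for the A10 Server name rules above (valid FQDN, unique, and an exact name when the common name is a wildcard), as an added example that is not DigiCert's code. The function names and sample hostnames are hypothetical, and the rule that the server name must sit exactly one label below the wildcard is an assumption taken from standard certificate name matching, not something this page states.

```python
import re

# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def _norm(name):
    """Lower-case a hostname and drop a single trailing root dot."""
    name = name.lower()
    return name[:-1] if name.endswith(".") else name


def is_fqdn(name):
    """True for a syntactically valid, non-wildcard FQDN with at least two labels."""
    name = _norm(name)
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return False  # too long, single label, or looks like an IP address
    return all(_LABEL.fullmatch(label) for label in labels)


def covered_by(common_name, server_name):
    """True if a certificate for common_name would match server_name.

    Assumption: a wildcard stands in for exactly one left-most label.
    """
    cn, sn = _norm(common_name), _norm(server_name)
    if cn.startswith("*."):
        head, _, parent = sn.partition(".")
        return bool(head) and parent == cn[2:]
    return cn == sn


def check_server_name(common_name, server_name, existing_server_names):
    """Return a list of problems; an empty list means the name passes."""
    problems = []
    if not is_fqdn(server_name):
        problems.append("not a valid FQDN")
    if _norm(server_name) in {_norm(n) for n in existing_server_names}:
        problems.append("duplicates an existing server name")
    if not covered_by(common_name, server_name):
        problems.append("not covered by the common name")
    return problems


if __name__ == "__main__":
    existing = ["shop.example.com"]  # constructed sample data
    for candidate in ("api.example.com", "Shop.Example.com", "a.b.example.com"):
        print(candidate, check_server_name("*.example.com", candidate, existing))
```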
What’s next
When the automation is complete, the certificate for the requested site will be issued and installed to the IP address and port.