Currently we have our own IIS web server with just one website, which listens to more than 200 domain names. That is because we have developed our own CMS (with our own CGI application), which is the same for all of our clients. The domain name determines which website must be shown to the visitor. This works well on our old Windows 2012 R2 server with IIS.
Usually, for each client, we have four bindings in IIS:
- clientname.com (port 80)
- clientname.com (port 443)
- www.clientname.com (port 80)
- www.clientname.com (port 443)
The port 443 bindings are generated with the Win-ACME command line interface while creating new certificates for a new domain.
Now we want to migrate our server from Windows 2012 R2 to Windows 2022. We'd like to start from scratch (to get rid of old stuff on the old server, etc.). So after installing IIS I only copied the port 80 bindings (from the applicationHost.config file) from the old IIS website to the new IIS website:
- clientname.com (port 80)
- www.clientname.com (port 80)
Ideally, Win-ACME should create new certificates for all domain names right after the server migration (the new server, after migration, will use the old IP addresses) so that I don't have to migrate the old certificates from the old server. I know that Win-ACME has a command line interface, but can it somehow be done automatically? If so, how?
Additionally, I'm not sure if we should start using wildcard certificates for our client domains. But we would if that would make things easier (with just one certificate per client instead of 2 like it is now).
By the way: we have already tested our IIS website and Let's Encrypt with a temporary domain name like https://testserver.clientname.com, and that works well. So everything works as it should, but getting all those new HTTPS certificates for our clients up and running right after the server switch might be a problem.
Just as a test, I tried to generate the certificates for all domain names at once, so I tried to pick all bindings in Win-ACME, but Win-ACME wants to know the main host, which will be presented as the subject of the certificate. That will surely go wrong when all domain names are different. So I'm not sure how to continue.
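One way to drive this per client rather than as a single multi-name certificate, as an added example that is not from the original post or from the Win-ACME project: a PowerShell script that reads the site's port 80 bindings, groups `clientname.com` and `www.clientname.com` under the bare domain, and calls wacs.exe once per client with that domain as the common name. The site name, the wacs.exe path and the wacs.exe switches used (`--source`, `--siteid`, `--host`, `--commonname`, `--installation`, `--accepttos`) are assumptions taken from the Win-ACME 2.x command line documentation and should be checked against the installed version.

```powershell
# Added example, not code from the original post or from Win-ACME.
# Assumes the WebAdministration module (ships with IIS) and a Win-ACME
# install at $Wacs; the wacs.exe switches below are assumed from the
# Win-ACME 2.x docs and are not verified here.
Import-Module WebAdministration

$SiteName = 'MainSite'                  # placeholder: the single IIS website
$Wacs     = 'C:\win-acme\wacs.exe'      # placeholder path to wacs.exe
$DryRun   = $true                       # print the commands first; flip to run

# Win-ACME selects the site by its numeric id (--siteid)
$SiteId = (Get-Website -Name $SiteName).Id

# Collect the host name of every port 80 binding and group per client:
# "www.clientname.com" and "clientname.com" go on the same certificate.
$groups = @{}
Get-WebBinding -Name $SiteName -Protocol http | ForEach-Object {
    # bindingInformation looks like "*:80:www.clientname.com"
    $hostName = ($_.bindingInformation -split ':')[2].ToLowerInvariant()
    if ([string]::IsNullOrWhiteSpace($hostName)) { return }  # skip catch-all
    $base = $hostName -replace '^www\.', ''
    if (-not $groups.ContainsKey($base)) { $groups[$base] = @() }
    $groups[$base] += $hostName
}

foreach ($base in ($groups.Keys | Sort-Object)) {
    # -Unique collapses the same host bound on several IP addresses
    $hosts = ($groups[$base] | Sort-Object -Unique) -join ','
    $wacsArgs = @(
        '--source', 'iis', '--siteid', $SiteId,
        '--host', $hosts,           # only this client's names
        '--commonname', $base,      # subject = bare client domain
        '--installation', 'iis',    # lets Win-ACME add the port 443 bindings
        '--accepttos'
    )
    if ($DryRun) {
        Write-Host "$Wacs $($wacsArgs -join ' ')"
    } else {
        & $Wacs @wacsArgs
        if ($LASTEXITCODE -ne 0) { Write-Warning "wacs.exe failed for $base" }
    }
}
```

Run it once with `$DryRun = $true` to review the 200-odd commands before issuing any orders, and expect to run the real pass in batches, since Let's Encrypt applies per-account rate limits on new orders.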