I'm wondering if Plesk also will implent HTTP Strict Transport (or HSTS) Security in the GUI. It's an extra layer of security for sites who need to be extra secure.

It's being done with a special header (mod_headers for Apache) and a TLS connection. The client (browser) can then verify if the server is the real server and not a man-in-the-middle server/attack.

It's as simple as adding the following code to the vhost config (HTTPS only!):

Apache:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Allow the ability to assign separate SSL certificates for multiple mail servers.

Please add Mailman support to Let's Encrypt.

Ideally, one could issue either a certificate directly for lists.domain.com or a wildcard certificate for *.domain.com.

Furthermore, a secure connection should be enforceable.

Thanks!

Please implement renewal of Let's Encrypt wildcard certificates through Plesk or command line.

As you probably know, Let's Encrypt supports ECDSA certificates. Shorter handshake time, fewer data to transfer, faster page load time in the result.

I suggest Plesk feature - add option choose between RSA and ECDSA certificate when signing with Let's Encrypt.

Best regards, Mike

We have a setup where webmail.example.com and example.com point to another server than our Plesk instance. Because of this we can't enable Let's Encrypt on Webmail since the CSR contains webmail.example.com and example.com.
So I hope you consider adding an option to only create webmail.example.com (without SAN example.com)

This is all about security, it's simply not a fully developed product without this facility and I am hugely shocked and surprised it doesn't already exist.

Currently, when giving users the ability to access SSL to add their own certificates, they can also view Let's Encrypt and create free certificates. It would be useful to allow users access to add their own certificates without giving them access to use Let's Encrypt and there is currently no way to do this.

Additionally, any users logging in to manage their domains can see Let's Encrypt (although cannot use it) and we keep getting asked about it, so it would be useful to hide this off for users unless they specifically need access.

SSL Certificate changes are currently not logged in Action Log in any way. Such changes should be logged as they are part of hosting settings.
Yet, they should reflect the certificate details (e.g. "Certificate A was changed to certificate B").

The Secure your sites SSL feature button should be visible, but greyed out, with a description at the bottom that says "You must have a dedicated IP to activate SSL" to prompt customers to follow the SSL setup in order and not attempt to create SSL certs without IP addresses.

If you have a .pfx file containing Certificate, Private Key and CA certificate, allow to upload that container with one step.

This way, a customer doesnt have to use tools like openssl to extract and convert the certificate themselves.

.pfx is the preferred format on windows plattforms ,e.g. when you export a certificate from another IIS-based server.

At the moment the CN of the wildcard certificate is still domain.com and not *.domain.com. The wildcard is just in the alternative domain names.
Please use the wildcard as the CN

Now Plesk uses RSA encryption method, but we would like to use ECC CSR support as it's considered more modern.

If a domain has SNI disabled from IIS > Site > example.com > Bindings, Plesk reverts it back to Enabled when it pushes changes to IIS.

It would be nice to have an option in the domain's SSL settings to turn ON/OFF SNI and lock it.

Please add functionality to add CSR for existing certificates.
Currently, it can be implemented using Linux command line:
https://stackoverflow.com/questions/9471380/create-csr-using-existing-private-key

The Plesk extension uses by default http-01 challenge, which doesn't work when the website is hosted on a private IP address.

The must be an option to choose the dns-01 challenge as proffered one. This functionality is currently missing :|

When adding a subdomain, it takes (at least at my webhoster) 15 min before the changes take effect. If one checked 'Secure the domain with Let's Encrypt' on the page 'Add a Subdomain', an error is thrown because the newly created subdomain is not available in time.

Therefore, I suggest taking this 'feature' off the 'Add a Subdomain' page.

By default, the Let's Encrypt extension pre-selects all alias domains of a domain to be included in the Let's Encrypt certificate. This can lead to some unwanted results, for example when one of the alias domains is removed from the DNS at a later stage (because it was only used for testing) which would result in Let's Encrypt being unable to renew the certificate.

It would be nice if there was an option that allows us to configure that alias domains should _not_ be selected by default in the Let's Encrypt extension.

I would like to be able to acquire SSL certificate of Let's Encrypt for subdomain of www.
For example
If example.com is another server, SSL certificate of www.example.com can not be acquired by Let's encrypt
I want you to be able to do it.

When securing Plesk with Let's Encrypt, the default certificate should be removed and/or the generated Let's Encrypt certificate should be set as the default one.

Such Let's Encrypt certificate should be automatically applied to mail too, and in such case, if server hostname is changed later, that certificate should be automtically reissued, or at least a warning should be generated.