I'm wondering if Plesk also will implent HTTP Strict Transport (or HSTS) Security in the GUI. It's an extra layer of security for sites who need to be extra secure.

It's being done with a special header (mod_headers for Apache) and a TLS connection. The client (browser) can then verify if the server is the real server and not a man-in-the-middle server/attack.

It's as simple as adding the following code to the vhost config (HTTPS only!):

Apache:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Allow the ability to assign separate SSL certificates for multiple mail servers.

Please add Mailman support to Let's Encrypt.

Ideally, one could issue either a certificate directly for lists.domain.com or a wildcard certificate for *.domain.com.

Furthermore, a secure connection should be enforceable.

Thanks!

Currently, when giving users the ability to access SSL to add their own certificates, they can also view Let's Encrypt and create free certificates. It would be useful to allow users access to add their own certificates without giving them access to use Let's Encrypt and there is currently no way to do this.

Additionally, any users logging in to manage their domains can see Let's Encrypt (although cannot use it) and we keep getting asked about it, so it would be useful to hide this off for users unless they specifically need access.

SSL Certificate changes are currently not logged in Action Log in any way. Such changes should be logged as they are part of hosting settings.
Yet, they should reflect the certificate details (e.g. "Certificate A was changed to certificate B").

If you have a .pfx file containing Certificate, Private Key and CA certificate, allow to upload that container with one step.

This way, a customer doesnt have to use tools like openssl to extract and convert the certificate themselves.

.pfx is the preferred format on windows plattforms ,e.g. when you export a certificate from another IIS-based server.

Now Plesk uses RSA encryption method, but we would like to use ECC CSR support as it's considered more modern.

If a domain has SNI disabled from IIS > Site > example.com > Bindings, Plesk reverts it back to Enabled when it pushes changes to IIS.

It would be nice to have an option in the domain's SSL settings to turn ON/OFF SNI and lock it.

As you probably know, Let's Encrypt supports ECDSA certificates. Shorter handshake time, fewer data to transfer, faster page load time in the result.

I suggest Plesk feature - add option choose between RSA and ECDSA certificate when signing with Let's Encrypt.

Best regards, Mike

This is all about security, it's simply not a fully developed product without this facility and I am hugely shocked and surprised it doesn't already exist.

When adding a subdomain, it takes (at least at my webhoster) 15 min before the changes take effect. If one checked 'Secure the domain with Let's Encrypt' on the page 'Add a Subdomain', an error is thrown because the newly created subdomain is not available in time.

Therefore, I suggest taking this 'feature' off the 'Add a Subdomain' page.

By default, the Let's Encrypt extension pre-selects all alias domains of a domain to be included in the Let's Encrypt certificate. This can lead to some unwanted results, for example when one of the alias domains is removed from the DNS at a later stage (because it was only used for testing) which would result in Let's Encrypt being unable to renew the certificate.

It would be nice if there was an option that allows us to configure that alias domains should _not_ be selected by default in the Let's Encrypt extension.

I would like to be able to acquire SSL certificate of Let's Encrypt for subdomain of www.
For example
If example.com is another server, SSL certificate of www.example.com can not be acquired by Let's encrypt
I want you to be able to do it.

When securing Plesk with Let's Encrypt, the default certificate should be removed and/or the generated Let's Encrypt certificate should be set as the default one.

Such Let's Encrypt certificate should be automatically applied to mail too, and in such case, if server hostname is changed later, that certificate should be automtically reissued, or at least a warning should be generated.

Currently, to install a manual certificate:

1. Copy private key, paste private key, update Cert and CA
2. Go to Web Settings, change certificate to new one

Proposed process:

1. Select "Add Certificate" option next to the certificate
2. Private key automatically reused (perhaps read-only or hidden by default)
3. Name, Insert/Upload Certificate and CA
4. Show a "Replace certificate" option, that will update the domains that used the original certificate.