A large number of domains


#1

Hello!
Please tell me if I can, with about 100 servers, get 100,000 certificates for different domains?


#2

And if I can order certificates for subdomains separately?


#3

Let’s Encrypt currently enforces the following rate limits:

“Certificates per Domain” is defined as “Top Level Domain + Domain (a ‘registered domain’)”, so certificates for www.example.com, foo.example.com etc. would all count towards the rate limit of example.com.

Let’s Encrypt supports SAN certificates (i.e. ones with multiple domains or multiple subdomains) with up to 100 DNS names per certificate. You can also generate one certificate per domain (or subdomain) if you wish to.

It should be noted that Let’s Encrypt has issued about 200,000 certificates total so far, so this would be a significant increase in load if you’re planning to get those certificates issued in a small window of time.


#4

So as a practical maximum, given the assumptions

  • You can guarantee that you won’t need to add any new subdomains unexpectedly whatsoever (a rather optimistic assumption, the most obvious use cases for thousands of subdomains also involve adding/removing them at will)
  • With 90-day certificates, you want to renew them after 60 days, or sooner–rounding down to 8 weeks, 56 days
  • You can at most fit 100 subdomains in a single certificate, via SAN

Then you could, with carefully staggered certificate renewals, maintain up to 5 × 100 × 8 = 4000 subdomains under a single domain at most, given current rate limits. And for the first cycle, when getting the initial certificates, it would take the full 8 weeks before you have certificates for every subdomain.

If you put off certificate renewal to every 84 days (12 weeks), you could support 6000 subdomains per domain, but that would be pushing the absolute current limits.
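A way to check a staggered renewal plan like the one sketched above against a rolling per-domain limit, added here as an example and not code from the thread. It assumes the figures behind the 4000-subdomain arithmetic (5 certificates per registered domain per rolling 7 days, 100 SANs per certificate), which the thread does not quote verbatim, and a constructed start date.

```python
from datetime import date, timedelta
from math import ceil

# Assumed figures (not quoted verbatim in the thread; they reproduce its
# 4000 = 5 x 100 x 8 arithmetic): 5 certificates per registered domain per
# rolling 7 days, and up to 100 SAN names per certificate.
CERTS_PER_WINDOW = 5
WINDOW_DAYS = 7
SANS_PER_CERT = 100


def max_subdomains(cycle_days):
    """Largest subdomain count sustainable under one registered domain when
    every certificate is renewed every cycle_days days (whole weeks only)."""
    return (cycle_days // WINDOW_DAYS) * CERTS_PER_WINDOW * SANS_PER_CERT


def rollout_weeks(n_subdomains):
    """Weeks needed to issue the first cycle of certificates at 5 per week."""
    return ceil(ceil(n_subdomains / SANS_PER_CERT) / CERTS_PER_WINDOW)


def plan_issuances(n_subdomains, start, cycle_days, cycles):
    """Staggered schedule: certificate i is first issued in week i // 5 after
    start, then re-issued every cycle_days days. Returns sorted issuance dates."""
    n_certs = ceil(n_subdomains / SANS_PER_CERT)
    dates = []
    for i in range(n_certs):
        first = start + timedelta(days=(i // CERTS_PER_WINDOW) * WINDOW_DAYS)
        for c in range(cycles):
            dates.append(first + timedelta(days=c * cycle_days))
    return sorted(dates)


def rate_limit_exceeded(dates):
    """Sliding-window check: does any 7-day span hold more issuances than the
    per-domain limit allows? Each issuance date opens a window [d, d + 7)."""
    dates = sorted(dates)
    for i, d in enumerate(dates):
        end = d + timedelta(days=WINDOW_DAYS)
        if sum(1 for e in dates[i:] if e < end) > CERTS_PER_WINDOW:
            return True
    return False


if __name__ == "__main__":
    start = date(2016, 3, 1)  # constructed start date for the plan
    for subs, cycle in ((4000, 56), (4100, 56), (6000, 84)):
        sched = plan_issuances(subs, start, cycle, cycles=3)
        verdict = "rate limit exceeded" if rate_limit_exceeded(sched) else "ok"
        print(f"{subs} subdomains, {cycle}-day cycle: {verdict}")
```

Pushing one certificate past the 56-day plan (4100 subdomains) collides the ninth week's issuance with the first renewals and trips the window check.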


#5

Yes, although not sure why anyone would need 4000 subdomains … and if you did it may be more practical to use a provider that did provide wildcard certificates.


#6

Indeed, a wildcard SSL certificate would definitely be better for that amount of subdomains!


#7

Well, there are cases where SANs or wildcards are not desirable.

Consider, for instance, a managed hosting company. They may have thousands of customers set up on subdomains, but with customers having admin access to their machines, it would be insecure to share a private key between them. It seems this would be an ideal opportunity for letsencrypt to step in.