Adding new sub-domains to certificate


#1

Hello,
Our company has a site with several subdomains . We want to get the certificates for these sites . But as a wildcard support is not carried out, what will happen if we will have another new sub-domain? How to add a new sub-domain to the previously received ?

Thanks


Certificates for domains behind firewall / intermediate CA
#2

Hi,

It depends really how many sub-domains you have.

Personally I have each sub-domain on a separate certificate. if you have less than about 50 sub-domains this works very well. When you want to add a new site, you simply add a new cert for that site.

If you have several hundred sub-domains then you may want to add several ( up to 100) as alternate names on a single certificate. To add an extra one you you simply “expand” that certificate to include the extra name ( up to 100).


#3

We have> 50 subdomains. But we can not know the name of the next subdomain and their number. We issue a new subdomain for our new customers. We are considering to obtain a certificate for the domain of ~ 100.

We are interested in what happens when we have a new customer, and we will need to add a new domain name in the certificate, if, for example, it already has 30 domains. To be issued a new certificate or somehow information will be updated. After all, if the certificate will be new, it will not be valid for all customers (previous 30), who worked previously. Or we do not understand right?


#4

If you have a certificate with currently 61 sub-domains on it, and you have a new customer (xyz) then you would need to “expand” the certificate to include xyz. The certificate would then be valid for 62 sub-domains.

In reality, this is a new certificate with all 62 names on it, so it will be valid for all the original customers as well as the new customer.

If you have large numbers, it may be that a purchased wild-card certificate is the best option for you. can you provide a little more background to your setup, the numbers involved, how frequently they change etc ?


#5

How works limits after updating of the certificate? After the certificate was updated, in a week I can receive 4 more certificates or also 5?


#6

For certificates related to a single domain ( as I understand yours are - i.e. they will all be related to sub-domains of the same domain), the current limit is 20 certificates per week ( that is a rolling 7 day period )


#7

But how does thet limition works?
Certificates/FQDNset limits how many certificates can be issued containing the exact same set of Fully Qualified Domain Names. This is limited to 5 certificates per FQDN set per week. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of names, for instance, by adding [blog.example.com], you would be able to request additional certificates up to the limit set by Certificates/Domain.


#8

You are adding additional names ( in your example blog.example.com ) so yes, that is then no longer exactly the same set of FQDNs so it is the 20 certificates / domain limit.


#9

https://letsencrypt.org/docs/rate-limits/

Certificates/Domain limits how many certificates can be issued that contain a single registered domain. This is limited to 20 certificates per domain per week. Exception: When you request a certificate with the same exact set of FQDNs as previously-issued certificate, this rate limit does not apply, but the one below does.

Certificates/FQDNset limits how many certificates can be issued containing the exact same set of Fully Qualified Domain Names. This is limited to 5 certificates per FQDN set per week. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of names, for instance, by adding [blog.example.com], you would be able to request additional certificates up to the limit set by Certificates/Domain.


#10

Since you are adding names to the certificate - it is not exactly the same set of FQDN - so it is not the “limited to 5 certificates per FQDN set per week” which is relevant. This limit is there to stop people who (usually mistakenly) force a renewal of their certificate every day for example.

You have a different set of FQDNs. in certificate 1 it will be ( www.example.com, example.com ) and in certificate 2 they will be ( www.example.com, example.com, blog.example.com ) … hence they are different and the “limited to 20 certificates per domain per week” applies.


#11

I am having same issue with our server actually as we are free web hosting provider most of user based on sub-domains they hardly use top level TDL. But now we explained how many Free SSL certificates limited under sub-domains in our blog.


#12

You just make a new cert for the hostname. It’s not a (sub)domain name, it’s a host name.


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.