Automate CNAME tenants pointing to my server

I have a SaaS site. I have "tenants" that set up a CNAME pointing to a subdomain I host.

I have a few questions based on this scenario.

Is it possible to create a certificate for each "tenant" subdomain? Ex. every "tenant" points to with whatever subdomain they want from their site; let's say When they signup for an account on and enter their domain they'll be using I'd like to automate adding a certificate. I see I can extend my certificate (and I was able to manually do this) but I'd like them to have their own.

I know a site called booqable does this and their tenants have the certificate name in their subdomain and the SAN (see screenshot below). When I added their subdomain to my cert it lists all the subdomain names in the SAN and I don't want that.

This site in the screenshot booqable is hosting and the rental company has a CNAME set up pointing to a subdomain they have set up.

I am assuming this is possible so when a user adds what subdomain they're using in a form on their admin panel is there a way to create them their own certificate with the domain they input?

Thank you.

Hi @chad

that's possible and not a problem. CNAME ->

so checkout... has the ip of custom..., so if you have root access of, you can create

  • one certificate with
  • one certificate with and

If you use (1), you shouldn't have problems with rate limits (max. 300 orders per 3 hours). (2) is a little bit difficult.


I do have root access. So, I'd be able to create one certificate on my server for each tenant? your (1) and (2) are the two bullets? one or the other? Also, if I do (2) I create only one certificate per tenant with two domains (custom and checkout)?


Correct again.

Correct yet again.You would use (2) if you want tenants to allow direct access to their subdomains.

You have a lot of different options.

My own service - I don't create, instead, I use a wildcard *, so some customercompany subdomain names are hidden.

And there are some additional certificates: CNAME -> + -> same A record as

But CNAME is easier.

I had similar needs a few years ago.

The issue is not in obtaining a certificate - your clients can either CNAME their domain onto your domain, or (less advised, point an IP address), and then you can successfully validate the HTTP-01 challenges.

The big issue is integrating their Certificates into your webserver. Small deployments can often do something with a filesystem. We had a very large scalable need in terms of domains and servers, so I ended up writing a custom ACME client and a plugin for OpenResty (nginx fork) to dynamically load the right certificate.

There are some webservers, like caddy, which offer an "autocert" functionality. If there is no SSL cert available for the domain, they will do the whole ACME process as-needed. I don't have any experience with caddy so can't advise on how to share/persist certs across servers, but the maintainer is active on this forum and may pop up.

Just to be clear... is not a concern, as a wildcard for * handles that. The problem is coordinating the rollout of certificates onto your webserver.

For those that don't know, paas = "platform as a service".

Are you able to point me in the direction of creating and using additional certificates? I was only able to find re-creating certs. As you know, I want to create additional certs. Also, Booqable doesn't seem to require the tenant to verify anything (add a DNS record to verify their domain). How are they doing that part do you think? Thank you for all the time so far!

Yea... I have a wildcard for tenants using my domain (instead of CNAME). I just need their domain to have a cert without using my main cert for my paas.

I don't understand your question.

That's simple a certificate with one domain name, nothing else. Select a client and create a certificate.

No idea how that system works. But if there is a CNAME, you can use simple http validation, nothing else.

I seems that when I run the command for a new certificate:


It only uses that certificate so when I visit another tenant that I ran the same command but with their subdomain, it no longer works on the first tenant. I hope that made since.

That's a problem of your webserver configuration in combination with some limits of Certbot (checks the vHost configuration).

You have to find a solution. Or use another client.

There is no general solution. Certbot needs vHosts. Or use --webroot and certonly.

Certbot - and pretty much every system that installs LetsEncrypt certificates into servers - won't be able to help you here. This is a very advanced topic.

Certbot, and similar installation utilities, are looking for a (virtual) host that matches the domains in the certificate. This means you'd need to have a dedicated apache host for every client domain.

You could POSSIBLY pull this off by having apache read a directory of vhosts, like...

Include /usr/local/apache2/conf/vhosts/*.conf

and then creating a new vhost file in there for each client as needed. this is not fun to automate, not very scalable, and quite fragile.

Also, you don't need or want to include in these certs. You just want the certs to contain

I see. Yea. I'd want to do it correct.
You mentioned you are doing it? You use a service?

I wrote a client and we open sourced it. It really targets advanced use cases.

You could very-likely just run in front of Apache. I have heard there are ways to coordinate sharing certs across different servers, but I don't know much about that.

I think Caddy was the first autocert system (

You just sit it in front of apache, and it generates the certificates for you as needed. You won't have to enroll the customer's domain into it or anything.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.