In general - yes those are the main choices.
1. If you have different applications administered by different people who can't be trusted with a shared key - you might want to have separate certificates with different keys for them.
2. If everyone has the same level of trust for a group of hosts, but can't be trusted with other hosts under the same domain - a single certificate with multiple SAN records.
3. If all hosts have the highest level of trust - use a wildcard certificate.
There are more reasons and use cases for other choices:
4. You could have multiple certificates for each of the above options using different algorithms for broader compatibility - i.e. a server presenting dual certificates one ECDSA and one RSA.
5. You could have different certificates to cater for different server capabilities - e.g. a certificate with Must Staple flag for servers that support OCSP Stapling and one without for servers that don't support it - even for servers with the same hostname, but listening on different ports/services.
You are not really constrained in your approach:
- Same wildcard or SAN certificate could be re-used across different hosts.
- Different certificates with identical CN and SAN records (including wildcards) but with different keys could be used on the same host.
- Certificates with the same key, but different CN and SAN records could be used across different hosts.
It all comes down to trust:
- Trust over which hosts the certificate controls.
- Trust over who / what has access to certificate keys (and therefore controls the certificate and its hosts).
- Trust over host storing certificate keys not being compromised.
Wildcard certs require DNS-01 challenge verification, so if you don't control your DNS to the point of being able to automate DNS-01 - you will have to stick with other options.
A single certificate could cover multiple domains such as example.net - the same principle applies - it's all about trust.
You may wish to use the same certificate to simplify operations, or you may wish to use different certificates to minimise impact of compromise of one of the hosts.
If you want to use the same SAN or wildcard certificate across multiple hosts - you would need to consider the mechanism for distribution of the certificate between them on renewal and reload of running services.
If this can't be easily done - it could be easier for hosts to manage procurement of their own certificates themselves.
But it is very easy when all hostnames are hosted on the same box.
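An added example, not part of the answer above, to make the "which hosts the certificate controls" point concrete: the script below applies the RFC 6125 name-matching rules that modern TLS clients use (a `*` covers exactly one leftmost label, never the bare domain and never more than one label) to two constructed SAN lists, one for option 2 (explicit SAN records) and one for option 3 (wildcard). The hostnames and SAN lists are made up for illustration.

```python
"""Which hostnames does a SAN certificate vs a wildcard certificate cover?

Added example with constructed inputs. Matching follows the RFC 6125 rules
that browsers and most TLS libraries apply: case-insensitive, a wildcard
is only accepted as the whole leftmost label, and it matches exactly one
label (so "*.example.net" covers "www.example.net" but neither
"example.net" nor "dev.api.example.net").
"""

from typing import List


def hostname_matches(hostname: str, san_entry: str) -> bool:
    """Return True if a dNSName SAN entry covers the given hostname."""
    host = hostname.lower().rstrip(".")
    san = san_entry.lower().rstrip(".")

    if "*" not in san:
        # Plain SAN record: exact match only.
        return host == san

    san_labels = san.split(".")
    # Reject partial wildcards ("w*.example.net"), wildcards anywhere but the
    # leftmost label, and overly broad ones ("*.com"): clients refuse these.
    if san_labels[0] != "*" or any("*" in lbl for lbl in san_labels[1:]):
        return False
    if len(san_labels) < 3:
        return False

    host_labels = host.split(".")
    # The wildcard stands in for exactly one label, so label counts must be
    # equal and every label right of the wildcard must match exactly.
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def covered_hosts(san_list: List[str], candidates: List[str]) -> List[str]:
    """Return the sorted subset of candidates that any SAN entry covers."""
    return sorted(
        h for h in candidates if any(hostname_matches(h, san) for san in san_list)
    )


# Constructed SAN lists for options 2 and 3 of the answer.
SAN_CERT = ["www.example.net", "api.example.net", "example.net"]
WILDCARD_CERT = ["*.example.net"]

# Constructed hostnames to test against, including ones nobody asked to cover.
CANDIDATES = [
    "www.example.net",
    "api.example.net",
    "example.net",
    "dev.api.example.net",
    "mail.example.net",
]


if __name__ == "__main__":
    for name, sans in (("SAN cert", SAN_CERT), ("wildcard cert", WILDCARD_CERT)):
        print(f"{name} {sans} covers: {covered_hosts(sans, CANDIDATES)}")
```

The output shows the trust trade-off in the answer: the SAN certificate covers only the three names that were deliberately listed, while the wildcard also covers `mail.example.net` (and any other single-label host someone later creates under the domain), yet neither covers `dev.api.example.net`, so a second-level wildcard or an explicit SAN entry is needed for that. Note also that the bare `example.net` is not covered by `*.example.net`; a wildcard certificate that must serve the apex domain needs it as a separate SAN entry.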