Certificate for same short domain in multiple machines

Other browsers are also heading in that direction (though aren't as far as Chrome yet I don't think), but I suspect https will continue to become the default in more and more places.

4 Likes

The only motivation is user experience. Trading myapp.facility1.customer1.com for abc123.myapp.com is not much of a gain.

My app name is 11 characters long, the facility name is whatever the customer calls its facility, and then the main domain is the customer domain name. So myapp123456.copenhagen.industry-xyz.com is representative of the length of a real canonical FQDN. myapp123456.app is just simpler, especially for employees that move between facilities.

This feels like a dead end:

  • I must use certificates because I cannot assume web browsers will let all my users use http://myapp
  • I cannot renew the certificate in-location because I will quickly reach the main limit Certificates per Registered Domain (50 per week). I could renew in a single server and find a way to securely deploy the same pair of certificate + private key to all my instances.
  • But even having the certificate + private key pair for the same domain myapp on different servers from different companies seems problematic. If one server is compromised in a facility of customer 1, then the attacker would be greatly helped in creating a man-in-the-middle (MITM) attack in a facility of customer 2.

Perhaps there are no other good way than to stick with the longer canonical FQDN as @webprofusion first pointed out.

3 Likes

You can always request a rate limit exemption.

I don't know what numbers you're targeting, but I don't think LE would have a problem with a few hundreds of certs. Or thousands even.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.