Hiding SANs in the cert

Hi, I obtained the cert through DNS validation in cert-manager on a Kubernetes cluster. The cert is for a couple of domains. Is it possible to hide the list of the domains in the SANs of the cert? Maybe someone has similar experience.

3 Likes

Hi @Alex331,

It is not possible to "hide" domains from the SANs list in a certificate. The only way to achieve this is to obtain and use separate certs for separate domains.

7 Likes

Doing something like this will prevent the SANs of one cert being associated with the other domains on the certificate. However, please remember that all Let's Encrypt certificates are submitted to certificate transparency logs and the domain names are publicly logged.

Certificate Transparency (CT) Logs - Let's Encrypt

7 Likes

First, hello @Alex331, and welcome to the LE community forum :slight_smile:

The question seems counterintuitive (to the desired result).
Given: SANs define the names being served by the cert.
If you hide a name from the SAN, it can't be believed when being served via that cert.
I suppose one could propose some method to obfuscate the SAN list, so that only by having a name from the list can the list itself be revealed or individual entry be validated. But we are many revs away from anything even remotely close to that (think: many years from now in a galaxy far far away...).

So, my question is: What exactly do you mean or (better yet) want to do?

4 Likes

If you want a cert that doesn't show your FQDN but can cover its use, then try a wildcard cert.
A cert that covers *.your-domain.com will match a bazillion names without ever revealing their existence.

Bazillion in this case is greater than 38^(61 - count.of.chars(.your-domain.com)) * 2^36.

6 Likes

count.of.chars is a subdomain, so that needs a new wildcard per level :slight_smile:

6 Likes

That's just my English for: count the characters in {whatever comes next}
It's just part of the formula.
Some might use:
len(variable or integer or expression)
[length of]

In review, the actual number is likely twice as big as that formula.

5 Likes

Yeah I was just trolling :slight_smile:

5 Likes

Thank you! My aim is quite simple: I want to hide SANs from users. If one of them uses sub.domain.com, he shouldn't see companyname.domain.com in the cert. But it looks like I have only one approach: to create separate certs for each domain. It could be good, but it's more than 30 additional requests to LE.

2 Likes

Or just use wildcard certificates...

3 Likes

As was mentioned before, it could be a bit harder because each subdomain of a domain requires its own wildcard, but you're right, it is an option too.

1 Like

You mean currently the SAN includes hostnames such as mail.user.example.com and that would require a wildcard hostname like *.user.example.com?

I still fail to grasp why it would be such an issue for the user to be able to see companyname.example.com though.

4 Likes
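The point made in the last few replies, that a wildcard SAN matches exactly one label and so every subdomain level needs its own wildcard, shown as an added example (not code from the thread or from cert-manager). The hostnames are constructed sample values; `wildcard_matches`, `covered_by` and `wildcards_needed` are hypothetical helper names.

```python
# Added example: how a wildcard SAN entry matches hostnames (the rule
# browsers apply, per RFC 6125), and why *.domain.com does not cover
# mail.user.domain.com. Standard library only; sample names are constructed.


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the SAN entry `pattern` covers `hostname`.

    A '*' is only valid as the entire leftmost label and matches exactly
    one label: '*.example.com' covers 'www.example.com' but neither
    'example.com' nor 'mail.user.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname          # plain dNSName: exact match only
    if "*" in pattern[1:]:
        return False                         # '*.*.example.com' is not valid
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Same number of labels, and every label after the wildcard identical.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covered_by(sans: list[str], hostname: str) -> bool:
    """True if any SAN entry in the cert covers the hostname."""
    return any(wildcard_matches(san, hostname) for san in sans)


def wildcards_needed(hostnames: list[str]) -> list[str]:
    """Smallest set of '*.parent' entries that covers every hostname with a
    wildcard: one per distinct parent domain, i.e. one per subdomain level."""
    parents = {h.lower().rstrip(".").split(".", 1)[1]
               for h in hostnames if "." in h}
    return sorted("*." + p for p in parents)


if __name__ == "__main__":
    # Constructed sample: the hostnames a single multi-SAN cert might list.
    names = ["sub.domain.com", "companyname.domain.com", "mail.user.domain.com"]
    print(wildcards_needed(names))           # ['*.domain.com', '*.user.domain.com']
    print(covered_by(["*.domain.com"], "sub.domain.com"))        # True
    print(covered_by(["*.domain.com"], "mail.user.domain.com"))  # False
```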

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.