How many certificates can I generate on the same server?


#1

Hello, I have almost 200 domains to virtually host on the same server.
So my question is: "How many certificates can I generate on the same server?"


#2

You can find all the rate limits here:

The largest factor would be if you are going to combine domains into one cert.
You may be able to take advantage of the 100 names limit per cert to help ease your concerns.
Also consider using the same LE account (if possible) to help simplify things.

But even if you can’t combine the names into one cert and use separate accounts for each domain…
And assuming even if the domains are related, you should be able to get 200 certs without much trouble over a few days or weeks.


#3

You can get certificates for 200 domains in a minute or two if you’re a lightning fast typist and your computer doesn’t take too long to generate RSA keys.

The rate limits are mainly per-domain; getting 2 certificates with 100 names each, or a couple hundred certificates for 200 different domains, aren’t an issue.


#4

Thanks for the quick response. My case has 200 cross domains (no subdomains) like example1.com, example2.com, example3.com… example200.com and the same IP address.

1. Can I use cross domains in one cert, meaning one cert for example1.com … example100.com and example101.com … example200.com in a second cert?

2. How will I be able to renew all, since all of them expire after 90 days? :slight_smile:

If there is another solution, please reply.

Thanks,
Ganesh


#5

One cert can include up to 100 names, from up to 100 domains. So you can do it in two certs.

If you want to include more names – like www.example200.com – you would need more certificates.

It depends on what ACME client you use and how you configure it. Automated renewal may be extremely easy to set up, or renewal may be a manual process similar to how you created the certificates originally.


#6

Well, thanks, I will give it a try and get back to you if I have a query. Thanks again :slight_smile:


#7

One thing that’s worth thinking about is whether you control all of these domains or whether some of them belong to other people and can potentially be taken away. If you know that all of the domains will still work when it’s time for renewal, that’s great! If some of them might go away or break unexpectedly, this might be a good incentive to think about certificate issuance plans that keep the different names on separate certificates, so that the loss of one domain doesn’t affect your ability to renew a certificate that also covers others.


#8


Hello, you can read this.
Your needs are fully satisfied.


#9

This is a good point. All domains will be maintained by us only, but over time we might get rid of some domains (won't continue using or renew them). Will it be problematic to renew the cert?
Can we skip expired domains?


#10

I will be using Certbot.


#11

If you create a certificate with 100 domain names and later skip two domains, then the new certificate is new, not a renewal. So I would check if one certificate per domain is an option.

I don't know what Certbot is doing if you want to renew the 100-domain certificate and two domains are missing. So the renewal may fail, you don't get a notice, and you will hit a limit.


#12

Normally it will fail if any domains within the certificate fail to renew. There is an option to change this behavior called --allow-subset-of-names, but it’s dangerous because it doesn’t have any way to distinguish between permanent and temporary failures. With --allow-subset-of-names, the certificate will be renewed with whichever names happen to succeed at renewal time (so you could lose some of your certificate’s coverage if there’s a temporary problem).


#13

So while creating a single cert for multiple cross domains, I will have to make sure none of them expires before renewal (to avoid failure).

Is there any way I can remove expired domains before renewing the cert?


#14

Yes, re-issue the certificate for the appropriate new set of domains. With Certbot you can do this with --cert-name to specify the certificate and then a complete list of -d options for all of the domains that should be included in the new certificate.
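
One way to plan the re-issue described in #14 across the two 100-name certificates from #5, as an added example that is not part of any post in this thread. The function name `plan_certs`, the cert-name prefix and the dropped-names file are assumptions; the script only prints `certbot certonly --cert-name … -d …` commands, to which you would add the authenticator options you already use.

```shell
#!/bin/sh
# Added example (not from the thread): print certbot re-issue commands
# for a long domain list, leaving out domains that were given up.
MAX_NAMES=100   # names-per-certificate limit quoted in the thread

# plan_certs PREFIX DROPPED_FILE   (domains on stdin, one per line)
# A domain's batch is fixed by its position in the full list, so dropping
# one name shrinks only its own certificate instead of reshuffling all.
plan_certs() (
    prefix=$1; dropped=$2; batch=1; pos=0; args=""
    emit() {
        if [ -n "$args" ]; then
            echo "certbot certonly --cert-name ${prefix}-${batch}${args}"
        fi
        batch=$((batch + 1)); args=""
    }
    while IFS= read -r name; do
        # Skip blanks, option-like names and anything that is not a plain
        # hostname, so the printed command line cannot be altered by input.
        case $name in ''|-*|*[!A-Za-z0-9.-]*) continue ;; esac
        pos=$((pos + 1))
        # -x whole line, -F fixed string: exact-match lookup in the drop list
        if ! grep -qxF -- "$name" "$dropped" 2>/dev/null; then
            args="$args -d $name"
        fi
        if [ $((pos % MAX_NAMES)) -eq 0 ]; then emit; fi
    done
    emit
)

# Constructed sample input: three domains, none dropped.
printf '%s\n' example1.com example2.com example3.com | plan_certs demo /dev/null
```

Because each command carries the complete `-d` list for its `--cert-name`, a dropped domain is removed before renewal time rather than being discovered as a failed validation.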


#15

Thank you :slight_smile:


#16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.