How to create a SAN certificate in nginx for sub-domains?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version): nginx 1.18

The operating system my web server runs on is (include version): Ubuntu 20.04.1

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

I do not know the commands to make a SAN cert for 4 subdomains.

My sequence to make SSL is:

  1. cd /etc/nginx/sites-available

  2. In sites-available
    I create a file.
    The file looks like this:

server {
    listen 80;
    listen [::]:80;

    return 301$request_uri;
}

server {
    listen 80;
    listen [::]:80;

    root /var/www/;
    client_max_body_size 100m;

    access_log /var/log/nginx/;
    error_log /var/log/nginx/;

    index index.php index.html;

    # Hand PHP requests to the PHP-FPM socket
    location ~ \.php$ {
        try_files $uri $uri/ /index.php?$args;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

  3. cd /etc/nginx/sites-enabled/
    I link things:
    ln -sf /etc/nginx/sites-available/

  4. certbot --nginx

You could add each of those domains in the relevant server_name in your configuration and Certbot would pick them up when you ran certbot --nginx.

You could alternatively ask Certbot to create a certificate with a certain list of domains:

certbot --nginx -d -d -d -d

Thank you for your response.
Are your instructions above for a wildcard or SAN?
Will I need to do anything on the DNS side besides A Record with the subdomain name?


That's for a SAN certificate, yes.

For a wildcard you would do -d "*". Wildcards have some other complications: you have to use the DNS challenge. It's much easier and recommended to stick to SAN certificates if you can.

Nothing else. All you need is for the A record of each subdomain to point to your nginx server.


Thank you very much for your help.


After the certificates are made, what happens if, in the future, I add a new subdomain?
What command would I run for the new subdomain?

One way is to first find your Certificate Name by running:

certbot certificates

Then run the command you originally used, but:

  • Include the new subdomain in the list of domains, and
  • Include the Certificate Name you found using --cert-name, so that Certbot knows you want to update the existing certificate

That might look something like:

certbot --nginx --cert-name \
-d -d -d -d \

The only things that changed are --cert-name and -d
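
The expansion step described in the answer above, as an added example that is not part of the original thread or of Certbot itself. It assumes `certbot certificates` prints `Certificate Name:` and `Domains:` lines; `cert_domains` and `expand_command` are hypothetical helper names, and every example.com name is constructed. Because the `-d` list given with `--cert-name` becomes the certificate's full set of names, the helper carries over every existing domain before adding the new one, and it only prints the command.

```bash
#!/usr/bin/env bash
# Added example: print (not run) the certbot command that expands an existing
# SAN certificate. All example.com names and paths below are constructed.

# Constructed sample of `certbot certificates` output.
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: example.com
    Domains: example.com app.example.com api.example.com
    Expiry Date: 2021-03-01 10:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: other.example.net
    Domains: other.example.net
'

# cert_domains NAME: read `certbot certificates` output on stdin and print the
# domains already on certificate NAME, one per line.
cert_domains() {
  awk -v want="$1" '
    /Certificate Name:/ { hit = ($NF == want) }
    hit && /Domains:/ {
      sub(/.*Domains:[ \t]*/, ""); gsub(/,/, " ")
      for (i = 1; i <= NF; i++) print $i
    }'
}

# expand_command NAME NEW...: same input on stdin; print the command that keeps
# every existing domain on NAME and adds the NEW ones (duplicates dropped).
expand_command() (
  name="$1"; shift
  existing="$(cert_domains "$name")"
  [ -n "$existing" ] || { echo "no certificate named '$name'" >&2; exit 1; }
  for d in "$@"; do
    case "$d" in
      \**) echo "wildcard '$d' needs the DNS challenge, not --nginx" >&2; exit 1 ;;
      ""|.*|-*|*[!A-Za-z0-9.-]*) echo "not a hostname: '$d'" >&2; exit 1 ;;
    esac
  done
  { printf '%s\n' "$existing"; printf '%s\n' "$@"; } |
    awk -v name="$name" 'NF && !seen[$0]++ { args = args " -d " $0 }
      END { print "certbot --nginx --cert-name " name args }'
)

# Real use (as root): certbot certificates | expand_command example.com new.example.com
```

Review the printed command against the `Domains:` line before running it, so that no name already on the certificate is left out.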
