What is the ideal number of domains that should be added in a single certificate? As it is mentioned at lot of places that adding 100 domains (limit) to one certificate could slow down the response time. Is 50 domains per certificate OK?
Large number of SAN entries may (and probably will) increase the duration of the issuance of the certificate, because CA is gonna have to make a lot of requests to verify listed domains.
But it shouldn’t make any tangible time difference during the usage of the certificate(s).
Hi @chanchal,
The certificate has to be sent to the user with every HTTPS session setup. It is a file that starts around 1300 bytes and grows as you add more domain names. So, in principle this can increase the number of TCP roundtrips required during the session establishment. I would suggest doing some practical tests in your own environment to see what kind of impact you see.
2 Likes
this is a theoretical exercise
while yes a certificate with 1 SAN vs 50 SANs vs 100 SANs is different size. I would say that the difference on performance would be negligible
a general google would show you other factors such as key size in certificates, TLS cipher selection, web server selection, compression and protocols (HTTP2 for example) would impact performance more than the number of SANs
https://blog.nytsoi.net/2015/11/02/nginx-https-performance
Andrei
Supposedly, it’s a notable performance problem if a large certificate causes the TLS handshake to exceed the TCP connection’s initial congestion window size. I’m not sure if anyone has applied much science to the problem (and increasing the initcwnd size to far larger than any TLS handshake is a popular performance optimization anyway).
Certainly large certificates are somewhat popular, even for large services you’d expect to be performance sensitive (for example, Cloudflare, and almost all Google sites).
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.