Is a certificate needed for each single subdomain?


#1

Hello!

I have a website (hosted externally) for which NO certificate was issued so far.
Furthermore I have several subdomains hosted locally which are/should be
reachable via the internet and which I want to secure with a certificate.

Now the question:

What do I have to use as domain name(s) when requesting the certificate?

  1. Only the domain name? ‘my-webaddress.net’
  2. Only subdomains ‘www.my-webaddress.net’, ‘git.my-webaddress.net’, ‘ilo.my-webaddress.net’ etc.
  3. Both 1. + 2.?

#2

If you just want the subdomains but not the main site then option 2 is the correct one. If you want the main as well then go with option 3 or get a separate cert for that.


#3

Thanks for your answer.

Am I right that there’s no kind of wildcard for subdomains (to come)?

In other words: I have to specify all planned subdomains now,
and in case I host a new subdomain I have to revoke and create a new certificate
including this new subdomain!?


#4

Hi,

Yes, adding a new subdomain involves getting a new certificate (as with any CA).
However, since the whole process is automated, I found it takes barely a few minutes to add a subdomain (and I probably spend more time modifying the webserver & DNS configuration).


#5

There are no plans right now, but it hasn’t been ruled out.

Yes, you’ll need to enumerate all domains. It’s not necessary to revoke the certificate before you create a new one (that’s something you only want to do if your private key is stolen). Simply issue a new certificate with the additional domains added. You might want to use --expand when doing that, otherwise the client will create a new certificate lineage (i.e. create a new directory in /etc/letsencrypt/live).
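The two points made in this thread, that a certificate covers only the names enumerated in its SAN list and that adding a name means re-issuing with `--expand` rather than revoking, can be checked in code. The following is an added illustration written for this thread, not certbot's own code. It implements RFC 6125-style hostname matching (case-insensitive labels, a wildcard honoured only as the entire left-most label and matching exactly one label), which goes beyond the thread: at the time of these posts Let's Encrypt issued no wildcard certificates, so every name had to be listed explicitly. The SAN list and hostnames are constructed samples, and the generated `certbot certonly ... --expand -d ...` command line assumes the webroot authenticator with a placeholder path; it is only built as a string, never executed.

```python
"""Which hostnames does an enumerated-SAN certificate cover, and which names
would still have to be added when re-issuing the lineage with --expand?

Added example for this thread (not certbot's own code). Matching rules
follow RFC 6125; wildcard support is a generalisation beyond the thread.
"""
from __future__ import annotations

import shlex


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; strip one trailing dot (FQDN form).
    return name.lower().rstrip(".").split(".")


def name_matches(san_entry: str, hostname: str) -> bool:
    """True if a single dNSName SAN entry covers `hostname`."""
    pat, host = _labels(san_entry), _labels(hostname)
    if "*" not in san_entry:
        return pat == host
    # Wildcard handling: only '*' as the whole left-most label is honoured,
    # and it matches exactly one label, so '*.example.net' covers neither
    # 'example.net' nor 'a.b.example.net'.
    if pat[0] != "*" or any("*" in lab for lab in pat[1:]):
        return False
    if len(pat) < 3:  # refuse '*.net'-style wildcards on a public suffix
        return False
    return len(host) == len(pat) and pat[1:] == host[1:]


def hostname_covered(hostname: str, san_names: list[str]) -> bool:
    """True if any SAN entry in the certificate covers `hostname`."""
    return any(name_matches(s, hostname) for s in san_names)


def missing_names(wanted: list[str], san_names: list[str]) -> list[str]:
    """Names in `wanted` that the current certificate does not cover."""
    return [h for h in wanted if not hostname_covered(h, san_names)]


def certbot_expand_command(current_san: list[str], new_names: list[str]) -> str:
    """Build (but do not run) the certbot command that re-issues the lineage
    with the extra names. Assumes the 'certonly' subcommand, one '-d' per
    name and the '--expand' flag from the thread; the webroot path
    '/var/www/html' is a placeholder. No revocation step is needed."""
    names = list(current_san) + [n for n in new_names if n not in current_san]
    argv = ["certbot", "certonly", "--expand", "--webroot", "-w", "/var/www/html"]
    for n in names:
        argv += ["-d", n]
    return shlex.join(argv)


# Constructed sample: SAN list of an existing certificate (option 3 above).
CURRENT_SAN = ["my-webaddress.net", "www.my-webaddress.net", "git.my-webaddress.net"]

if __name__ == "__main__":
    wanted = ["my-webaddress.net", "ilo.my-webaddress.net", "Git.My-Webaddress.NET"]
    todo = missing_names(wanted, CURRENT_SAN)
    print("not covered:", todo)  # ['ilo.my-webaddress.net']
    print(certbot_expand_command(CURRENT_SAN, todo))
```

Running it shows that `git.` is already covered (label case is irrelevant) while `ilo.` is not, and prints the single `--expand` invocation that adds it to the existing lineage instead of creating a second directory under /etc/letsencrypt/live.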