Is a certificate needed for each single subdomain?


I have website (hosted externally) for which NO certificate was issued so far.
Furthermore I have several subdomains hosted locally which are/should be
reachable via internet and which I want to secure with a certificate.

Now the question:

What do I have to use as domain name(s) when requesting the certificate?

  1. Only domain name? ‘
  2. Only subdomains ‘’, ‘’, ‘’ etc.
  3. Both 1. + 2.?

If you just want the subdomains but not the main site then option 2 is the correct one. If you want the main as well then go with option 3 or get a separate cert for that.

Thanks for your answer.

Am I right that there’s no kind of wildcard for subdomains (to come)?

In other words: I have to specifiy all planned subdomains now
and (in case) I will host a new subdomain I have to revoke and create a new certificate
including this new subdomain!?


Yes, adding a new subdomain involves getting a new certificate (as with any CA).
However, since the whole process is automated, I found it takes barely a few minutes to add a subdomain (and I probably spend more time modifying the webserver & DNS configuration).

There are no plans right now, but it hasn't been ruled out.

Yes, you'll need to enumerate all domains. It's not necessary to revoke the certificate before you create a new one (that's something you only want to do if your private key is stolen). Simply issue a new certificate with the additional domains added. You might want to use --expand when doing that, otherwise the client will create a new certificate lineage (i.e. create a new directory in /etc/letsencrypt/live).