Is there a maximum number of wildcards in single certificate?

Question is in the title. From what I've read, Let's Encrypt does allow you to create certificates with multiple wildcards (i.e., *.example.com, *.example.co.uk, *.example.nz).

Is there a limit to the number of wildcard domains a single certificate has?

3 Likes

Hi @Porter

there is a general limit: Max. 100 domain names per certificate. So you can't create a certificate with 101 wildcard domain names.

But the idea sounds terrible. Wildcard certificates are critical, so normally you should have only two domain names per certificate - the * and the main domain.

4 Likes

Thank you for the response.

Could you help me understand better why the idea sounds terrible?

2 Likes

Please learn some fundamental basics:

A certificate with more than one wildcard is a violation of that principle.

4 Likes

which I affectionately call an A&W (apex and wildcard) certificate. :grin:

(For those not from the US, the aforementioned letters with the ampersand form the name of a brand of root beer.)

1 Like

My rule of thumb for when a wildcard certificate is appropriate: Is there a DNS wildcard too? For instance, if abc1234.example.com, def456.example.com, and foobar.example.com all resolve to the same IP address, it's totally reasonable to use a wildcard certificate. If there are some subdomains that resolve to a different IP address, it's not a good idea to use a wildcard, because someone could turn a compromise of one host (the one with the wildcard certificate) into an attack on other hosts (by MITMing their traffic).

That said, there's another problem with using the maximum number of hostnames on a single certificate: If one of those hostnames breaks, renewal for the whole thing will fail. Figuring out which hostnames failed and reissuing without them can be kind of complicated. I would recommend maxing out your certificates at 25 hostnames.

3 Likes
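Added example (not code from the thread or from Let's Encrypt) that turns the rule of thumb above and the 25-name ceiling into a small planner: given hostnames and the addresses they resolve to (constructed sample data, no real DNS lookups), it emits one name set per certificate, choosing apex plus wildcard only where every subdomain of a zone shares a single address and otherwise listing names explicitly in small batches. The `apexes` argument and the `plan_certificates` function name are this example's own.

```python
from collections import defaultdict

LE_MAX_NAMES = 100    # Let's Encrypt per-certificate limit stated in the thread
RECOMMENDED_MAX = 25  # jsha's suggested ceiling per certificate


def plan_certificates(resolved, apexes, max_names=RECOMMENDED_MAX):
    """Group hostnames into name-sets (one inner list per certificate), using the
    thread's rule of thumb: apex + wildcard only when every subdomain of a zone
    resolves to one address; otherwise explicit names in batches of max_names.

    resolved: {hostname: ip} as DNS returned it (constructed in the demo below).
    apexes:   the zones we control, e.g. {"example.com"}.
    """
    if not 1 <= max_names <= LE_MAX_NAMES:
        raise ValueError("max_names must be between 1 and %d" % LE_MAX_NAMES)
    by_zone = defaultdict(dict)
    for host, ip in resolved.items():
        zone = next((a for a in apexes if host == a or host.endswith("." + a)), None)
        if zone is None:
            raise ValueError("not under a controlled zone: " + host)
        by_zone[zone][host] = ip
    certs = []
    for zone, hosts in sorted(by_zone.items()):
        sub_ips = {ip for h, ip in hosts.items() if h != zone}
        # Every subdomain shares one address: a DNS wildcard is plausible, so an
        # apex + wildcard ("A&W") certificate does not widen the blast radius.
        if len(sub_ips) == 1:
            certs.append([zone, "*." + zone])
            continue
        # Mixed addresses (or no subdomains): a wildcard on one host would let it
        # impersonate the others, so enumerate names in small batches instead.
        names = sorted(hosts)
        certs.extend(names[i:i + max_names] for i in range(0, len(names), max_names))
    return certs

# Constructed DNS answers standing in for a real lookup (no network needed).
DEMO_RESOLVED = {
    "example.com": "192.0.2.10",
    "abc1234.example.com": "192.0.2.10",
    "def456.example.com": "192.0.2.10",
    "foobar.example.com": "192.0.2.10",
    "example.org": "198.51.100.1",
    "www.example.org": "198.51.100.1",
    "mail.example.org": "198.51.100.2",  # a different host: no wildcard here
}

if __name__ == "__main__":
    for names in plan_certificates(DEMO_RESOLVED, {"example.com", "example.org"}):
        print(" ".join("-d " + n for n in names))
```

Each printed line is the `-d` argument list for one certificate; splitting the explicit names into batches keeps a single broken hostname from blocking renewal of everything else.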

I'm typically an advocate for minimalism when it comes to domain names included in a single certificate for the reason that JuergenAuer stated and reinforced by what jsha has described.

That said, if you are using certbot, you can use --allow-subset-of-names in situations where you do want to include multiple domain names in a single certificate and some of them are not functional at the time for whatever reason. This can be a useful tool to sway you away from needing to use wildcard certificates.

1 Like