Large Integrators' experience with Let's Encrypt

Sorry – to clarify, was wondering about the revocation process for multi-domain certs, where an arbitrary third party would have control of one of the domains on the certificate, but not all of them.

Even if there is no automated way to ask for the revocation, you can still directly contact Let’s Encrypt to ask for the revocation of such certificate.

We don’t currently have plans to automate revocation by proving control of a single name on a multi-SAN certificate. However, if someone who owns one of the domain names reaches out to us and tells us a certificate for their domain name is no longer accurate (e.g. due to transfer) we will have to manually revoke it.

Incidentally, we’ve found that integrators who try to squeeze the maximum number of names onto each certificate have problems. For instance, one domain on a certificate could expire, or point their DNS at a different provider, or add a CAA record that restricts issuance. It’s probably better, if you’re designing a new integration, to either use one name per cert, or group together only related names, like www.example.com and example.com.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.