Limit problem: Certificates per Registered Domain

Hi there,

I need, at least two times, to generate certificates for 100 or more subdomains.

I am aware that I could generate several certificates containing 100 subdomains (according to the limit) and this could be done 20 times a week. But: One could simply inspect the certificate and see all the domains. Sadly, this is not acceptable.

Is there any solution (except waiting till January for wildcard-certificates or waiting for several weeks for the generation)?

Cheers,
Max

Hi @mboehm,

If these certificates are for separate customers and not just for different aspects of one company’s online presence, then you can submit the rate limit adjustment request form, explaining why the existing rate limits are a problem for you.

You should be aware that the people who deal with these requests are rather overloaded and it may take several weeks for your request to be considered, though it should still be considered sooner than the wildcard availability.

Currently this is the only solution. In most cases the possibility of people seeing that domains are hosted by the same infrastructure has not been regarded as a serious problem (for example, many CDNs regularly issue certificates covering dozens of random domains of different customers, and indeed any visitor could discover that these customers are being hosted by the same CDN). I think Let’s Encrypt staff are willing to consider individual requests from people who regard this as a problem for various reasons, but the infrastructure, service, and rate limits haven’t been designed around this case.

Please also bear in mind that all of the certificates are public

https://crt.sh/?Identity=%&iCAID=16418

so, without wildcards, it will also always be possible for people to use the certificates to learn about which subdomains exist.


@schoen, Thank you very much for your detailed answer.

Submitting the form does not make sense for us as we do not need to generate more than 500 subdomains.

> Please also bear in mind that all of the certificates are public

I think that’s the point I have missed. Basically, it makes no difference because it’s public anyways. So either we decide to buy a certificate (not that expensive anymore) or we just need to live with it (I think we’ll decide for the second option).

Note that many pay-for certificate authorities already log to Certificate Transparency as well, and all of them will be required to do so by Google Chrome no later than April 2018.

So purchasing a certificate from a commercial CA won’t help you in that regard.

Part of the industry is pushing back against this a bit (to try to find some option to obscure or redact portions of subdomains), but Google is not very happy with that idea. So the clearest way to hide subdomains in the certificate system as of Google’s deadline would still be to use wildcard certificates.
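As an added illustration (not code from the thread or from Let’s Encrypt), the Python below works out how many certificates the SAN route needs under the limits quoted above (100 names per certificate, 20 certificates per registered domain per week), and which wildcard names would cover the same hosts without listing each one in a public certificate. It assumes the registered domain is the last two labels of each hostname and that a wildcard matches exactly one label, so deeper hosts need their own wildcard.

```python
"""Added example: SAN batching versus wildcard coverage for a list of hostnames.
Limits below are the ones quoted in the thread, not looked up from Let's Encrypt."""
import math
from collections import defaultdict

NAMES_PER_CERT = 100   # names per certificate, as quoted in the thread
CERTS_PER_WEEK = 20    # certificates per registered domain per week, as quoted

def san_batches(hostnames):
    """Split hostnames into SAN groups of at most NAMES_PER_CERT names.
    Every name in a batch is visible to anyone who reads that certificate in CT."""
    names = sorted(set(h.lower().rstrip(".") for h in hostnames))
    return [names[i:i + NAMES_PER_CERT] for i in range(0, len(names), NAMES_PER_CERT)]

def weeks_needed(hostnames):
    """Weeks required to issue all SAN batches under the per-week limit."""
    return math.ceil(len(san_batches(hostnames)) / CERTS_PER_WEEK)

def wildcard_plan(hostnames):
    """Map each host to the single wildcard that would cover it.
    A wildcard covers one label only: a.b.example.com needs *.b.example.com,
    not *.example.com. The registered domain itself (assumed to be the last
    two labels) cannot be covered by a wildcard and is returned separately."""
    covered = defaultdict(list)
    uncovered = []
    for host in sorted(set(h.lower().rstrip(".") for h in hostnames)):
        labels = host.split(".")
        if len(labels) < 3:
            uncovered.append(host)      # apex: still needs a plain SAN entry
            continue
        covered["*." + ".".join(labels[1:])].append(host)
    return dict(covered), uncovered

# Constructed sample: 230 one-label customer hosts, 20 deeper hosts and the apex.
SAMPLE_HOSTS = ([f"customer{i}.example.com" for i in range(230)]
                + [f"api.customer{i}.example.com" for i in range(20)]
                + ["example.com"])

if __name__ == "__main__":
    batches = san_batches(SAMPLE_HOSTS)
    print(f"SAN route: {len(batches)} certificates, {weeks_needed(SAMPLE_HOSTS)} week(s),"
          f" all {sum(len(b) for b in batches)} names disclosed in CT")
    covered, uncovered = wildcard_plan(SAMPLE_HOSTS)
    for wildcard, hosts in covered.items():
        print(f"{wildcard} covers {len(hosts)} host(s) without naming them")
    print("needs a plain SAN entry:", uncovered)
```

Note that each deeper host (api.customerN.example.com) forces its own wildcard name, which still reveals the customerN label in the certificate.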

