Limits in Public Suffixes List


I would to clarify about the way how Let’s Encrypt interacts with public domains that belongs to Public Suffixes List.
If I let’s say have my enterprise domain and I would like to have shared subdomain for my customers, for example.
Then my customers are running their own apps by urls
The domain is added to PSL respectively so they are considered as independent enteties.
Basically the question is:
Will my customers be able to issue their own LE certificates for their websites (like if the number of issued certificates have already reached its limit for the base domain ?
Thank you in advance!

1 Like

I’m not quite sure how your base domain would affect, but from the rate limit determination of *, each of the subdomains are considered as a “new domain” for rate limit purpose. (So you can imagine your would effectively become something similar to a domain extension)

Example:’s rate limit will not appear on 2…

However, if these apps are hosted on your server, maybe you want to consider getting a wildcard certificate for all subdomains of


Yes, they will each have their own rate limits.

There is something you need to keep in mind, though: you won’t be able to get a certificate for – it would be just like asking for a certificate for .com. I don’t know how this applies to

So you should probably register a second domain and put that one in the PSL.


@9peppe Thank you for your replies here, they helped me also. I just wanted to point out that according to this Wildcard certificates and Public Suffix List you can issue a LE certificate for a domain that’s in the private section of the Public Suffix List, just not for one in the ICANN section (.com, .org, etc.). So, unless something has changed since @jsha’s reply in that post, @jacky.jones should be able to get a certificate for

1 Like