Looking for explanation for using wildcard on two servers

At the moment I am using a wildcard certificate on a server which I renew with the bot.

This server is called: x.mydom.de []
Everything is going well.

Now I have another cloud server. Own IP and A record.
This server is called: y.mydom.de [321.321.321.455]

I would now like to have the certificate renewed on x.mydom.de and then transferred to y.mydom.de.

What should I do, especially under the condition that I still want to operate many other servers (1000) with the certificate, to get the certificates on the servers

A - to use
B - to update after a renew.

C - (possibly done by A)
How do I transfer the existing certificate from x.mydom.de to y.mydom.de for the first time when creating the server?

Welcome to the community @joob !

The certs are just files so use any secure file transfer method you prefer. I would copy all the files even if you do not use all of them today - cert.pem, chain.pem, fullchain.pem, and privkey.pem

Another way is to have one server manage (issue, renew) the certs and store them in a secure secrets location. Then, all your other (1000) servers can get them from there when they start up and periodically like daily.

For all methods, make sure the file transfer is secure so you do not expose your private key to outsiders.


Is that IPv5+ ?


If you can automate issuing certs via DNS-01, then each server can have its own cert(s).

I hope you are using wildcard certs wherever possible.


Thanks for the help.

The server x.mydom.de would then be my server for certificate management, which already works. From this I would then transfer the certificates to the other servers.

For this I would use a script and start it in a CronJob.
Is it correct that way?

Which file transfer program would you recommend?
Can problems arise when overwriting the Cert files when distributing?

Yes, I use a wildcard certificate.

The IPs are not valid, they should only show that the server has its own IP

@joob I know little about your infrastructure, so it is difficult to comment on general server admin. And even if I did know, that is beyond the scope of this forum. There are many places to learn different strategies for large scale server admin.

Yes, make sure the set of cert files copy cleanly before using. Numerous ways to do this.

You should review this topic too:


Rudy tell joke - was funny :slight_smile:


Yes, I think we can all agree.
As with:

Also equally invalid.


Ok, first of all thanks for the quick help.

I then look around for solutions for copying / synchronizing the files.
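
One way to handle the "copy cleanly before using" advice and the overwrite concern raised above, as an added example that is not part of any post in this thread. The directory layout (`releases/<id>` plus a `live` symlink), the `SHA256SUMS` manifest name and the function names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Assumed layout on each receiving server:
#   $base/releases/<id>/{cert,chain,fullchain,privkey}.pem   one directory per copy
#   $base/live -> releases/<id>                              what the web server reads
# The manifest name SHA256SUMS and all function names are hypothetical.
# The checksums catch truncated or partial copies only; protection against
# tampering and key exposure has to come from the transport (e.g. SSH).

CERT_FILES="cert.pem chain.pem fullchain.pem privkey.pem"

# Issuing server: write a checksum manifest next to the four PEM files.
make_manifest() {   # $1 = directory holding the PEM files
    ( cd "$1" && sha256sum $CERT_FILES > SHA256SUMS )
}

# Receiving server: succeed only if every file is present, non-empty and
# matches the manifest that was produced on the issuing server.
verify_staged() {   # $1 = staged release directory
    for f in $CERT_FILES SHA256SUMS; do
        [ -s "$1/$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 ) ||
        { echo "checksum mismatch in $1" >&2; return 1; }
}

# Receiving server: verify first, then repoint "live" with a single rename(2),
# so a reader never sees a new cert paired with an old key.
activate() {        # $1 = base directory, $2 = release id
    verify_staged "$1/releases/$2" || return 1
    chmod 600 "$1/releases/$2/privkey.pem" || return 1
    ln -s "releases/$2" "$1/live.new.$$" || return 1
    mv -T "$1/live.new.$$" "$1/live"     # GNU mv: -T replaces the old symlink
}
```

After `activate` succeeds, reload the web server so it picks up the new files; a failed verification leaves `live` pointing at the previous release.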


Don't discount my suggestion on obtaining certs individually (via DNS-01 - as required for wildcards).
Simply because I used (poor) humor - LOL

I can't see how having two equal certs, or two identical certs, can be that big of an issue in practice.


Everything ok, this is my first time writing here and I didn't want to annoy anyone.

I don't think I understood your suggestion.
If I do it the way Mike suggests, I will have the wildcard certificate and it will always be the same on all servers.

If I understand you correctly, you are saying that I should run a CertBot on each server and use a separate certificate there.

I can see that I have a lot of problems with my plan that I haven't solved yet. I also create dependencies and possibly a security problem for all servers if the PrivateKey falls into the wrong hands.

Did I understand you correctly that you suggest not applying for a wildcard certificate, but a separate one for each subdomain? In that context, I've heard that there are restrictions there that could cause me problems.

Is that right?

I guess not.

I'm saying that if you are able to get a wildcard cert (on server A), then you can repeat that exact same setup and get another similar wildcard (on server X).
Where A and X never have to speak with one another (about certs).

Yes, there are several different rate limits that must always be obeyed.
See: Rate Limits - Let's Encrypt (letsencrypt.org)
In your situation, how many individual systems would need to hold a similar cert?

This part is confusing to me:

All servers will need both parts of their certs (public and private) to encrypt and decrypt.
So, there isn't a (simple) way to NOT have a private key and decrypt.
If you use the same exact cert on all servers, then they will all have the same private key.
If you generate individual certs, then they have different private keys.


Well, if they all have a certificate that covers all the domains, it doesn't really matter which one is compromised - they will have a certificate for *.domain.com

want to operate many other servers (1000) with the certificate,

Sounds like OP wants to have 1000s of servers with the same certificate? I'd ask if it really needs a wildcard for all of those servers, or whether he wants to share the certificate because he got hit by the 50 certs per base domain limit - maybe a rate limit increase is what should be done?


OK I think I read 1000 as the number of certs.
But 1000 is the number of servers.
Yes, that is a much bigger problem!

I think that may be the best thing in the end.
Until then, they may have to share certs.


Make a CSR and do a key deploy one time, and keep that key for certificate renewals with the --csr option? (Does LE care about lifetime or expiration of the CSR?) Now the certificate is public, so you can just post it on GitHub or something.


No, the same CSR can be used over and over.
(until it can't - like if the private key is found in the wild and banned).


I think I have to explain why I wrote 1000.

I have a Java program that runs on the customer servers and uses a header server for various functions.

The header is responsible for the data exchange between the customer servers and for verification. When exchanging data, various data are exchanged, but usually files (multimedia, zips ...) which are then processed in the customer system. The data that are exchanged are stored on the customer's own server until they are released and are downloaded from the customer's server when requested, directly to the requesting customer's server.

The customers only work on your server.

I wanted to simplify the construction so that all servers have the same domain and only the subdomain changes. Hence the wildcard certificate.

In this context, of course, I have to plan something that is not subject to any restrictions with regard to the customer servers.

That is the context.

Correction: The Java program runs on the local machine of the customer and uses the customer server.

Then it forbids sharing the private key between them, same reason why drmlocal.cisco.com was revoked: a fixed key shipped to a customer will be considered compromised: