More subdomains

Hello, let's see if someone could help me, I have a Let's Encrypts certificate but it only gives me 100 subdomains and I need 189, I have the page hosted at OVH, can someone tell me how I can reach 189 with a single certificate? Thank you very much

Not through Let's Encrypt, and I'm guessing it's tricky at best with other CAs as well. When you get that many, it's generally easier on everyone (your servers, your bandwidth, and generally trying to maintain it) to use different certificates for different domain names.


ZeroSSL offers more than 100 SAN entries for free using their ACME API. See ACME CA Comparison - Posh-ACME. You can find more info about ZeroSSLs ACME service at ACME Documentation - ZeroSSL

I've just checked and can confirm: I'm now the proud owner of a 9.5 kB certificate containing 200 SAN entries :rofl:


Handshake times increase significantly though once you overdo it with SANs:

1000 SANs in a single cert; Currently expired so verification tests are difficult. Most clients do take their time here, especially if they have to search through the SAN-list for the name they are looking for.

10000 SANs. This certificate is so big (~ 200 KB in DER) that handshakes fail on most TLS implementations. The TLS handshake wire data looks correct from my point of view*, but neither Wireshark nor OpenSSL clients are able to correctly reassemble the fragemented certificate chain. There are some reports that Safari (used to be) able to handle this, but never had the chance to test.

So, back to the real world: Too many SANs is not going to help you, but put you in more pain. You should seriously consider splitting up your setup into multiple certificates. Performance and client compatibility will thank you.

*I can see fragmented TLS records for the certificate message. A single TLS record can never exceed 16 KiB, so certificates of this size have to be fragmented. The fragments look complete to me, but so far I haven't found a client that is able to reassemble it. This may indicate that the data is corrupted somewhere (due to buffer limits perhaps), but that's difficult to see without a working protocol dissector.


Hi @Gloria, and welcome to the LE community forum :slight_smile:

Since you mention "subdomains" (without any other description/explantation)...
I will shoot for the one and done, with:
Why not get a wildcard cert?
It can cover a ton of subdomains [if each digital kb could be weighed].


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.