Multi domains on server, one cert

Hi. Can someone point me to the right documentation? I can’t find it… sorry for the silly question.
But I have a server with multiple domains.
And when I issued certificates with certbot the regular way, it works.
But when I click on the certificate in the browser I can see all domains.
As I understand it, that means one certificate for all domains. This is very unwanted;
those domains are unrelated and shouldn’t be exposed in public together like this.
How can I issue separate certificates for each domain and combine only the subdomains?

1 Like

Try to answer the questions you deleted:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

This is not about a problem. It is just a general question.

Hi @megaspy

I don’t understand your question.

If you have created one certificate with a lot of domain names, you should know how to create a lot of certificates only with (sample) domain.com + www.domain.com + one-subdomain.domain.com.

Then you have a lot of separated certificates instead of one big certificate.

So your general question isn’t a real problem.

But to create such different certificates, you need a correct list of vHosts. So it’s a configuration specific question.

2 Likes

As I said, it is probably a stupid question and I should have researched it myself.

So what I did: I just generated certificates with this:
sudo certbot --apache

and it works.
Just after a while I checked my certificate in the browser and noticed I could see all domains,
not just subdomains… all the domains from the server are there.
I don’t want the domains to be seen together in public like this.

1 Like

So you do not want all of your domains to be seen in the certificate? That would go against the whole transparency policy of the certificates, wouldn’t it? Did you miss this part of the sentence in the template you were presented with when you opened this topic?

“Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. [https://crt.sh/?q=example.com])…”

Hi @JimPas

that’s a different problem.

If a user visits domain-a.com and sees only a certificate with domain-a.com, www.domain-a.com, blog.domain-a.com, he doesn’t know anything about other domains on the same server.

He doesn’t know if domain-b.com exists and (if it exists) if that domain uses the same server / service.

He can test it manually. But that’s only manual, domain by domain, not a complete list like the SAN list in a certificate.

So: having your own domains on one server, it may not be relevant.
Having a lot of customer domains on one server, certificates should be created per domain. Not one certificate with 50 or 100 different customer domains.

Certificates are public. But if you don’t know the names, you have to find the certificates.

2 Likes

Then Certbot should show a list and you shouldn’t select something like “All” (don’t know the exact output).

You must have a correct list of vHosts to create different certificates. Then you can select single domains and you can create a certificate per main domain.

2 Likes
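As an added example (not code from the thread or from Certbot itself), the following script takes the vHost list the answer above asks for, groups the hostnames by their registrable domain, and prints one certbot invocation per group, so each unrelated domain (with only its own subdomains) gets its own certificate. The `-d` and `--cert-name` flags are real Certbot options; the hostnames in `SAMPLE_HOSTS` are constructed, and the script assumes the registrable domain is the last two DNS labels, which is wrong for public suffixes such as co.uk and would need adjusting there. Commands are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Certbot.
# Group hostnames by registrable domain and emit one certbot command
# per group, so unrelated domains never share a SAN list.
export LC_ALL=C

# base_domain: print the last two labels of a hostname.
# Assumption: two-label registrable domains (example.com); public
# suffixes such as co.uk need a different rule.
base_domain() {
    printf '%s\n' "$1" | awk -F. '{
        if (NF < 2) print $0; else print $(NF-1) "." $NF
    }'
}

# cert_commands: read hostnames (one per line) on stdin and print one
# "certbot --apache" line per registrable domain, with every hostname of
# that domain passed as its own -d flag. The apex name is listed first
# and also used as --cert-name so the lineage is easy to find later.
cert_commands() {
    sort -u | while IFS= read -r host; do
        [ -n "$host" ] || continue
        base=$(base_domain "$host")
        # Sort key 0 puts the apex before its subdomains.
        if [ "$host" = "$base" ]; then rank=0; else rank=1; fi
        printf '%s %s %s\n' "$base" "$rank" "$host"
    done | sort -k1,1 -k2,2n -k3,3 | awk '
        {
            if ($1 != cur) {
                if (cur != "") print line
                cur = $1
                line = "certbot --apache --cert-name " cur
            }
            line = line " -d " $3
        }
        END { if (cur != "") print line }
    '
}

# Constructed sample vHost list: two unrelated domains plus subdomains.
SAMPLE_HOSTS='www.domain-a.com
domain-a.com
blog.domain-a.com
domain-b.com
www.domain-b.com'

# demo: run the grouping over the sample list and print the commands.
demo() {
    printf '%s\n' "$SAMPLE_HOSTS" | cert_commands
}

demo
```

After running the printed commands, `certbot certificates` lists each lineage separately, and the SAN list of any one of them can be checked locally with `openssl x509 -in /etc/letsencrypt/live/<cert-name>/cert.pem -noout -ext subjectAltName` (replace `<cert-name>` with the name given to `--cert-name`); only that domain's own names should appear.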
