I (co)admin communities hosted on servers, where each server uses just one IPv4 address (and multiple IPv6 addresses). For years, almost a decade now, I've been using one certificate for lists of domain names (and started using wildcard subdomain names when that became possible), especially when their names resolve to one and the same IPv4 address. My thought behind it is: since these domain names all link to the same IPv4, there's no valid reason to separate their certs per domain name. They run mail, web and some special services all on the same IPv4 and IPv6, and I've created clusters for reliability of those services. So what I do is just add domain names to, or remove them from, the one certificate (*.domain1.org, domain1.org), as people/users come and go, per server.
I have never measured this, but I just read this in LE documentation:
"You can combine multiple hostnames into a single certificate, up to a limit of 100 Names per Certificate. For performance and reliability reasons, it’s better to use fewer names per certificate whenever you can. A certificate with multiple names is often called a SAN certificate, or sometimes a UCC certificate."
Can someone explain to me how one cert for, say, 50 names would be detrimental to performance, compared to 1 cert per name? Especially considering the required config change per postfix, dovecot, nginx, etc., which all need to load and serve separate files from the exact same hardware, not to mention the extra complexity (and administrative overhead) added for that to work fluently. I'd say, from a caching perspective alone, performance would benefit from having 1 cert, 1 key, 1 chain, etc. per server, no? The cert files are already in RAM, they need fewer update pulls/checks, so network traffic too is way down using one cert (also for LE machines), as is their reliability, especially if all domain names' users are in the same region, area of interest, or financial dependency.
So, my question: how would a cert per name be beneficial over one cert for all names (and subdomain names)?
I've been forced to use both options (the cert separation in dovecot/postfix etc. as well as one cert per multiple names) for years now, but the SAN cert for many names by far out-competes performance as far as my impressions go from how we use them.
The only valid complaint against such an option would be that person/user/name owner x does not want to be linked to person/user/owner y, or one of the name owners is a really bad ransomware botnet spammer or something. But that's not happening for our use case. The opposite, rather. Which makes the domain name owners happier than when their cert would just be for their one name, as there is a certain pride involved in being connected to owners x, y, z as well.
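One part of the "performance" argument can actually be measured: the leaf certificate is sent in every TLS handshake, and its SubjectAltName extension grows with every name in it. The script below is an added example, not code from the original post or from Let's Encrypt. It DER-encodes the SAN list exactly as X.509 lays it out (RFC 5280 GeneralNames, dNSName entries) so the byte counts are real, and it decodes the result back to check the encoding. The domain names are constructed; key, signature and chain are assumed constant and are not modelled, because they do not change with the number of names.

```python
"""Added example: how much an X.509 SubjectAltName extension grows per hostname.

Only the SAN extension is modelled. Everything else in the certificate (key,
signature, issuer, other extensions) is assumed to be the same whether the
certificate carries one name or a hundred, so it is left out of the count.
"""
from typing import Iterable, List, Tuple

LE_NAME_LIMIT = 100  # "up to a limit of 100 Names per Certificate" (quoted above)


def der_length(n: int) -> bytes:
    """DER length octets: one byte below 128, otherwise 0x80|count then the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_san(names: Iterable[str]) -> bytes:
    """GeneralNames ::= SEQUENCE OF GeneralName.

    dNSName is GeneralName choice [2], an IMPLICIT IA5String, so its tag byte is
    0x82 (context-specific, primitive, number 2). 0x30 is SEQUENCE.
    """
    entries = b"".join(der_tlv(0x82, n.encode("ascii")) for n in names)
    return der_tlv(0x30, entries)


def _read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Parse DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def decode_san(der: bytes) -> List[str]:
    """Inverse of encode_san. Rejects anything other than dNSName entries."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = _read_length(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("trailing data after SEQUENCE")
    names = []
    while pos < end:
        if der[pos] != 0x82:
            raise ValueError(f"unsupported GeneralName tag {der[pos]:#x}")
        length, pos = _read_length(der, pos + 1)
        names.append(der[pos:pos + length].decode("ascii"))
        pos += length
    return names


def names_for_domains(domains: Iterable[str], wildcard: bool = True) -> List[str]:
    """Build the SAN list the post describes: domain plus its wildcard."""
    names = []
    for d in domains:
        names.append(d)
        if wildcard:
            names.append("*." + d)
    return names


def within_le_limit(names: Iterable[str]) -> bool:
    return len(list(names)) <= LE_NAME_LIMIT


def san_bytes(names: Iterable[str]) -> int:
    return len(encode_san(names))


def per_handshake_overhead(domains: List[str], wildcard: bool = True) -> int:
    """Extra SAN bytes a one-cert-for-all leaf carries, compared with a cert that
    covers only the first domain. Every client of every hosted domain pays it on
    each full handshake, because the leaf certificate is always sent."""
    single = san_bytes(names_for_domains(domains[:1], wildcard))
    combined = san_bytes(names_for_domains(domains, wildcard))
    return combined - single


if __name__ == "__main__":
    domains = [f"domain{i}.org" for i in range(1, 51)]  # constructed sample
    for count in (1, 10, 50):
        names = names_for_domains(domains[:count])
        print(f"{count:>2} domains -> {len(names):>3} names, "
              f"SAN extension {san_bytes(names):>5} bytes, "
              f"within LE limit: {within_le_limit(names)}")
    print("extra bytes per handshake for all 50 vs one:",
          per_handshake_overhead(domains))
```

Each dNSName costs its length plus two bytes, so 50 domains with wildcards (100 names, the Let's Encrypt maximum quoted above) add on the order of 1.5 KB to every full handshake, for every visitor of every domain on the server. That is real but small next to an RSA leaf plus intermediate chain, which is why the caching argument in the post is not unreasonable. The "reliability" half of the documentation's advice is a different mechanism that no byte count captures: an ACME order validates every name it contains, so a single failed challenge for one domain blocks issuance or renewal for all the others on that certificate.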