Multiple domains under ONE certificate... several IP addresses?


A newbie here when it comes to SLL certificates.

Can you please educate me in one issue?

I would like to use ONE certificate to validate multiple domains…

  • do I need a separate IP address for each domain? they’re hosted in a provider’s semi-dedicated service and my thought was purchasing one address only to serve three domains and two subdomains.

  • do all the domains have to be hosted in the same server?

Thanks for your patience, I am trying to understand the basics of this.

Hi @EnricM,

No, you can use a single IP address for as many domains as you want.

With some Let's Encrypt clients, it can be inconvenient to issue a single certificate for multiple names that aren't all pointed on the same machine where you run the Let's Encrypt client software. There are various ways to do this¹, but the simplest case for certificate issuance is certainly found when all the names point at the machine where you run the client. This is because the most common and simplest way to prove your control over a domain name is to create a file on a web site as requested by the CA. This is easiest to do if that web site is hosted on the same server where the Let's Encrypt client is running, because then the Let's Encrypt client can simply create the file at an appropriate location on the same machine and the validation can succeed as a result.

After the certificate has been issued, there are no restrictions on how many separate machines you can use it on simultaneously. However, we recommend using an approach that allows for automated renewal of the certificate; Let's Encrypt certificates currently only last for 90 days. When you renew the certificate, you'll need to re-perform the validation of your control over the names covered by the certificate, which poses exactly the same challenges as the initial certificate issuance did.

¹ For example, you can delegate the ability to obtain Let's Encrypt certificates for one machine to another machine by using an HTTP 301 redirect for the /.well-known/acme-challenge path. Also, if you have a DNS provider API where you can make changes to your DNS zone automatically from software, you can instead use the DNS method to issue certificates and then it doesn't matter where you run the Let's Encrypt client, as long as the machine where it's running has appropriate DNS API credentials. There's also a concept of a "remote webroot" in GetSSL and probably some other Let's Encrypt clients, where you can tell the client how to upload validation files to other servers and then it can do this when necessary to complete the validation step on those other machines.

1 Like

Quick reponse, concise and crystal clear.
Thanks a million.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.