Multiple UCC/SAN (multiple subdomain) certs, single common name?

So if you (plan to) have more than 1,980 CNAMEd domains along with 20 of your own, you can:

a.) use no common name as discussed previously

b.) use 1 certificate per primary customer domain

c.) request a rate limit increase

I would prefer b because it’s way easier to automate, sends less bytes over the wire to clients, and requires no special privileges.

But look at any WordPress.com blog and you’ll see did c and they’re yuge. I remember hearing the biggest bottleneck for the Let’s Encrypt team is the Hardware Security Module that stores the intermediate certificate authority’s private key. It can only sign so many certificates so fast. So if you really have a lot of certificates, I think they would want you to just request an exemption.

Though “officially” I guess they are ambivalent:

Our issuance policy allows for up to 100 names per certificate. Whether you use a separate certificate for every hostname, or group together many hostnames on a small number of certificates, is up to you.

Using separate certificates per hostname means fewer moving parts are required to logically add and remove domains as they are provisioned and retired. Separate certificates also minimize certificate size, which can speed up HTTPS handshakes on low-bandwidth networks.

On the other hand, using large certificates with many hostnames allows you to manage fewer certificates overall. If you need to support older clients like Windows XP that do not support TLS Server Name Indication (SNI), you’ll need a unique IP address for every certificate, so putting more names on each certificate reduces the number of IP addresses you’ll need.

For most deployments both choices offer the same security.

1 Like

Hi @jaddison,

Other people’s answers are correct at a technical level, and I just wanted to point out that you’re also correct that the renewal rate limit logic is not really optimized for the case where you’re getting certificates for other people’s names that you don’t control the ownership/availability/deployment of, because it does tend to assume that you won’t be involuntarily and unexpectedly be deprived of particular names that you had issued for previously.

I also agree that you have the different options described by @Patches in response to this, and conceivably any of them might work.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.