Multiple Wildcard Certificates for One Domain


#1

Hi All

Hopefully this has been answered before; I had a quick look but couldn't find anything.

We have multiple customers (accounts).

One of the services we offer is automatic generation of gateway names using DNS.

For example, if you deploy an MQTT gateway we automatically assign mqtt-gatewayxxxx.our-domain.com.

We are now looking at how to automatically secure these as well.

In an ideal world we would be able to have a *.our-domain.com certificate per customer (so a private key is the same for one customer but not across all customers)

Is this an ideal design? Are there other ways we could do this?

A second design is that we manage just one certificate and share it with all customers but don't let them know the private key (i.e. inject it when the gateway is spun up).

Andrei


#2

Both designs allow customers to impersonate each other.

Perhaps your service can generate a private key and certificate for the device, during the registration of the device to your service.

This way, no private keys are shared between devices and certificate names are appropriately constrained (e.g. to mqtt-gatewayxxx.our-domain.com).

I am sure that Let’s Encrypt would give you an appropriate rate limit exemption for such an IoT scenario, so that your service can generate and distribute new certificates on-demand (at device registration time and then subsequent renewals).


#3

Does the client actually need a wildcard? I.e., does one client get multiple hostnames? Or only one mqtt-gatewayxxx.example.com?

Because if the client doesn’t need multiple hostnames, you might just offer a single SAN cert. Don’t bother getting a wildcard.

If your client actually gets multiple hostnames, you might want to consider giving every client his/her own subdomain: mqtt-gateway.xxxx.example.com, so you can get a certificate for *.xxxx.example.com.
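The difference between the three designs in this thread, checked with Go's standard-library x509 package. This is an added example, not code from any of the posters or from Let's Encrypt: a throwaway CA built inside the program stands in for Let's Encrypt so the code runs offline, our-domain.com is the questioner's placeholder, and the gateway numbers and the customer labels cust42/cust99 are made up. It shows why a shared *.our-domain.com certificate is accepted for every gateway name (post #2's impersonation point), why a per-gateway certificate with a fresh key is accepted only for its own name, and why a per-customer wildcard (post #3) is accepted inside that customer's subdomain but not for another customer's or for the parent zone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testCA is a throwaway issuing CA constructed for this example so that it
// runs offline. It stands in for Let's Encrypt: in a real deployment the
// leaf certificates issued below would come from an ACME order instead.
type testCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	next int64 // serial-number counter
}

func newCA() (*testCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &testCA{cert: cert, key: key, next: 1}, err
}

// issue generates a fresh private key on every call and a leaf certificate
// whose subjectAltName list is exactly the names given. A fresh key per
// call is the point of post #2: nothing is shared between gateways.
func (ca *testCA) issue(dnsNames ...string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ca.next++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.next),
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// validFor reports whether a TLS client connecting to host would accept
// cert: the chain must verify against the CA and a SAN must match host,
// with the usual single-label wildcard rule.
func (ca *testCA) validFor(cert *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	ca, err := newCA()
	if err != nil {
		panic(err)
	}
	shared, _, _ := ca.issue("*.our-domain.com")                // the question's shared wildcard
	device, _, _ := ca.issue("mqtt-gateway0001.our-domain.com") // post #2: one cert per gateway
	customer, _, _ := ca.issue("*.cust42.our-domain.com")       // post #3: per-customer wildcard (cust42 is made up)
	for _, h := range []string{
		"mqtt-gateway0001.our-domain.com",
		"mqtt-gateway0002.our-domain.com",
		"mqtt-gateway.cust42.our-domain.com",
		"mqtt-gateway.cust99.our-domain.com",
	} {
		fmt.Printf("%-36s shared=%-5t device=%-5t customer=%-5t\n", h,
			ca.validFor(shared, h), ca.validFor(device, h), ca.validFor(customer, h))
	}
}
```

The shared wildcard row comes out true for both gateway names, which is the impersonation problem: whoever holds that one key can present it as any gateway. The per-gateway certificate is true only for its own name, and the per-customer wildcard is true only under cust42. One caveat for the post #3 design: Let's Encrypt issues wildcard certificates only through the DNS-01 challenge, so the service would need API access to the zone to prove control of each customer's subdomain.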


#4

In addition to the good suggestions above, you may want to submit your domain to the Public Suffix List. Let’s Encrypt uses it to control rate limits, and it offers many other advantages too.


#5

Thanks all for the suggestions and feedback :smiley: