I just ran across an LE certificate that has dozens of weird Common Names and dozens of weird Subject Alternate Names and the website in question is listed as one of the SAN domains.
Just wondering if this is normal for a certificate? I thought that certificates were supposed to be “owned” by a single entity since it vouches for that domain being owned by that entity…correct? Or not?
I guess I’m just asking for where to find more information on this to understand why so many disparate domains are listed in these single certificates. At first I thought it’s a hacker registering a ton of domains to perform nefarious deeds, but now I’m not sure. Perhaps the LE system stacks domains into a SAN in order to save database space or something?
One Let's Encrypt certificate may have a maximum of 100 SAN domains. It's possible to use *.example.com + example.com, or example.com + www.example.com. But it's also possible to have one certificate with 50 www domain names and the 50 non-www domain names.
Some software allows only one certificate per virtual host. And (without SNI) only one certificate per IP address.
So if someone manages 20 to 40 domains with one virtual host or with one IP address, then it may be easier to use only one certificate.
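A way to look at a certificate's SAN list yourself, as an added example that is not part of this thread: the script below builds a self-signed test certificate carrying six made-up SANs (the www/non-www pairing the reply above describes), then reads the names back with `openssl x509`, which is the same inspection you would run on the real certificate. The domain names, file paths and the 100-name check are assumptions for illustration, not anything from the original post.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a self-signed test certificate
# with several DNS SANs (made-up names) and reads the SAN list back.
set -eu

WORK=$(mktemp -d)

# Constructed domain list: www and non-www names for three hypothetical sites.
SANS="DNS:example.com,DNS:www.example.com,DNS:example.net,DNS:www.example.net,DNS:example.org,DNS:www.example.org"

# Write an OpenSSL config so this also works on OpenSSL versions without -addext.
# Prints the path of the generated certificate.
make_cert() {
  cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = example.com
[v3_req]
subjectAltName = $SANS
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -config "$WORK/san.cnf" >/dev/null 2>&1
  echo "$WORK/cert.pem"
}

# Print the certificate's DNS SANs, one per line.
list_sans() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Number of DNS SANs in the certificate.
count_sans() {
  list_sans "$1" | wc -l | tr -d ' '
}

# Let's Encrypt caps a single certificate at 100 SANs.
# Returns 0 when within the limit, 1 when over it.
check_san_limit() {
  n=$(count_sans "$1")
  if [ "$n" -gt 100 ]; then
    echo "over Let's Encrypt limit: $n names"
    return 1
  fi
  echo "within limit: $n names"
}

CERT=$(make_cert)
echo "Subject: $(openssl x509 -in "$CERT" -noout -subject)"
list_sans "$CERT"
check_san_limit "$CERT"
```

To run the same check against a live site instead of the test file, feed `openssl x509` the certificate returned by `openssl s_client -connect host:443 -servername host </dev/null`; the Common Name is just one field in the subject, while the SAN extension is the list browsers actually match the hostname against.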
Probably not. Going by the pantheonsite.io common name in the certificate, the certificate was probably generated by the hosting company Pantheon for installation on their own servers on behalf of a group of their customers.
Hmmm. Note that there is a “wa.gov” domain in there also, which is most definitely not owned by any company other than the government of the State of Washington. Thus my concern…
…unless…you’re actually saying that the gov’t website is hosted with a non-gov’t ISP? That would be bizarre, especially since it relates to “privacy” LOLOL…