Question re: SAN certs


#1

I just ran across an LE certificate that has dozens of weird Common Names and dozens of weird Subject Alternate Names and the website in question is listed as one of the SAN domains.

Just wondering if this is normal for a certificate? I thought that certificates were supposed to be “owned” by a single entity since it vouches for that domain being owned by that entity…correct? Or not?

I guess I’m just asking for where to find more information on this to understand why so many disparate domains are listed in these single certificates. At first I thought it’s a hacker registering a ton of domains to perform nefarious deeds, but now I’m not sure. Perhaps the LE system stacks domains into a SAN in order to save database space or something?


#2

Hi @mushu

One Let's Encrypt certificate may have a maximum of 100 SAN domains. It's possible to use *.example.com + example.com, or example.com + www.example.com. But it's also possible to have one certificate with 50 www domain names and the 50 non-www domain names.

Some software allows only one certificate per virtual host. And (without SNI) only one certificate per IP address.

So if someone manages 20 - 40 domains with one virtual host or with one IP address, then it may be easier to use only one certificate.


#3

For example, take a look at cloudflare’s free universal certificates…

(those 100+ DNS entries make people think the sites are crappy… but they are just trying to save space or boost their speed etc…)


#4

Thanks. So please explain the cert for this domain to me: borealbirds.org

Does this mean a single company “owns” every one of those domains? I think not…


#5

Probably not. Going by the pantheonsite.io common name in the certificate, the certificate was probably generated by the hosting company Pantheon for installation on their own servers on behalf of a group of their customers.


#6

Hmmm. Note that there is a “wa.gov” domain in there also, which is most definitely not owned by any company other than the government of the State of Washington. Thus my concern…

…unless…you're actually saying that the gov't website is hosted with a non-gov't ISP? That would be bizarre, especially since it relates to "privacy" LOLOL…


#7

There are exactly 100 domain names.

That may be created by a hosting company. So 50 - 100 customers share the hosting and the certificate.


#8

https://www.governor.wa.gov/ also has this certificate. So the website is hosted there.


#9

Ownership is one thing. It’s common enough for governments to outsource services.

https://governor.wa.gov/, https://www.governor.wa.gov/ and https://privacy.wa.gov/ are hosted by Pantheon.
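As an added example (not code from any post in this thread) of what the replies above describe: given a certificate's SAN list, which hostnames the certificate is valid for and how many distinct domains share it. The SAN list below is constructed to resemble the shared-hosting certificate being discussed, the 100-name limit is the one stated in post #2, and the wildcard rules follow RFC 6125 (a wildcard covers exactly one left-most label); browsers validate the hostname against the SAN list, not the Common Name.

```python
"""Inspect a certificate's SAN list the way a browser does (added example)."""
from collections import defaultdict

# Per-certificate SAN limit for Let's Encrypt, as stated in the thread.
LE_MAX_SANS = 100

# Constructed sample SAN list modelled on the shared-hosting certificate the
# thread discusses; the entries are illustrative, not copied from a real cert.
SAMPLE_SANS = [
    "*.pantheonsite.io", "borealbirds.org", "www.borealbirds.org",
    "privacy.wa.gov", "governor.wa.gov", "www.governor.wa.gov",
]


def label_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: a wildcard covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split(".")[1:], host.split(".")
    # "*.example.com" must match "a.example.com" only: never "example.com"
    # (too few labels) and never "a.b.example.com" (wildcard spans one label).
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def covering_sans(sans, host):
    """Return the SAN entries that make this certificate valid for `host`."""
    return [s for s in sans if label_matches(s, host)]


def registrable_domains(sans):
    """Group SAN entries by their last two labels: a rough 'who is behind
    this name' view. It is a heuristic, not a public-suffix lookup, so it
    is wrong for names like example.co.uk; good enough to spot that a
    100-name certificate spans many unrelated organisations."""
    groups = defaultdict(list)
    for s in sans:
        labels = s.lstrip("*.").split(".")
        groups[".".join(labels[-2:])].append(s)
    return dict(groups)


def within_le_limit(sans) -> bool:
    """True if the SAN count fits in one Let's Encrypt certificate."""
    return len(sans) <= LE_MAX_SANS


if __name__ == "__main__":
    print(covering_sans(SAMPLE_SANS, "www.borealbirds.org"))
    for domain, names in registrable_domains(SAMPLE_SANS).items():
        print(f"{domain}: {len(names)} name(s)")
```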

