Nope. It’s *.project.employee.company.com, one per combination of employee and project name. If only certs could be issued to *.*.company.com.
Real world example:
- Users Stephan and Marcus
- Projects Coke, Amazon
- Multiple host names per project
Results in:
- emea.coke.stephan.company.com
- usa.coke.stephan.company.com
- cdn1.coke.stephan.company.com
- cdn2.coke.stephan.company.com
- emea.coke.marcus.company.com
- usa.coke.marcus.company.com
- cdn1.coke.marcus.company.com
- cdn2.coke.marcus.company.com
- emea.amazon.stephan.company.com
- usa.amazon.stephan.company.com
- cdn1.amazon.stephan.company.com
- cdn2.amazon.stephan.company.com
- emea.amazon.marcus.company.com
- usa.amazon.marcus.company.com
- cdn1.amazon.marcus.company.com
- cdn2.amazon.marcus.company.com
And now there’s not 2 developers but 10, there’s not 2 projects but 50, and there’s not only USA and EMEA but up to 30 divisions per project.
That’s up to 15’000 domain names in the range of *.*.company.com, distributed over 500 virtual machines on 10 laptops.
Of course they don’t all run at the same time but one after another. And this is the very reason I can’t simply put LE on all of them: I’d run into rate limits after three or four days.
Regards,
Stephan.
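
The naming scheme described in the post above, as an added example that is not part of the original post: certificate wildcards cover exactly one left-most label, so each employee/project pair needs its own `*.project.employee.company.com` name. The function names and the constructed user, project and host lists are assumptions taken from the post's example.

```python
from itertools import product

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Certificate-style match: '*' is honoured only as the whole left-most
    label and stands for exactly one label (it never spans a dot)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # *.company.com cannot cover a.b.company.com
    if any("*" in label for label in p[1:]):
        return False              # *.*.company.com is not a usable pattern
    if p[0] != "*" and p[0] != h[0]:
        return False
    return p[1:] == h[1:]

def covering_wildcards(hostnames):
    """Smallest set of single-label wildcards that covers every hostname."""
    return sorted({"*." + name.split(".", 1)[1] for name in hostnames})

def build_hostnames(users, projects, hosts, base="company.com"):
    """host.project.user.base for every combination, as in the post."""
    return [f"{h}.{p}.{u}.{base}" for u, p, h in product(users, projects, hosts)]

# Constructed sample data mirroring the post's small example.
USERS = ["stephan", "marcus"]
PROJECTS = ["coke", "amazon"]
HOSTS = ["emea", "usa", "cdn1", "cdn2"]

if __name__ == "__main__":
    names = build_hostnames(USERS, PROJECTS, HOSTS)
    wildcards = covering_wildcards(names)
    print(f"{len(names)} hostnames need {len(wildcards)} wildcard names:")
    for w in wildcards:
        covered = [n for n in names if wildcard_matches(w, n)]
        print(f"  {w} covers {len(covered)} hosts")
    # A single company-wide wildcard covers none of them.
    print(any(wildcard_matches("*.company.com", n) for n in names))
```
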