Hi,
While our university has an (indirect) agreement with a commercial CA (by means of GÉANT’s Trusted Certificate Service), central administration introduced cumbersome paperwork required to obtain a certificate (signature from head of department, delivering signed request to central IT services office on paper - to a building in a completely different part of the university campus…). Our department staff wanted to introduce automatic certificate management, which clearly won’t be possible with paperwork in our way. So we want to use Let’s Encrypt…
… but the obvious problem would be rate limits. For us, the best solution would be to count certificates for our department subdomains (say, cs.example.com, ki.example.com…) separately from our university domain (example.com). From this thread I know that it’s not possible to apply a rate limit increase to a domain which is not considered eTLD+1. However, I don’t feel that I fully understand the Boulder source code handling rate limits and their overrides - is my impression correct that a registration ID based override is simply applying the certificates per domain rate limit increase to all domains used by a single account?
In other words, if my department would be granted an override for regID, we would be able to “kill” new issuances for the whole university (as our certificates would still count against our university domain name count)? And that’s why @schoen said that the request needs to be submitted by a responsible party at the university (presumably, to apply a rate limit increase for the eTLD+1 university domain itself, not regID)? Or is there another way for rate limit increases for universities (e.g. “artificially” extending the public suffixes list on Let’s Encrypt’s side to consider *.example.com a separate eTLD+1)?
Thanks in advance for answers!