Role of Account Keys and Web Private Keys for Working With Sub Domains

I understand that I’ll need to issue a certificate for every sub-domain I want secured, and that’s fine, but do I need a new account key for every sub-domain? It would make sense that an account key authenticated for the domain could be enough to make as many sub-domain certs as I wanted. How would I have to do it?

You can combine up to 100 hostnames (subdomains, different domains, doesn't matter) in one single certificate.

No. As far as I know, the issued certificates are coupled to an account, not separate domains. And you can issue as many certificates as you want with a single account. (Within the rate limits, of course.)

Oh cool. I was off on several things. Thank you.

Each hostname is validated separately. So that's not really a consideration. (Assuming validation is fully automated, it isn't any less convenient.)

@Ross-Esmond

To clarify this a bit more

You do not need an account key for every sub-domain

There are 2 keys in play when you work with LetsEncrypt

An Account Key - used to sign API requests
A Private Key that is associated with the Certificate

Every certificate should have a new Private Key when you renew it (good practice)

However, you can use the same account key for performing all functions (e.g. issuing new certificates, renewing certificates, etc.)

Most clients will actually generate your account key in the background and automatically use it (without you intervening)

There is a specific case I have worked on with several clients which may require separate account keys

The use case is a service provider which lets their customers issue and revoke certificates

They generate (and store) an account key for each customer so customers can’t download or mess around with other customers’ certificates. This is a rare case though

Andrei
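The two keys Andrei describes, as an added example that is not part of this thread or of any ACME client's code: a single P-256 account key signs the RFC 8555 JWS envelope for every newOrder request, while each order gets its own freshly generated certificate key and CSR. The kid, nonce and acme.example URLs are constructed placeholders; a real client takes them from the CA's directory and responses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// NewKey makes a P-256 key. The same function serves both roles in the thread: called
// once for the account key, and again for every certificate (and every renewal).
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// SignRequest wraps an ACME payload in the JWS envelope (RFC 8555) using the ACCOUNT key.
// kid is the account URL the CA assigned; nonce is the CA's Replay-Nonce value (both constructed here).
func SignRequest(acct *ecdsa.PrivateKey, url, kid, nonce string, payload []byte) ([]byte, error) {
	protected, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid, "nonce": nonce, "url": url})
	digest := sha256.Sum256([]byte(b64(protected) + "." + b64(payload)))
	r, s, err := ecdsa.Sign(rand.Reader, acct, digest[:])
	if err != nil {
		return nil, err
	}
	sig := make([]byte, 64) // ES256 JWS signature is the raw R||S pair, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return json.Marshal(map[string]string{"protected": b64(protected), "payload": b64(payload), "signature": b64(sig)})
}

// NewOrder builds the signed newOrder request for a set of hostnames and, separately,
// a fresh CERTIFICATE key plus CSR for them. The account key never appears in the CSR.
func NewOrder(acct *ecdsa.PrivateKey, kid, nonce string, hosts []string) (jws, csr []byte, certKey *ecdsa.PrivateKey, err error) {
	ids := make([]map[string]string, len(hosts))
	for i, h := range hosts {
		ids[i] = map[string]string{"type": "dns", "value": h}
	}
	payload, _ := json.Marshal(map[string]any{"identifiers": ids})
	if jws, err = SignRequest(acct, "https://acme.example/new-order", kid, nonce, payload); err != nil {
		return
	}
	if certKey, err = NewKey(); err != nil {
		return
	}
	csr, err = x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: hosts}, certKey)
	return
}
```

Storing one account key per customer, as in the service-provider case above, is just calling NewKey once per tenant and passing that tenant's key to NewOrder.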
