SAN certs with multiple domains - not sub-domains


#1

I’m needing to generate certs for 3rd parties, i.e. cdn.mycustomer1.com, cdn.mycustomer2.org. I would like to use SAN certs to keep the number of certs I need to load into my server software minimal.

If I have 100 new customers every week, I can easily generate individual certs for them as I understand it. But how would I do it so they were part of a SAN cert? I’d run into rate limits if I tried it, no?


#2

You’re in a bit of a pickle, yes.

You can certainly issue a certificate containing hostnames from 100 different domains.

But doing so increments the “20 certificates per domain per week” limit for each of those 100 domains, so you couldn’t issue up to 100 certificates for the same (growing) set of names a week.

I might suggest a compromise. Something like:

  • When a new customer signs up, issue a certificate with just their name.
  • Once a day, issue a certificate with all of that day’s customers combined, and discard their individual certificates.
  • Once a week, issue a certificate with all of that week’s customers combined, discarding the 7 daily certificates.

That would still limit the number of certificates you manage, while only dinging each domain 3 times in a week.

Alternately, go all out, and use a software stack that’s fine with having tons of certificates under management.

Alternately alternately, use a different CA with high prices and high rate limits. :frowning2:
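A way to sanity-check the daily/weekly roll-up scheme above against the per-domain limit, as an added Python example that is not from the original thread: it models the three issuance steps for a batch of constructed signups and computes how many certificates any single registered domain ends up in within a rolling 7-day window. The hostnames and dates are constructed, and treating the last two labels as the registered domain is a simplification.

```python
from datetime import date, timedelta

# Constructed sample: hostnames of new customers, keyed by signup day.
SIGNUPS = {
    date(2024, 1, 1): ["cdn.customer-a.example", "cdn.customer-b.example"],
    date(2024, 1, 2): ["cdn.customer-c.example"],
    date(2024, 1, 4): ["cdn.customer-d.example", "cdn.customer-e.example"],
}
PER_DOMAIN_WEEKLY_LIMIT = 20  # the "20 certificates per domain per week" limit from the reply

def registered_domain(hostname):
    # Simplifying assumption: the last two labels form the registered domain
    # (a real implementation would consult the Public Suffix List).
    return ".".join(hostname.split(".")[-2:])

def plan_rollup(signups):
    """Three-step scheme: one cert per new customer, one daily roll-up (skipped
    when a day had a single signup, as it would duplicate the individual cert),
    one weekly roll-up of every customer of that week. Returns (issue_date, names)."""
    certs, days, weekly = [], sorted(signups), {}
    first_day = days[0]
    for day in days:
        names = tuple(signups[day])
        certs.extend((day, (name,)) for name in names)      # step 1: individual certs
        if len(names) > 1:
            certs.append((day, names))                        # step 2: daily roll-up
        weekly.setdefault((day - first_day).days // 7, []).extend(names)
    for week, names in sorted(weekly.items()):                # step 3: weekly roll-up
        certs.append((first_day + timedelta(days=7 * week + 6), tuple(names)))
    return certs

def max_issuances_per_domain(certs, window_days=7):
    """Most certificates any one registered domain appears in within a rolling
    window of window_days; this is what the per-domain rate limit counts."""
    dates_by_domain = {}
    for issue_day, names in certs:
        for domain in {registered_domain(n) for n in names}:
            dates_by_domain.setdefault(domain, []).append(issue_day)
    worst = 0
    for dates in dates_by_domain.values():
        dates.sort()
        for i, start in enumerate(dates):
            end = start + timedelta(days=window_days - 1)
            worst = max(worst, sum(1 for d in dates[i:] if d <= end))
    return worst

def within_limit(signups):
    return max_issuances_per_domain(plan_rollup(signups)) <= PER_DOMAIN_WEEKLY_LIMIT
```

With the sample batch, each customer's domain is hit at most 3 times in the week (individual, daily, weekly), matching the reply's estimate.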


#3

Actually, I was wondering whether that exact solution was feasible. Now that I know it is, I can think about implementation.

Thank you very much!


#4

OK, follow-on questions…

Do I need to worry about revoking the single certs once they’re in a roll-up cert? Or can I just delete the singles?

Thanks again.


#5

You don’t need to revoke them, no (there wouldn’t be any benefit in doing so).
