SAN number of certificate


#1

Hello everyone,

I have a question that I am struggling to find an answer to.

I have a server that has 4 aliases with the same IP, such as below:

Server
(IP, URL):
xx.xx.xx.xx alias1.sample.com:8080
xx.xx.xx.xx alias2.sample.com:8080
xx.xx.xx.xx alias3.sample.com:8080
xx.xx.xx.xx alias4.sample.com:8080

My question is, do we need to have 4 certificates or 1 certificate would work fine since the IP address is the same?

Thank you!


#2

Hi @erhankah,

The IPs do not matter but the fully qualified domain names do. You have four of those so you can either:

  1. Make one certificate with all names (alias1.sample.com, alias2.sample.com, alias3.sample.com, alias4.sample.com) (up to 100 names)
  2. Make separate certificates for each site (One cert for alias1.sample.com, one cert for alias2.sample.com, etc)

I recommend you read our rate limits documentation to understand how the two choices differ in terms of your available rate limits.

Option 2 will give you the most flexibility and is my general preference unless there are other constraints to consider.

Hope that helps!


#3

Thank you, that helps!

Just one more question, I have another server that runs the same application, it has different IP address and 4 different aliases.

I believe I can make one certificate that covers all the aliases (8 in total, 4 for the first server and 4 for the other one) and install it on the two different servers?

Would that work?


#4

Yup, that would work as well.


#5

Perfect, thank you for your help!

Have a nice day.


#6

Sorry, one more question :)

I guess when using SAN, the common name is ignored. If this is the case the certificate would have common name as: *sample.com and all the aliases under SAN, right?


#7

If your ACME client doesn’t explicitly choose one of the SAN names to be the Subject CN, the Let’s Encrypt server-side software will pick the first SAN and make it the CN. So if your software finalized an ACME order with a CSR that only had the SANs alias1.example.com, alias2.example.com and no Subject CN, then the issued certificate would have Subject CN alias1.example.com and SANs alias1.example.com, alias2.example.com.

Hope that helps!
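Added example (not code from this thread, from Let’s Encrypt or from any ACME client): it ties together the two points made above, that one certificate listing all four names as SANs covers all four hosts (#2) and that an empty Subject CN is filled from the first SAN (#7). It uses `alias1..4.example.com` as stand-ins for the poster’s `sample.com` names, and plays the CA with a self-signed leaf instead of a real ACME issuance; the `ChooseCN` rule is the one described in #7, applied by the toy CA here. `VerifyHostname` is the same SAN-based check a TLS client performs, so it also shows that a name present only in the CN is not accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical hostnames standing in for the thread's alias1..alias4.sample.com.
var Aliases = []string{"alias1.example.com", "alias2.example.com", "alias3.example.com", "alias4.example.com"}

// BuildCSR mimics an ACME client: every hostname goes into the SAN extension,
// and the Subject CN is set only if cn is non-empty.
func BuildCSR(cn string, names []string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{DNSNames: names}
	if cn != "" {
		tmpl.Subject = pkix.Name{CommonName: cn}
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// ChooseCN applies the rule described in the thread: keep the CSR's CN if the
// client set one, otherwise promote the first SAN to CN.
func ChooseCN(csr *x509.CertificateRequest) string {
	if csr.Subject.CommonName != "" {
		return csr.Subject.CommonName
	}
	if len(csr.DNSNames) > 0 {
		return csr.DNSNames[0]
	}
	return ""
}

// IssueFromCSR is a toy self-signing CA (not Let's Encrypt): the leaf carries
// the chosen CN and exactly the CSR's SANs. Self-signing keeps the example offline.
func IssueFromCSR(csr *x509.CertificateRequest) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: ChooseCN(csr)},
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CoveredNames runs the hostname check a TLS client performs (SAN matching;
// the CN is not consulted) for each candidate hostname.
func CoveredNames(cert *x509.Certificate, candidates []string) map[string]bool {
	out := make(map[string]bool, len(candidates))
	for _, h := range candidates {
		out[h] = cert.VerifyHostname(h) == nil
	}
	return out
}

func main() {
	csr, err := BuildCSR("", Aliases) // SANs only, no CN, as in the #7 scenario
	if err != nil {
		panic(err)
	}
	cert, err := IssueFromCSR(csr)
	if err != nil {
		panic(err)
	}
	fmt.Println("CN chosen from SAN list:", cert.Subject.CommonName)
	for name, ok := range CoveredNames(cert, append(Aliases, "alias5.example.com")) {
		fmt.Printf("%-20s covered=%v\n", name, ok)
	}
}
```

Running it prints `alias1.example.com` as the CN and `covered=true` for the four SAN names only; `alias5.example.com` is rejected. Calling `BuildCSR("alias5.example.com", Aliases)` instead shows the other half of #6’s question: the explicit CN is kept, but `alias5.example.com` is still not covered, because the hostname check only consults the SAN list. The same reasoning is why the IP addresses in #1 do not matter and why the 8-name certificate in #3 works on both servers.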


#8

In order to get one server validated for IPs that do not resolve to itself (the second server), you will have to make “certain” compensations, or you could also use DNS authentication (which would not check your site directly but only your DNS zone).


#9

Why not have each server obtain its own certificate for its own 4 names independently?

