SAN rate limit increase


#1

Hi, is it possible to increase the limit on the number of SAN domains in a single SAN certificate?

Currently, we produce 4 SAN certificates with ~100 domains in each certificate. We have ~400 consumer sites which need certificates.

The problem is that we have noticed the non-www name also needs to be put in the SAN certificate to make it valid if the user enters https://example.com instead of https://www.example.com, which would essentially double the number of entries.

We are limited in the number of IP addresses we can have, so we only have 4 available for these sites. Hence we put them all in a SAN certificate.

Cheers

Daniel


#2

Can you not use SNI to use multiple certificates on one IP address?

Even if Let’s Encrypt supported hundreds of SANs in a certificate, performance is harmed as clients have to download kilobytes of certificate to connect to the websites, and I believe you’ll eventually run into TLS protocol and implementation limitations about how large certificates can be.


#3

I essentially only need the limit increased to 200. I don’t believe you can use SNI with SAN certificates.

Because we have 400 domains, I can’t use individual certificates as the rate limit only allows 50 per week.


#4

You can. All certificates from publicly trusted CAs use SAN at this point.

Edit:

If they’re separate domains, that’s not an issue. Most of the rate limits are per-domain.


#5

Hi @frapps

Then create 400 certificates with the non-www and www names, and use these with the 400 VirtualHosts.

This isn’t a problem.


#6

Hi @frapps,

It is not possible to change the 100 SAN rate limit. I would encourage you to move towards putting fewer names on the same certificate and using SNI as @mnordhoff and @JuergenAuer both suggested (thanks!).


#7

Or add more IPs into the mix.
[and scale it that way]
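As an added example (not part of the thread or of Let’s Encrypt’s own tooling), a small Python planner for the situation in post #1: it pairs each site’s apex and www name, packs the pairs into certificates under a per-certificate name cap (100 here, the value the thread discusses, assumed as a constant), and independently checks the result; the 400-site domain list is constructed.

```python
from typing import List, Sequence, Tuple

MAX_SANS_PER_CERT = 100  # per-certificate cap discussed in the thread (assumed constant)

def site_pair(name: str) -> Tuple[str, str]:
    """Normalise a hostname to its (apex, www) pair; both must share one certificate."""
    host = name.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host, "www." + host

def plan_certificates(sites: Sequence[str], max_sans: int = MAX_SANS_PER_CERT) -> List[List[str]]:
    """Group (apex, www) pairs into certificates of at most max_sans names each,
    never splitting a pair across certificates and never listing a name twice."""
    if max_sans < 2:
        raise ValueError("a certificate must have room for both apex and www")
    pairs: List[Tuple[str, str]] = []
    seen = set()
    for s in sites:
        p = site_pair(s)
        if p not in seen:  # 'example.com' and 'www.example.com' are the same site
            seen.add(p)
            pairs.append(p)
    pairs_per_cert = max_sans // 2
    certs: List[List[str]] = []
    for i in range(0, len(pairs), pairs_per_cert):
        chunk = pairs[i:i + pairs_per_cert]
        certs.append([n for pair in chunk for n in pair])
    return certs

def check_plan(certs: List[List[str]], max_sans: int = MAX_SANS_PER_CERT) -> bool:
    """Independent check: every certificate within the cap, no duplicate names,
    and each apex in the same certificate as its www name."""
    all_names = [n for c in certs for n in c]
    if len(all_names) != len(set(all_names)):
        return False
    for c in certs:
        if len(c) > max_sans:
            return False
        names = set(c)
        for n in c:
            apex = n[4:] if n.startswith("www.") else n
            if apex not in names or "www." + apex not in names:
                return False
    return True

# Constructed fleet matching the thread's numbers: 400 consumer sites.
SAMPLE_SITES = [f"site{i:03d}.example" for i in range(400)]
# plan_certificates(SAMPLE_SITES) -> 8 certificates of 100 names each
```

With SNI, as the replies recommend, the same fleet needs no packing at all: one two-name certificate per VirtualHost, and the cap never comes into play.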