SAN, Wildcard Combined

New guy here, so direct me to an existing post if appropriate, but I could not find one myself so far.
I have a registered domain, (I really have one, but I used the general example).
Advice was to use a subdomain for all internal purposes, so I run internal DNS servers for this subdomain.
All internal hosts, servers are of the form
So, for the cert request, should I request a wildcard *, and request a SAN listing each
Or, should I simply request a SAN certificate with all the hostxyz subdomains listed?
Just as a reference I read on digicert site that they offer a wildcard cert, and then one does a SAN on that by requesting a duplicate, and listing all the subdomains. Is there a similar procedure on letsencrypt?


You can request whatever combination of SANs you like with Let’s Encrypt[1].

Perhaps one like this would suit you:

  • *
  • *

[1] As long as the SANs are not redundant, e.g. you can’t have both * and, because the latter is made redundant by the former.


Excellent. Thank-you. That’s a lot easier than I was anticipating.
I will try it out soon.


Actually I recall why I thought this would be more difficult. I was under the impression that a wildcard could only be one level below the registered domain name. Since my registered domain name is, I figured I could only request * as a wildcard. There can be no dots in the * wildcard part.
* would not be allowed because is not registered.
Hoping I am wrong. If I am wrong and it is easy, then is that because letsencrypt does some magic with the requests to make it easier for users?


The only requirement with Let’s Encrypt is that the wildcard label is the left-most label.

It doesn’t have to be next to the registered domain.

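The two rules the replies above rely on, that a wildcard must be the whole left-most label (it may sit any number of levels below the registered domain) and that a SAN list must not contain a name already covered by one of its own wildcards, can be checked before submitting a request. This is an added example, not code from any post in this thread or from Let’s Encrypt; the domain names it uses are constructed placeholders under example.com.

```python
# Added example: pre-flight checks for a SAN list before requesting a
# Let's Encrypt certificate. Names below are constructed placeholders.
from typing import List, Tuple


def is_valid_wildcard(name: str) -> bool:
    """True for a plain DNS name, or a wildcard whose '*' is the entire
    left-most label. '*.a.b.example.com' is fine; '*.*.example.com',
    'host*.example.com' and 'a.*.example.com' are not."""
    labels = name.lower().split(".")
    if any(label == "" for label in labels):
        return False
    for i, label in enumerate(labels):
        if "*" in label and not (i == 0 and label == "*"):
            return False
    return True


def covered_by(name: str, wildcard: str) -> bool:
    """A wildcard matches exactly one extra label: '*.internal.example.com'
    covers 'host1.internal.example.com' but neither 'internal.example.com'
    itself nor 'a.b.internal.example.com'."""
    if not wildcard.startswith("*."):
        return False
    name_labels = name.lower().split(".")
    base_labels = wildcard.lower().split(".")[1:]
    return (len(name_labels) == len(base_labels) + 1
            and name_labels[1:] == base_labels)


def redundant_sans(sans: List[str]) -> List[Tuple[str, str]]:
    """Return (redundant_name, covering_wildcard) pairs. Any such pair
    makes the request redundant and must be dropped from the SAN list."""
    wildcards = [s for s in sans if s.startswith("*.")]
    return [(s, w) for s in sans for w in wildcards
            if s != w and covered_by(s, w)]


if __name__ == "__main__":
    # Constructed request: a deep wildcard plus one name it already covers.
    request = ["example.com", "*.internal.example.com",
               "host1.internal.example.com"]
    for n in request:
        print(f"{n}: {'ok' if is_valid_wildcard(n) else 'bad wildcard'}")
    for name, wc in redundant_sans(request):
        print(f"drop {name}: already covered by {wc}")
```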

Thanks again! Time to try it out.

