SAN, Wildcard Combined

New guy here, so direct me if appropriate to existing post, but I could not find one myself so far.
I have a registered domain, example.com. (I really have one, but I used the general example).
Advice was to use a subdomain for all internal purposes, so that is bud.example.com. I run internal dns servers for this subdomain.
All internal hosts, servers are of the form hostxyz.bud.example.com.
So, for the cert request, should I request a wildcard *.example.com, and request a SAN listing each hostxyz.bud.example.com?
Or, should I simply request a SAN certificate with all the hostxyz subdomains listed?
Just as a reference I read on digicert site that they offer a wildcard cert, and then one does a SAN on that by requesting a duplicate, and listing all the subdomains. Is there a similar procedure on letsencrypt?

1 Like

You can request whatever combination of SANs you like with Let’s Encrypt1.

Perhaps one like this would suit you:

  • example.com
  • *.example.com
  • *.bud.example.com

[1]. As long as the SANs are not redundant. e.g. You can’t have both *.example.com and bud.example.com, because the latter is made redundant by the former.

3 Likes

Excellent. Thank-you. That’s a lot easier than I was anticipating.
I will try it out soon.

1 Like

Actually I recall why I thought this would be more difficult. I was under the impression that a wildcard could only be one level below the registered domain name. Since my registered domain name is example.com, I figured I could only request *.example.com as a wildcard. There can be no dots in the * wildcard part.
*.bud.example.com would not be allowed because bud.example.com is not registered.
Hoping I am wrong. If I am wrong and it is easy, then is that because letsencrypt does some magic with the requests to make it easier for users?

1 Like

The only requirement with Let's Encrypt is that the wildcard label is the left-most label.

It doesn't have to be next to the registered domain.

1 Like

Thanks again! Time to try it out.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.