I host about 8 domains and have noticed when viewing my certificate that the common name CN is different from the domain name that is being encrypted. I’m a little bit concerned about the professional image of doing this in the event that somebody actually decides to look at the certificate and notice this, or that a web browser might flag it as a security hazard.
Would I be abusing the LetsEncrypt model if I were to create the certificates for each of these sites instead of wrapping them all into one certificate with multiple distinct aliases?
The common name field isn’t even inspected by most browsers - it’s been deprecated for quite a while. From a certificate standpoint, it could say “Happy Giraffes” and be just as valid.
Let’s Encrypt puts the first name on the list there, but there’s no way to have that change based on where the user navigated without creating individual certificates for each site. As long as you stay within the rate limits, there’s no issue with doing so.
I would posit, however, that anyone technical enough to look at the certificate to determine trust is probably technical enough to at least have a vague understanding of SubjectAlternateName fields. Plus, why would someone treat it like a security hazard if their browser is accepting it?
Either way works, though, as long as you stay within rate limits. It’s also super reasonable if you don’t want two of your domains to be quite so easily associated. (E.g. company site and personal blog, or multiple client sites.)
