Subdomain for another Organisation - Cert questions


#1

Hi, I didn't find anything about this in the FAQs.

So my setup is: I have a domain, let's call it myorg.com.

In the DNS settings for my domain I created a subdomain CNAME like otherorg.myorg.com which points to an external service.
This is for a web service hosted by another company for me.

My question is:

Can this external company only get Let's Encrypt certs for otherorg.myorg.com, or can they also get certs for other subdomains in my domain or even a wildcard for my domain?

Cheers


#2

They can only get certificates for otherorg.myorg.com. Let’s Encrypt doesn’t let you validate one subdomain and get certificates for different subdomains or domains.

Let’s Encrypt (currently) requires DNS validation for wildcard certificates. So if you gave them access to _acme-challenge.otherorg.myorg.com, they could get a wildcard certificate for *.otherorg.myorg.com. But not other wildcards like *.myorg.com.
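The answer above can be checked against a small offline model of ACME validation scope. The script below is an added example and not code from the thread or from Let's Encrypt; it encodes the rules the answer relies on (http-01 and tls-alpn-01 cover exactly the host they were completed on, dns-01 at `_acme-challenge.<name>` covers `<name>` and `*.<name>`, wildcards are dns-01 only, and nothing carries over to parent or sibling names) and runs them over two constructed scenarios: the CNAME-only setup from the question, and the setup from the answer where `_acme-challenge.otherorg.myorg.com` is also handed to the hosting company. The names `myorg.com` and `otherorg` are the placeholders from the question; the `ExternalParty` class and its fields are assumptions made for this illustration.

```python
# Added example, not part of the original thread: an offline model of which
# ACME identifiers an external party can satisfy validation for, given what
# they control in the customer's DNS namespace.
#
# Rules modelled (ACME / Let's Encrypt behaviour the answer describes):
#   * http-01 / tls-alpn-01: the party must answer on the host itself; the
#     authorization covers exactly that one name.
#   * dns-01: the party must publish a TXT record at _acme-challenge.<name>;
#     that record validates <name> and also the wildcard *.<name>.
#   * Wildcard identifiers are only validated via dns-01.
#   * Validating one name never extends to its parent or sibling names.
# Scenarios and hostnames below are constructed for illustration.

from dataclasses import dataclass, field


@dataclass
class ExternalParty:
    """What the hosting company controls (assumed structure for this example)."""
    # Hostnames whose HTTP/TLS endpoint they operate, e.g. via the CNAME.
    hosts: set = field(default_factory=set)
    # Names for which they can publish _acme-challenge.<name> TXT records.
    acme_txt: set = field(default_factory=set)


def validation_paths(party: ExternalParty, identifier: str) -> list:
    """Return the ACME challenge types the party could complete for
    `identifier`. An empty list means no certificate containing that name."""
    paths = []
    if identifier.startswith("*."):
        base = identifier[2:]
        # Wildcard: only dns-01, and only via the TXT record of the base name.
        if base in party.acme_txt:
            paths.append("dns-01")
        return paths
    if identifier in party.hosts:
        paths += ["http-01", "tls-alpn-01"]
    if identifier in party.acme_txt:
        paths.append("dns-01")
    return paths


def obtainable(party: ExternalParty, identifiers: list) -> dict:
    """Map each requested identifier to the challenge types that would work."""
    return {i: validation_paths(party, i) for i in identifiers}


CANDIDATES = [
    "otherorg.myorg.com",
    "*.otherorg.myorg.com",
    "www.myorg.com",
    "*.myorg.com",
    "myorg.com",
]

# Scenario 1 (the question): only otherorg.myorg.com is CNAMEd to the vendor.
CNAME_ONLY = ExternalParty(hosts={"otherorg.myorg.com"})

# Scenario 2 (the answer): the vendor is additionally given control of
# _acme-challenge.otherorg.myorg.com, typically by CNAMEing that record to a
# zone they run.
WITH_DNS_DELEGATION = ExternalParty(
    hosts={"otherorg.myorg.com"},
    acme_txt={"otherorg.myorg.com"},
)

if __name__ == "__main__":
    for label, party in (("CNAME only", CNAME_ONLY),
                         ("with _acme-challenge delegation", WITH_DNS_DELEGATION)):
        print(f"== {label}")
        for name, paths in obtainable(party, CANDIDATES).items():
            print(f"  {name:24} {'/'.join(paths) if paths else '(not obtainable)'}")
```

Running it shows the split the answer describes: with the CNAME alone the vendor can validate only `otherorg.myorg.com` (http-01 or tls-alpn-01); with the `_acme-challenge.otherorg.myorg.com` delegation they additionally reach `*.otherorg.myorg.com`, while `www.myorg.com`, `*.myorg.com` and `myorg.com` stay unobtainable in both cases. Two practical notes: a CNAME at `otherorg.myorg.com` does not prevent a separate `_acme-challenge.otherorg.myorg.com` record, since that is a different owner name; and the model deliberately ignores CAA, which is the zone owner's own lever for narrowing issuance further (for example to a specific CA or validation method) independent of what the vendor controls.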