Suggestion for certificate if used in products for customers?

Hi,

I have a question and hope someone can help to answer.
We produce network products in which currently we use a paid wildcard certificate. Each product comes with its own DDNS address (subdomain), which means that all products use the same main domain (let's call it product.com).

Reading the policies it says that the limitation for the main domain is 50 issues per week. Let's say 200 customers buy a product in one week and want to get a certificate for their subdomain, it would fail after 50 issues?

Would it be possible to use a wildcard certificate (as we already do now with a paid certificate) and put that into the product? The problem would be that all devices use the same certificate which in case of any leak/breach would not be as good as if every device has its own certificate.

I would be happy to hear any feedback about how to approach this.

Thanks already

You should not put one wildcard cert in every product.

If this is a dedicated domain such that *.product.com are all controlled by different people, you can put product.com on the Public Suffix List. Then each subdomain has its own rate limit.

5 Likes

To add to @mcpherrinm's excellent advice: note that the public suffix list is mainly for security reasons and NOT specifically for bypassing rate limits. You CANNOT use Let's Encrypt rate limits as an argument for your domain to be added to the PSL. If you try that, it will be rejected.

That said, in your situation with multiple different customers using a single domain, then that's all the reason you need as far as I know. The LE rate limit stuff is just a happy little convenience on the side :)

5 Likes

No, because the certificates are deployed to devices, the problem is that every customer would have the key used by other customers - which is both a security breach itself and an explicit violation of the Subscriber Agreement (and, I believe, the CA/B baseline requirements).

You should apply for inclusion on the PSL list ASAP. Browsers utilize the PSL list to enforce security policies across domains. Joining the PSL list will sandbox your customers' cookies from one another and your parent organization.

5 Likes
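
An added illustration of the replies above, not code from any poster or from Let's Encrypt: it applies Public Suffix List matching to show how listing product.com changes both the rate-limit bucket and the cookie boundary between devices. The rule sets, the `dev###` hostnames and all function names are constructed for the example; the limit of 50 is the figure quoted in the question.

```python
from collections import Counter

WEEKLY_LIMIT = 50  # per-main-domain figure quoted in the question

def public_suffix(host, rules):
    """Longest matching PSL rule; handles "*.x" wildcards and "!x" exceptions."""
    labels = host.lower().rstrip(".").split(".")
    best = labels[-1:]  # implicit "*" rule: the last label alone
    for i in range(len(labels)):
        cand = labels[i:]
        name = ".".join(cand)
        if "!" + name in rules:  # exception rule overrides everything
            return ".".join(cand[1:])
        wild = ".".join(["*"] + cand[1:])
        if (name in rules or wild in rules) and len(cand) > len(best):
            best = cand
    return ".".join(best)

def registered_domain(host, rules):
    """Public suffix plus one label: the unit the limit is counted against."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None

def over_limit(hosts, rules, limit=WEEKLY_LIMIT):
    """Registered domain -> number of requested certificates above the limit."""
    counts = Counter(registered_domain(h, rules) for h in hosts)
    return {d: c - limit for d, c in counts.items() if c > limit}

def same_site(a, b, rules):
    """True if two hosts share a registered domain (and so a cookie scope)."""
    return registered_domain(a, rules) == registered_domain(b, rules)

# Constructed sample: 200 device hostnames under the thread's placeholder domain.
HOSTS = [f"dev{i:03d}.product.com" for i in range(200)]
BEFORE = {"com"}                 # product.com is an ordinary registered domain
AFTER = {"com", "product.com"}   # product.com listed as a public suffix

if __name__ == "__main__":
    print("before:", over_limit(HOSTS, BEFORE))   # one shared bucket
    print("after: ", over_limit(HOSTS, AFTER))    # one bucket per device
    print("shared cookie scope before/after:",
          same_site(HOSTS[0], HOSTS[1], BEFORE),
          same_site(HOSTS[0], HOSTS[1], AFTER))
```

With product.com unlisted, all 200 requests land in one bucket and any two devices can share a parent-domain cookie; once it is listed, each device hostname is its own registered domain for both purposes.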