Using Let's Encrypt for Large Number of Sub-Domains

Hello,
we are planning SSL for 100+ domains.
Can you help me with this? We would like to use Let's Encrypt to secure the 100+ domains with a single certificate. I have SSH access to my webservers and we are using all the 100+ domains currently. Is it possible? If so, could you let us know the steps to do so?
(optional) We would like to use it with AWS Certificate Manager to maintain the certificates.
Please let me know ASAP.

hi @mohammedattaullahkha

Review other articles on this forum on how to deal with a large number of certificates.

Doing due diligence is something you should do before trying to use a technology.

If you have specific questions once you have a plan, people may be able to assist, but asking an open-ended question like "please do my thinking for me" doesn’t really work.

Next suggested steps:

Review how Let’s Encrypt works
Make a plan of HOW YOU think you can go about getting what you need (with the server etc you have)
Ask any questions that you are stuck on
Try a small subset of what you are trying to do against the staging server

Andrei

Hello Andrei ,

Thanks for the feedback. I am new to multi-domain stuff. I have gone
through the documents and also implemented it.
But can you tell me:

  1. Can I request a single certificate and use it for 100+ domains?
  2. If yes, then for each new domain should I do the setup again, or just add the
    domain to some config file?
  3. Do you have an auto-renew setup, as I am using AWS Certificate Manager to
    import the certificate?
  4. With every new revoke, will the key change?

Thank you for your time and patience.
Hope to hear from you ASAP.

LE has a limit of 100 SANs in a single certificate. If you need to secure more than 100 domain names, you’ll need more than one certificate.

  1. It is possible, but as is noted in several other topics, you are limited to 100 names on a single certificate. If you need more names, you’ll need to request and manage multiple certificates.
  2. Due to rate limiting, you’ll want to request a certificate with all the names at one time. Configuration details are up to the tool you use. For instance, with certbot you will specify multiple -d switches, one per domain.
  3. Some clients can handle renewal. Certbot, for example, can automatically renew an existing certificate when it’s about 3 weeks from expiring. I personally am not aware of anyone using AWS Certificate Manager, so you may need to develop your own solution.
  4. If you actively revoke a certificate, you should change the private key. A revocation is basically certifying that the key under the certificate has been compromised. If you mean renewal, it doesn’t need to change, but it’s a good idea to update the key for stronger security.
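
As an added example (not code from the thread or from the certbot project): the batching that the 100-SAN limit forces on a list of more than 100 names, done as a small POSIX shell script. It reads hostnames one per line and prints one certbot invocation per batch of at most 100 names, each batch under its own --cert-name so certbot keeps them as separate lineages that `certbot renew` handles together. The webroot path /var/www/html, the cert-name prefix `sites`, and the siteN.example.com hostnames are placeholders chosen for the example, not the poster's real setup.

```shell
#!/bin/sh
# Added example, not from the thread: batch a domain list into certificates of at
# most 100 names (the SAN limit quoted above) and print one certbot command per batch.
# The webroot path, cert-name prefix and hostnames are placeholders, not the
# poster's real setup.

SAN_LIMIT=100

# Constructed sample input: N placeholder hostnames, one per line.
sample_domains() {
    i=1
    while [ "$i" -le "$1" ]; do
        echo "site$i.example.com"
        i=$((i + 1))
    done
}

# Read hostnames from stdin and print one "certbot certonly" command per batch of
# SAN_LIMIT names, each batch under its own --cert-name so "certbot renew" tracks
# them separately. $1 = cert-name prefix, $2 = webroot path, $3 = "staging" to
# add --staging (try it against the staging CA first, as suggested above).
build_certbot_batches() {
    prefix=$1
    webroot=$2
    extra=""
    if [ "$3" = "staging" ]; then
        extra="--staging"
    fi
    awk -v limit="$SAN_LIMIT" -v prefix="$prefix" -v webroot="$webroot" -v extra="$extra" '
        NF == 0 { next }                      # ignore blank lines
        { names[++n] = $1 }                   # keep input order
        END {
            batches = int((n + limit - 1) / limit)
            for (b = 1; b <= batches; b++) {
                cmd = "certbot certonly --webroot -w " webroot " --cert-name " prefix "-" b
                if (extra != "") cmd = cmd " " extra
                first = (b - 1) * limit + 1
                last = (b * limit < n) ? b * limit : n
                for (i = first; i <= last; i++) cmd = cmd " -d " names[i]
                print cmd
            }
        }'
}

# Count the -d switches in one generated command line.
count_names() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -c '^-d$'
}

# Usage: 250 constructed names give 3 commands (100 + 100 + 50 names).
# sample_domains 250 | build_certbot_batches sites /var/www/html staging
```

Run the printed commands against `--staging` first; once the output looks right, generate them again without the staging flag and pipe them to `sh`. Adding a name later means re-running that batch's command with the extra `-d` and `--expand`, so certbot replaces the existing lineage instead of creating a duplicate, and the batch stays within the 100-name limit. `certbot renew` then covers every batch; pushing the renewed files into ACM is not something certbot does for you, but a `--deploy-hook` script is the place to wire in your own step, for example `aws acm import-certificate` with the `--certificate-arn` of the entry you imported earlier so it is re-imported rather than duplicated.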

The only reason to revoke a certificate is because you believe the key has been compromised. So yes, in the case of revocation, you'd certainly create a new key. Otherwise, it's up to your client. certbot will, by default, create a new private key every time you renew the certificate.
