Question 1: Can I create a certificate that is good for a bunch of subdomains that reside on different sites/webservers? I don’t think that matters as it’s just a subject alternative name to Let’s Encrypt?
Question 2: Can I do the Let’s Encrypt challenge on ONE server, declare a list of SANs, repackage and distribute the keys to the other sites/webservers?
Question 3: Does the process I’ve outlined below have any merit, or is there an easier way you can see?
Proposed Solution: I would have one Ubuntu server using Nginx and Certbot (which seems like a nicely supported option) that handles the Let’s Encrypt challenge and declares all the subject alternative names at that time. I would then like to obtain the keys, repackage them and distribute them as a keystore to my customer sites. The customer sites are using an enterprise application that I can’t change much, which is Apache/Tomcat on Windows.
Background: I have a lot of independent servers on customers’ sites and I want to get them a proper DNS name and security certificate so I can stop teaching people to put their password into unencrypted websites they can’t identify. I’m thinking of using Google DNS, which allows up to 100 A records for one DNS name. If I did that, the namespace would look something like site1.example.com, site2.example.com, etc. Each of those sites would then be a CNAME or A record pointing ultimately to the customer server.
My domain is: as yet unknown
My web server is (include version): Apache/Tomcat on Windows AND Nginx on Ubuntu
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
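The "repackage the keys as a keystore" step of the proposed solution, as an added example that is not part of the original post: a POSIX shell script that takes certbot-style PEM output (fullchain.pem and privkey.pem), checks that the private key really belongs to the certificate and that each site's name is present in the SAN list, and bundles both into a PKCS12 keystore that Apache/Tomcat can load. It requires openssl; the WORK directory, the domain names, the alias and the password are assumptions, and the self-signed certificate it generates is a constructed stand-in so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post: turn certbot-style PEM
# output (fullchain.pem + privkey.pem) into a PKCS12 keystore that the
# Windows Apache/Tomcat sites could load, after checking that the private
# key matches the certificate and that each site's name is in the SAN list.
# Requires openssl; WORK, the domain names and the password are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
STORE_PASS="${STORE_PASS:-changeit}"

# Constructed stand-in for a Let's Encrypt certificate so the script runs
# offline: a self-signed cert carrying two SANs (site1/site2.example.com).
# In real use, point the functions below at certbot's live/ directory instead.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/privkey.pem" -out "$WORK/fullchain.pem" \
    -subj "/CN=site1.example.com" \
    -addext "subjectAltName=DNS:site1.example.com,DNS:site2.example.com" \
    >/dev/null 2>&1
}

# Succeeds only if the public key in the certificate equals the one derived
# from the private key; catches a mismatched cert/key pair before shipping.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeeds if the exact DNS name ($2) appears in the certificate's SAN list.
cert_has_san() {
  openssl x509 -in "$1" -noout -text \
    | tr ',' '\n' | tr -d ' ' | grep -Fqx "DNS:$2"
}

# Bundle cert chain + key into one PKCS12 file; Tomcat reads it with
# keystoreType="PKCS12" and keyAlias="tomcat" on the HTTPS Connector.
build_keystore() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -name tomcat \
    -out "$3" -passout "pass:$STORE_PASS"
}

make_test_cert
key_matches_cert "$WORK/fullchain.pem" "$WORK/privkey.pem"
for site in site1.example.com site2.example.com; do
  cert_has_san "$WORK/fullchain.pem" "$site"
done
build_keystore "$WORK/fullchain.pem" "$WORK/privkey.pem" "$WORK/keystore.p12"
echo "keystore written to $WORK/keystore.p12"
```

Because `set -e` is on, the script stops before writing a keystore if the key does not match the certificate or a site name is missing from the SANs, so a bad bundle never reaches a customer site.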