Wildcard cert with internal-only subdomain

Hi there

I’m new to Let’s Encrypt and I’m planning to switch over.
After searching this forum and Google I haven't found an answer to my question.

I have an official domain “example.com” that is used for web, mail and other stuff.
Along this I use “corp.example.com” as my internal Windows Domain. This subdomain is not publicly available, since it only exists in my internal DNS servers.

Now, I’d like to create a Wildcard SAN certificate for:

Can this be achieved using DNS challenge when my internal subdomain cannot be resolved?

Thanks for your help!


As long as your DNS server is accessible from the outside world, yes: if you can answer the DNS challenge, there is no need for your http server to be accessible.

Hi @arupper

That doesn't work. If you create a certificate with *.example.com, then you can't have corp.example.com in the same certificate.

So you need and can use only three names:

example.com
*.example.com
*.corp.example.com


@JuergenAuer:
Thanks for clarification about corp.example.com!

@tdelmas:
Is it necessary to have a publicly addressable DNS zone for “corp.example.com” just to pass the DNS challenge?
Or would it be sufficient to have a public DNS zone for “example.com” to validate both “corp.example.com” and “example.com” (including wildcards)?

To validate corp.example.com or *.corp.example.com using DNS, you need to create a DNS record called _acme-challenge.corp.example.com. So it has to resolve, but it doesn't have to be the same internally and externally.


To further clarify, you don't need a separate corp.example.com zone to create a _acme-challenge.corp.example.com record. You effectively just create a _acme-challenge.corp record in the root example.com zone in addition to the base _acme-challenge records.


Thank you all for clarification! This is very helpful!

One more question:
Will the txt record for _acme-challenge… be the same for all domains in the same certificate?

(After reading through some client docs it seems the client implementation will only output one result for a txt record, even if I submit multiple domains for a SAN/UCC certificate)

This doesn't work. If you have one certificate with two names, *.example.com and example.com, you have to create two TXT entries with the same name

_acme-challenge.example.com

and with two different values. Let's Encrypt checks if one of these TXT entries has the correct value.

No, it will be different for each domain.

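As an added example (not code from anyone in this thread), the Python script below works through the three points the replies above make: DNS-01 for a wildcard and its base name land on the same `_acme-challenge` owner name, so that name must carry one TXT record per identifier; the record for `*.corp.example.com` can be created as `_acme-challenge.corp` inside the `example.com` zone without a separate `corp` zone; and a name covered by a wildcard in the same request is flagged as redundant. The TXT value formula is the one RFC 8555 section 8.4 specifies (base64url of SHA-256 over `token.thumbprint`); the tokens and account thumbprint are constructed placeholders, not real ACME data, and the `verify_published` check only mimics the CA's "at least one matching record" behaviour locally.

```python
"""Plan and verify DNS-01 TXT records for a SAN certificate request.

Added example, not code from the thread. All token and thumbprint values
are constructed placeholders.
"""
import base64
import hashlib


def challenge_record_name(identifier: str) -> str:
    """DNS-01 validates at _acme-challenge.<name>; the leading '*.' of a
    wildcard is dropped, so *.example.com and example.com share one name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def relative_record_name(record_name: str, zone: str) -> str:
    """Owner name relative to the zone you actually edit, e.g.
    '_acme-challenge.corp' when the record lives in the example.com zone."""
    suffix = "." + zone
    if not record_name.endswith(suffix):
        raise ValueError(f"{record_name} is not inside zone {zone}")
    return record_name[: -len(suffix)]


def txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(token '.' thumbprint)),
    unpadded. Token and thumbprint come from the ACME server and account."""
    key_authorization = f"{token}.{thumbprint}".encode()
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def redundant_with_wildcard(identifiers):
    """Names that sit directly under a wildcard in the same request
    (corp.example.com next to *.example.com), which the reply above says
    cannot share a certificate."""
    bases = {i[2:] for i in identifiers if i.startswith("*.")}
    return sorted(
        i for i in identifiers
        if not i.startswith("*.") and "." in i and i.split(".", 1)[1] in bases
    )


def plan_txt_records(identifiers, tokens, thumbprint):
    """Map each challenge owner name to every (identifier, TXT value) that
    must be published there at the same time, even when names collide."""
    plan = {}
    for ident in identifiers:
        name = challenge_record_name(ident)
        plan.setdefault(name, []).append((ident, txt_value(tokens[ident], thumbprint)))
    return plan


def verify_published(plan, published):
    """Local imitation of the CA check: for each identifier at least one TXT
    record under its challenge name must carry that identifier's value.
    Returns the identifiers that would fail validation."""
    failures = []
    for name, entries in plan.items():
        values = set(published.get(name, []))
        failures.extend(ident for ident, expected in entries if expected not in values)
    return failures


# Constructed sample matching the thread's scenario (placeholder secrets).
IDENTIFIERS = ["example.com", "*.example.com", "*.corp.example.com"]
TOKENS = {ident: f"constructed-token-{n}" for n, ident in enumerate(IDENTIFIERS)}
THUMBPRINT = "constructed-account-thumbprint"

if __name__ == "__main__":
    plan = plan_txt_records(IDENTIFIERS, TOKENS, THUMBPRINT)
    for name, entries in plan.items():
        rel = relative_record_name(name, "example.com")
        print(f"{rel:<24} IN TXT   ({len(entries)} record(s) in zone example.com)")
        for ident, value in entries:
            print(f"    \"{value}\"   ; for {ident}")
    print("redundant:", redundant_with_wildcard(IDENTIFIERS + ["corp.example.com"]))
```

Running it prints two owner names, `_acme-challenge` with two TXT values and `_acme-challenge.corp` with one, and flags `corp.example.com` as redundant when it is added next to `*.example.com`. A client that emits only one TXT value per name is therefore not enough for a wildcard plus base-name certificate: both values must be present under `_acme-challenge.example.com` when the order is finalized.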

