Wildcard Certificates Coming January 2018


Correct. As noted above, see https://tools.ietf.org/html/rfc6125#section-6.4.3


A SAN cert for the following works (I used to have one like the following)


So, it can do multiple domains and do multiple wildcards in the cert but it cannot do one like the following.


I can provide the cert if you’d like proof

edit: blockquotes


Yep, this will work the same way as domainA.com and domainB.com in the same certificate works today.


Eventually, yes. We still need to do the implementation work. For now, if you want to try out the v2 API, you can try our testbed server, Pebble.


Yes, please, at first for 180 days. Hopefully!!


I’m in no way related to Let’s Encrypt, but I believe the 90-day expiration was a very deliberate decision, and I wouldn’t expect it to change. I feel your pain, I’m stuck maintaining a cert on GoDaddy shared hosting for a nonprofit I support. This means I have to paste the cert into cPanel every few months because GoDaddy shared hosting doesn’t support automated renewals. It’s somewhat unpleasant, but even so, I appreciate the 90-day validity period. Maintaining that quarterly is a really small price to pay.


There is a very long thread about the certificate lifetime issue, starting back in 2015.

Please take any discussions about that aspect over to that thread.


Oh hot damn! That’s great news, great great great news in Let’s Encrypt secure socket layer developments!


Glad you’re excited about them! By next year, maybe we can think of them as transport layer security developments. :slight_smile:


Nothing but the best for a faster, more secure world wide web!


This actually adds more work.

If you choose a random subdomain, you still have to create a DNS record for it so it can point to a web server to pass the HTTP challenge.

So if you are going to update the DNS, wouldn't it be easier to do it once?



This was discussed earlier on in the chain.


Will ECDSA certificates be supported in wildcard at launch too?
Also, is there any word about launching a full EC CA?


You can get EC certificates from Let's Encrypt currently.

Are you talking about an EC Intermediate?



First question is whether EC certificate support will continue with wildcard support.

Second question is in fact when EC intermediate/root will be rolled out.


ECDSA support is unrelated to wildcard issuance. There is no reason why wildcards would be limited to RSA.

Dedicated ECDSA roots and intermediates are scheduled for “Before September 1, 2017”, according to the Upcoming Features page.


Of course, DNS CAA issuewild will be respected, right?


You create a wildcard DNS entry once, then use that to do whatever HTTP validation.

In a lot of contexts (e.g., shared web hosting) it’s much easier to manipulate a web server than DNS.


I see no reason why it shouldn’t as CAA operates at the domain name level, at the same level as all your other DNS records.
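As an added illustration of the CAA question raised above (not code from any poster or from Let's Encrypt), the following Python evaluates the RFC 6844 / RFC 8659 rules for a wildcard request: the CA climbs from the requested name toward the root until it finds a label with CAA records, and for a wildcard name the `issuewild` property takes precedence over `issue` when present. The zone data is constructed for the example; `letsencrypt.org` is used as the CA identifier, and the `ZONE` dict and helper names are assumptions, not a real resolver.

```python
"""Evaluate DNS CAA 'issue' vs 'issuewild' for a certificate request (RFC 8659 semantics)."""

# Constructed zone data for the example: name -> list of (tag, value). Not real DNS.
ZONE = {
    # Parent allows Let's Encrypt for ordinary names but only DigiCert for wildcards.
    "example.com": [("issue", "letsencrypt.org"), ("issuewild", "digicert.com")],
    # 'issuewild ";"' forbids every CA from issuing a wildcard for this label.
    "nowild.example.com": [("issue", "letsencrypt.org"), ("issuewild", ";")],
    # No CAA records here: the lookup climbs to example.com.
    "sub.example.com": [],
}


def caa_records(name):
    """Stand-in for a DNS CAA query (assumed helper; reads the constructed ZONE)."""
    return ZONE.get(name, [])


def relevant_caa(name, lookup=caa_records):
    """Climb from `name` toward the root and return the first non-empty CAA record set."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records = lookup(candidate)
        if records:
            return candidate, records
    return None, []


def ca_permitted(requested_name, ca_id, lookup=caa_records):
    """Return True if `ca_id` may issue for `requested_name` under the CAA policy found."""
    wildcard = requested_name.startswith("*.")
    # RFC 8659: for a wildcard, the lookup starts at the name with the '*' label removed.
    base = requested_name[2:] if wildcard else requested_name
    _, records = relevant_caa(base, lookup)
    if not records:
        return True  # no CAA anywhere in the tree: issuance is not restricted
    # Wildcard requests consult issuewild first and fall back to issue only if
    # no issuewild record exists; non-wildcard requests ignore issuewild entirely.
    tags = ("issuewild", "issue") if wildcard else ("issue",)
    for tag in tags:
        values = [v for t, v in records if t == tag]
        if values:
            # The issuer domain is the part before any ';' parameters; ';' alone -> no CA.
            allowed = {v.split(";")[0].strip() for v in values}
            return ca_id in allowed
    return True  # CAA records exist (e.g. only iodef) but none restrict this request


if __name__ == "__main__":
    for name in ("www.example.com", "*.example.com", "*.sub.example.com", "*.nowild.example.com"):
        print(name, "->", ca_permitted(name, "letsencrypt.org"))
```

Note that `*.sub.example.com` inherits the parent's `issuewild` because `sub.example.com` carries no CAA records of its own; an operator who wants a different wildcard policy for a subtree has to publish records at that label.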


Reading through the thread, will SAN be supported?


Although it's often mistakenly thought of as an alias, SANs (Subject Alternative Names) are actually a mandatory feature of all modern certificates in the Web PKI. So yes, as far as Let's Encrypt is concerned, a wildcard is just another SAN dNSName it will add to your cert if you prove control over the name, and you will be able to have up to 100 of them in a cert, or mix and match with ordinary fully qualified domain names.
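To make the matching rules discussed in this thread concrete (RFC 6125 section 6.4.3 and the "one wildcard label, left-most only" restriction the earlier posts describe), here is an added Python example that is not from any poster or from Let's Encrypt. It checks a certificate's list of dNSName SANs against a hostname: a wildcard must be the whole left-most label, it matches exactly one label, and names like `*.com` or `*.*.example.com` are rejected. The SAN lists and hostnames are constructed sample input; function names are assumptions.

```python
"""Match a hostname against a certificate's dNSName SANs, including wildcards (RFC 6125 6.4.3)."""
import re

# A DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def is_valid_san(name):
    """Accept an FQDN, or '*' as the entire left-most label followed by at least two labels."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        rest = labels[1:]
        # '*.com' (or any wildcard with fewer than two labels after it) is not allowed.
        return len(rest) >= 2 and all(LABEL.match(l) for l in rest)
    # A '*' anywhere else ('w*.example.com', '*.*.example.com') fails the label regex.
    return all(LABEL.match(l) for l in labels)


def san_matches(san, hostname):
    """True if the single SAN `san` covers `hostname` (case-insensitive, one label per '*')."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not is_valid_san(san):
        return False
    if not san.startswith("*."):
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # The wildcard stands for exactly one label, so label counts must agree:
    # '*.example.com' covers 'www.example.com' but not 'example.com' or 'a.b.example.com'.
    if len(san_labels) != len(host_labels):
        return False
    if not LABEL.match(host_labels[0]):
        return False
    return san_labels[1:] == host_labels[1:]


def cert_covers(sans, hostname):
    """True if any SAN in the certificate covers the hostname."""
    return any(san_matches(s, hostname) for s in sans)


if __name__ == "__main__":
    # Constructed SAN list: a mix of plain names and wildcards, as the thread describes.
    sans = ["example.com", "*.example.com", "*.example.org", "api.example.net"]
    for host in ("example.com", "www.example.com", "deep.api.example.com", "example.org"):
        print(host, "->", cert_covers(sans, host))
```

The mixed list shows why the bare apex name has to be listed alongside `*.example.com`: the wildcard alone never covers `example.com`, and a multi-level name such as `deep.api.example.com` needs its own entry or its own wildcard at that depth.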