
re: Let's Encrypt: Wildcard Certificate With Certbot


Just curious. What is your use case for needing a wildcard cert?

 

On my home server, I route a variety of different outward-facing apps to different subdomains; it’s much easier for friends and family to remember app.domain.tld.

 

Marvelous.
I am going to use it as an example 😄

 

I have a white-label app that uses a subdomain to distinguish different brands - "coke.app.com", "pepsi.app.com", etc. Needs a wildcard cert to secure them all so we can add new subdomains whenever we want and not get SSL errors.

 

Running different servers. Like www.domain and domain as web servers and jabber.domain and domain as jabber servers.
For instance.

 
 

You really shouldn't mix/combine the security of completely different services (that's what a certificate is - service identity) in a single certificate. The proper solution is to up the automation surrounding your service's build process to include the asynchronous process of obtaining a certificate for each service.

If you need multiple hostnames for the same certificate (AND KEYPAIR), you should be using SAN certificates, not wildcards.

If you need multiple endpoints with the same DNS hostname, you make that a common SAN across multiple certs for each individual TLS endpoint.

As a follow-up, IMO, the only valid use case for wildcard certs is for self-contained private PKIs used internally with external certs for the exposed service endpoints. An example would be a private mini-CA dedicated (and trusted) only for inter-node internal connections within the cluster.
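The practical difference between a wildcard entry and an explicit SAN list comes down to which hostnames a client will accept the certificate for. The following is an added example, not code from this thread, from Certbot or from Let's Encrypt: it implements the DNS-ID matching rule of RFC 6125 / RFC 2818 as browsers apply it (a `*` is honoured only as the whole leftmost label and matches exactly one label), then checks the hostnames mentioned above against two constructed SAN lists. It shows why `*.domain.tld` on its own does not cover the apex `domain.tld` (the www/jabber case earlier in the thread) and why a per-service SAN certificate can list the apex as a common name across several certificates.

```python
"""
Which hostnames does a certificate's subjectAltName actually cover?

Added example for the discussion above; not code from the thread, Certbot or
Let's Encrypt. The SAN lists and hostnames below are constructed sample data.
"""
from typing import Dict, Iterable, List


def hostname_matches(dns_id: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers `hostname`.

    Rule (RFC 6125 section 6.4.3, as implemented by mainstream clients):
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is accepted only as the entire leftmost label ('*.rest');
    - that wildcard matches exactly one label: it covers 'app.domain.tld'
      but neither the apex 'domain.tld' nor a deeper 'a.b.domain.tld'.
    """
    dns_id = dns_id.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in dns_id:
        return dns_id == hostname
    head, sep, rest = dns_id.partition(".")
    if head != "*" or not sep or "*" in rest:
        return False  # 'a*.x', 'x.*.y' etc. are not valid wildcard DNS-IDs
    host_head, host_sep, host_rest = hostname.partition(".")
    return bool(host_head) and host_sep == "." and host_rest == rest


def covered_by(san: Iterable[str], hostname: str) -> bool:
    """True if any dNSName in the SAN list covers the hostname."""
    return any(hostname_matches(entry, hostname) for entry in san)


def uncovered(san: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Hostnames that a client would reject against this SAN list."""
    san = list(san)
    return [h for h in hostnames if not covered_by(san, h)]


def per_service_sans(services: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """One SAN list per service (one cert and keypair each), deduplicated.

    The same hostname may appear in several lists: that is the 'common SAN
    across multiple certs' case when several endpoints share a DNS name.
    """
    return {svc: sorted(set(names)) for svc, names in services.items()}


# Constructed sample data mirroring the hostnames used in the thread.
WILDCARD_SAN = ["*.domain.tld"]
APEX_PLUS_WILDCARD_SAN = ["domain.tld", "*.domain.tld"]
SERVICES = {
    "web": ["domain.tld", "www.domain.tld"],
    "jabber": ["domain.tld", "jabber.domain.tld"],
}
HOSTS = ["domain.tld", "www.domain.tld", "jabber.domain.tld", "a.b.domain.tld"]


if __name__ == "__main__":
    print("wildcard only, rejected for:", uncovered(WILDCARD_SAN, HOSTS))
    print("apex + wildcard, rejected for:", uncovered(APEX_PLUS_WILDCARD_SAN, HOSTS))
    for svc, san in per_service_sans(SERVICES).items():
        print(f"{svc}: SAN={san} rejected for: {uncovered(san, HOSTS)}")
```

Run it and the wildcard-only list rejects both `domain.tld` and `a.b.domain.tld`; adding the apex as a second SAN entry fixes the first but not the second, which needs its own name (or a `*.b.domain.tld` entry). The per-service dictionary is the shape of the "one certificate per service, apex listed in each" arrangement described above.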

Dear MichaelKing1832
Thank you for your description and follow-up.
I'm so grateful to you 🙂
I'll learn and get experienced much more...

Hey MichaelKing1832,

Do you have a reference source link for your statement: "You really shouldn't mix/combine the security of completely different services (thats what a certificate is - service identity) in a single certificate."

In a blog post of mine I want to link to your comment here but also link to an official document/RFC.

Thanks a lot - and thanks heddi.nabbisen for this post!
