• Rebel Alliance Developer Netgate

    Curious, what do you see as your potential use case for them? Unless all consumers of the certificate are on the same box, it just replaces the inconvenience of setting up multiple ACME clients with a different inconvenience: figuring out how to sync the cert to other local systems securely.

    The only use case I can think of where it would save time would be if there were many, or dynamic, subdomains on a single web server. Really just dynamic, since a single LE cert can have 100 SANs; it would take a while to cross the point where wildcards help.

    With a normal CA, past a certain point it's a cost-saving measure, but you also only have to worry about copying it around once a year…

  • Well, for one, ppl can see what SAN names you have on a cert, and then access services you don't want to reveal to just everyone. It's public, but still, a wildcard can help in this area a bit. Also, one cert for all is easily maintainable, etc…
    You just have to cover one and not many subdomains, which is easier... Also, when you're adding a subdomain, no more issuing a new cert; just use the existing one and that's it..

  • LAYER 8 Global Moderator

    "Well, for one, ppl can see what SAN names you have on a cert, and then access services you don't want to reveal to just everyone"

    What? Could you please describe such a scenario? So I set up a cert with common name server.domain.tld, I then set up a SAN so I can also hit it by IP – how does that reveal something?

    Are you saying you're creating a cert with different FQDNs so you have, say,

    san server.domain.tld
    san other.domain.tld

    And then using this same cert on 2 different servers? And you're saying you want users to know about server but not other? ???

  • Yeah, sth like that. Not to use a wildcard for security and depend on that so ppl can't see other domains, but still… Every measure counts a little 😁
    For me it would just simplify deployment a lot; I don't care for other things so much...

  • LAYER 8 Global Moderator

    Using the same cert on multiple servers is pretty much borked out of the box. You should use a unique cert for each server or service you're running. And you sure shouldn't be putting multiple SANs on a cert that are not for the unique service you're using the cert for.

    JimP's scenario would be if you're running, say, serviceA.domain.tld, serviceB.domain.tld, serviceC.domain.tld on the same host - you could simplify by using SANs on this one cert for these different services. But normally each service should use its own unique cert. A SAN should really only allow for a different name or IP, etc., that is used for that specific service.

  • ehmmm…
    I know what SAN is used for.
    But if you have 1 host and 30 domains and even more subdomains, SAN is a nightmare to maintain.
    Wildcard will solve my problems completely, because there will be one cert for each domain and no more issuing new certs for that domain's subdomains (now if you add a subdomain you have to issue a new cert or add a SAN name to the existing one).
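The claim above that one wildcard cert covers "that domain's subdomains" is true only for a single label: browsers apply the RFC 6125 rule, under which `*.example.com` matches `www.example.com` but neither the bare `example.com` nor `a.b.example.com`, so those names still have to be listed (or issued) separately. The matcher below is an added example, not code from this thread, pfSense or Let's Encrypt; the certificate names and hostnames it checks are constructed for illustration, and it lets an operator verify which of their names a planned SAN/wildcard list would actually cover before requesting it.

```python
"""Check which hostnames a set of certificate names (SAN entries) covers.

Implements the wildcard matching rule from RFC 6125 section 6.4.3 as
browsers apply it: a "*" is accepted only as the entire left-most label,
it must be followed by at least two more labels (so "*.com" is refused),
and it matches exactly one label. Example code, not from pfSense or any
ACME client; all names below are constructed.
"""

from typing import Optional


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """True if the certificate name `pattern` covers `hostname`."""
    p = _labels(pattern)
    h = _labels(hostname)
    if "*" not in pattern:
        # Plain SAN entry: exact (case-insensitive) match only.
        return p == h
    # Wildcard must be the whole left-most label ("w*.example.com" is
    # refused), appear only there, and leave at least two labels after it.
    if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
        return False
    # The "*" stands for exactly one label: same label count, and every
    # label to the right of it must be identical.
    return len(h) == len(p) and h[1:] == p[1:]


def covered_by(cert_names: list[str], hostnames: list[str]) -> dict[str, Optional[str]]:
    """Map each hostname to the first certificate name that covers it, or None."""
    return {
        host: next((n for n in cert_names if name_matches(n, host)), None)
        for host in hostnames
    }


if __name__ == "__main__":
    # Constructed example: a wildcard cert that also lists the apex name.
    planned_san = ["*.example.com", "example.com"]
    wanted = ["example.com", "www.example.com", "api.example.com",
              "a.b.example.com", "other.tld"]
    for host, by in covered_by(planned_san, wanted).items():
        print(f"{host:20s} -> {by or 'NOT COVERED'}")
```

Names that come back as not covered (`a.b.example.com`, `other.tld` in the sample) need their own SAN entry or a wildcard one level deeper, which is the maintenance work the wildcard was supposed to remove.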

  • @jimp:

    "Curious, what do you see as your potential use case for them?"

    I use WC for HAProxy instances on pfSense for HTTP/S redirection. It is much easier not to mess with certificate re-issue and reconfiguring HAProxy for another certificate.
    But I only have a bunch of subdomains on one 2nd-level domain.

  • LAYER 8 Global Moderator

    "I know what SAN is used for."

    If you think you should be putting different service names and IPs on one cert and using these certs on multiple devices, and are worried about the SAN leaking info that it shouldn't, then I question your understanding of their use ;)

    Completely agree with you, and what jimp was stating is that if you are running a webserver and you have a bunch of subdomain sites on this server, a wildcard would make it easier.. But this clearly could be accomplished with SANs, or better even would be to run them with their own unique certs.

    So you just want wildcards because you're lazy ;) And don't want to correctly use unique certs for your different services/sites/etc. And just 1 cert to do it all and not even have to worry about adding SANs to it..

  • I use SANs the proper way. Many people don't.

    I'm lazy; a wildcard is great for me and many more.

    Why bother with SANs and adding every single subdomain on it?
    Is it more secure? - NO
    Is it safer? - NO
    Is it more practical? - NO

    The only thing is…. If you have to revoke it, then you have quite a lot of work to do to replace the cert everywhere if you don't have the automation to do it. But since certs are valid for 3 months, and in the future maybe less, you should have automation deployed already ;)

  • Banned

    It will greatly help those who use a lot of subdomains, or have services where a lot of subdomains point to the same server, and even the same virtual host, but perform different actions based on what subdomain name is used. It opens up a lot more flexibility in their use.

  • I support this. I have a lot of domains and subdomains, and use them for IIS 10; there are no good ways to auto-renew and bind these certs. Let's Encrypt cert time is so short. :)