
Adding alternate domains to the SSL cert #529

Answered by msimerson
greenshrike asked this question in Q&A

I won't be adding this to MT6. I've used dozens of certs with numerous alternate names in the past and I don't recommend it unless all the alt names are within the same domain name. Why? If one alternate name in your cert-of-many-alternates stops resolving, perhaps because it's a client domain and they didn't renew it, now that entire cert will fail to renew. If your monitoring is set up to notice, you'll catch it before it impacts customers, but that's still a far-less-than-great failure mode. Instead, just create a cert for every domain name. Haproxy, dovecot, and Haraka all have SNI support so that they'll return the TLS certificate that matches the hostname the client asked for.

Answer selected by msimerson
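
A monitoring check for the failure mode described in the answer, as an added example that is not part of the original discussion or of MT6: it lists which alternate names would block a cert's renewal and which hostnames lose TLS as a result, comparing one multi-name cert with one cert per name. The hostnames, cert labels and the `fake_resolver` stand-in for DNS are constructed so the script runs offline; the real SAN lists would come from your own certificates.

```python
import socket

def dns_resolves(name):
    """Default resolver: True if the name has at least one address record."""
    try:
        socket.getaddrinfo(name, 443)
        return True
    except socket.gaierror:
        return False

def renewal_blockers(certs, resolves=dns_resolves):
    """Map each cert label to the alternate names that no longer resolve.

    A cert with any blocker fails renewal as a whole, which is the
    failure mode the answer describes.
    """
    report = {}
    for label, names in certs.items():
        dead = [n for n in names if not resolves(n)]
        if dead:
            report[label] = dead
    return report

def names_losing_tls(certs, blockers):
    """Every hostname served by a cert that cannot renew."""
    return sorted(n for label in blockers for n in certs[label])

# Constructed sample data: the client behind example.org let the domain lapse.
LIVE = {"mail.example.com", "mail.example.net"}
fake_resolver = LIVE.__contains__  # assumption: stands in for real DNS

ALL_NAMES = ["mail.example.com", "mail.example.net", "mail.example.org"]
ONE_BIG_CERT = {"shared": ALL_NAMES}              # one cert, many alt names
PER_DOMAIN_CERTS = {n: [n] for n in ALL_NAMES}    # one cert per name, picked by SNI

if __name__ == "__main__":
    layouts = [("one multi-name cert", ONE_BIG_CERT),
               ("one cert per name", PER_DOMAIN_CERTS)]
    for title, layout in layouts:
        blockers = renewal_blockers(layout, fake_resolver)
        print(f"{title}: blockers={blockers}")
        print(f"  hostnames losing TLS: {names_losing_tls(layout, blockers)}")
```

Calling `renewal_blockers(certs)` without the second argument uses real DNS lookups, so it can run from cron ahead of the renewal window.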

This discussion was converted from issue #528 on December 24, 2022 19:11.