On 1/9/19 3:15 AM, Daniel Margolis wrote:
*snip*
I think this is hard. You probably could get a single cert with SANs for
all of your 80 domains, or one for each new domain, but you will have to
figure out how to automate this (and I guess use SNI to pick the right
cert on the server side--note that the RFC does require SMTP clients to
support SNI, so as to enable this).
*snip*
Note that you can use certbot to submit a CSR with multiple alternative
names and, if desired, re-use the private key to reduce DANE rollover
issues. That's what I do with Let's Encrypt: I only change the private key
once a year so DANE is easier.
I've never tried it with 80 domains in a single cert, and I do not know if
they have a limit, but I have tried it with four or five and it works.
They do a challenge for each alternative name, but that should succeed if
they resolve to the same IP address.
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta
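
The CSR-with-reused-key approach described in the reply above, as an added sketch that is not part of the original message. The file paths and host names are constructed placeholders, the "3 1 1" TLSA usage is an assumption (the message only says DANE), and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original thread. All names are placeholders.

# Create the long-lived private key once; on later renewals the existing
# key is kept, so the published TLSA record stays valid.
make_key() {                      # $1 = key path
    [ -f "$1" ] || openssl genpkey -algorithm EC \
        -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

# Build a CSR from the existing key with one SAN entry per host name.
make_csr() {                      # $1 = key, $2 = CSR out, $3.. = DNS names
    csr_key=$1; csr_out=$2; shift 2
    san=""
    for name in "$@"; do san="${san:+$san,}DNS:$name"; done
    openssl req -new -key "$csr_key" -subj "/CN=$1" \
        -addext "subjectAltName=$san" -out "$csr_out"
}

# SHA-256 over the DER SubjectPublicKeyInfo: the association data of a
# "3 1 1" TLSA record (assumed usage). It depends only on the key.
tlsa_311_from_key() {             # $1 = private key
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Same digest taken from a CSR, to confirm the CSR carries the pinned key
# before it is submitted.
tlsa_311_from_csr() {             # $1 = CSR
    openssl req -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Submit the CSR. Needs network access and an authenticator option of
# your choice passed as extra arguments, so nothing calls it here.
request_cert() {                  # $1 = CSR, $2.. = extra certbot options
    csr=$1; shift
    certbot certonly --csr "$csr" "$@"
}
```

Comparing `tlsa_311_from_csr` against the digest already published in DNS before calling `request_cert` catches an accidental key change before the new certificate is deployed.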