On Sat, 24 Sep 2016, Kevin Kofler wrote:
> Nicolas Chauvet wrote:
>> letsencrypt doesn't provide wildcard, and that will be a different
>> server (so a different cert).
> It doesn't allow wildcards, but it allows you to give up to 100 SANs
> (subject alternative names) for a certificate (the canonical one and 99
> more). So you can use the same cert for all *.rpmfusion.org subdomains
> (unless there are more than 100), but of course you don't have to.

They verify all the SANs for free certs by reading a cookie from the
website, and that would be impossible for a wildcard. So the SAN list
is really the only way it could be done for that level of verification.
Also, letsencrypt only signs ICANN domains - mainly because they use
the ICANN root to verify the domains. (I.e. they won't help with .bit
domains among others.)
--
Stuart D. Gathman <stuart(a)gathman.org>
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
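
Added example, not part of the original message: a Python sketch of planning SAN lists under the constraints stated in the thread (at most 100 names per certificate, no wildcards, every name validated individually), plus a check for hosts a certificate fails to name. The function names and the `hostNNN` subdomains are constructed for illustration.

```python
MAX_SANS = 100  # per-certificate name limit as stated in the thread above

def normalize(name):
    """Lower-case a hostname and drop surrounding space and a trailing dot."""
    return name.strip().lower().rstrip(".")

def plan_certificates(hostnames, zone, max_sans=MAX_SANS):
    """Split hostnames into SAN lists of at most max_sans names each.

    Returns (batches, rejected). Wildcards and names outside `zone` are
    rejected, because each name has to be validated on its own.
    """
    zone = normalize(zone)
    accepted, rejected, seen = [], [], set()
    for raw in hostnames:
        name = normalize(raw)
        if not name or name in seen:
            continue  # skip blanks and duplicates
        seen.add(name)
        in_zone = name == zone or name.endswith("." + zone)
        if "*" in name or not in_zone:
            rejected.append(name)
        else:
            accepted.append(name)
    # Apex first, then alphabetical, so each batch's first (canonical) name is stable.
    accepted.sort(key=lambda n: (n != zone, n))
    batches = [accepted[i:i + max_sans] for i in range(0, len(accepted), max_sans)]
    return batches, rejected

def uncovered(served_hosts, san_list):
    """Hosts a server answers for that the certificate's SAN list does not name."""
    sans = {normalize(s) for s in san_list}
    return sorted({normalize(h) for h in served_hosts} - sans)

if __name__ == "__main__":
    # Constructed sample input: 120 hypothetical subdomains plus two bad entries.
    hosts = ["rpmfusion.org", "*.rpmfusion.org", "example.net", "WWW.rpmfusion.org."]
    hosts += ["host%03d.rpmfusion.org" % i for i in range(120)]
    batches, rejected = plan_certificates(hosts, "rpmfusion.org")
    for n, batch in enumerate(batches, 1):
        print("cert %d: canonical=%s, %d SANs" % (n, batch[0], len(batch)))
    print("rejected:", rejected)
    print("not covered by cert 1:", uncovered(["download.rpmfusion.org"], batches[0]))
```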