
I have a domain name with dynamic DNS (DDNS) for my home server, on which I expose multiple services (web server, wikis, issue trackers, etc.) online. Some services are hosted by the same software (e.g. the web server for the website and the wiki run on different ports served by the same apache2 instance), others by separate software (e.g. the issue tracker). I only own the domain name without subdomains and distinguish the services by non-standard ports (e.g. 1234 to 1243). So far I have used self-signed certificates in order to learn administration and get a minimum of security. That all works fine.

Now I have got an SSL certificate from letsencrypt.org and want to use it for as many services as possible.

Is it better practice to use as few certificates as possible/keep the chain as short as possible, or is it considered better to have a separate certificate for each service/port? The former follows the KISS paradigm, but an issue with the certificate would affect all services (I don't know of any, but there might be some); the latter would increase the maintenance effort at creation, setup and renewal.

There might be issues which arise after general availability of IPv6, which I'm not very familiar with.

Kalle Richter

2 Answers


"Complexity is the enemy of security"

I would always look to use the fewest certs possible, for a number of reasons, mostly the ease of administration. It's my understanding that letsencrypt is not currently allowing wildcard certificates (these certificates essentially allow you to secure all subdomains of a domain, where traditional certificates only allow a specific name, i.e. secure.domain.com).

Now, with that said, wildcard certs come at a premium and they can be quite expensive, especially if you're using them simply for personal use. In that case you may find that you'll need to key multiple certificates and expose them via non-standard ports as you've described; however, in a professional setting I'd go with wildcard certs simply because of the ease of administration. The easier the administration, the less likely you are to miss something / screw up a configuration, which reduces your attack vector, in my opinion.

DKNUCKLES
  • Letsencrypt doesn't allow wildcard but does allow up to 100 names in SAN. – dave_thompson_085 Jul 21 '16 at 00:30
  • As of March 2018, Lets Encrypt does allow wildcard certificates - https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579/ – culix Jun 21 '22 at 16:06
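The answer and its comments turn on what a certificate's names cover, so here is an added illustration (it is not code from the answerer, the commenters or Let's Encrypt) of the rule a TLS client applies when it checks a certificate's Subject Alternative Name (SAN) entries against the name it connected to. It encodes the dNSName matching rules of RFC 6125 section 6.4.3 as tightened by RFC 9525: labels compare case-insensitively, a wildcard is accepted only as the entire left-most label, it matches exactly one label, and it never matches the bare apex name. The port is not part of the comparison at all, which is the practical point for the question: one certificate for the apex name is valid on every port the server listens on, and which certificate a listener presents is a server configuration choice, not a property of the certificate. The hostnames, SAN lists and port numbers below are constructed placeholders; iPAddress SAN entries are not handled.

```python
"""Which services does one certificate's SAN list cover?

dNSName reference-identifier matching per RFC 6125 section 6.4.3 and RFC 9525:
case-insensitive label comparison, a single leading wildcard label matching
exactly one label, no match of a wildcard against the apex name itself.
Ports never enter the comparison: TLS server identity is the DNS name.
"""
from typing import Dict, Iterable, Sequence, Tuple


def _normalize(name: str) -> str:
    # Trailing dot and case are insignificant in DNS names.
    return name.strip().rstrip(".").lower()


def hostname_matches_san(hostname: str, san_entry: str) -> bool:
    """Return True if a single dNSName SAN entry covers `hostname`."""
    host = _normalize(hostname)
    san = _normalize(san_entry)
    if not host or not san:
        return False
    host_labels = host.split(".")
    if any(not label for label in host_labels):
        return False  # empty labels such as "a..example.com" are malformed
    if "*" not in san:
        return host == san  # plain entry: exact match only
    san_labels = san.split(".")
    # Only "*" as the whole left-most label is a valid wildcard (RFC 9525
    # removes partial-label forms like "f*.example.com").
    if san_labels[0] != "*" or any("*" in label for label in san_labels[1:]):
        return False
    if len(san_labels) < 3:
        return False  # refuse "*.com": a wildcard must sit under a real domain
    # "*" consumes exactly one label: same label count and identical tail.
    # This is why "*.example.com" matches neither "example.com" nor
    # "a.b.example.com".
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def covered_by(cert_sans: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry of the certificate covers `hostname`."""
    return any(hostname_matches_san(hostname, san) for san in cert_sans)


def coverage_report(cert_sans: Sequence[str],
                    services: Iterable[Tuple[str, int]]) -> Dict[str, bool]:
    """Map 'host:port' -> whether the certificate covers that service.

    The port is carried along only for the reader; the match ignores it.
    """
    return {f"{host}:{port}": covered_by(cert_sans, host) for host, port in services}


# Constructed sample data (placeholders, not real hosts):
# a certificate for the apex name only, as in the question ...
APEX_ONLY_SANS = ["example.com"]
# ... and the common apex-plus-wildcard pair issued as one certificate.
APEX_PLUS_WILDCARD_SANS = ["example.com", "*.example.com"]

SERVICES = [
    ("example.com", 443),        # website
    ("example.com", 1234),       # wiki on a non-standard port
    ("example.com", 1243),       # issue tracker on another port
    ("wiki.example.com", 443),   # a subdomain, should one be added later
    ("a.b.example.com", 443),    # two labels below the apex
]

if __name__ == "__main__":
    for label, sans in (("apex only", APEX_ONLY_SANS),
                        ("apex + wildcard", APEX_PLUS_WILDCARD_SANS)):
        print(f"certificate SANs: {sans}  ({label})")
        for service, ok in coverage_report(sans, SERVICES).items():
            print(f"  {service:<24} {'covered' if ok else 'NOT covered'}")
```

Running it shows that every `example.com:<port>` row is covered by the apex-only certificate, so the question's port-per-service layout needs exactly one certificate; only the subdomain rows differ between the two SAN lists, and `a.b.example.com` is covered by neither, because a wildcard spans one label. If subdomains are added later, the apex name and the wildcard (or each subdomain, up to the 100-name limit mentioned in the comment) have to be listed explicitly in the SAN.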

It depends on multiple factors: certificate management strategy, policies and so on.

For general-purpose web applications I would go with a single certificate per machine if they use different names. You can run separate certificates on a per-service basis, but this will increase the administrative effort in certificate management. If you go with a single certificate for all applications, you increase the chance of breaking them all in the case of a certificate failure (a sort of single point of failure). I think the fewer certs you manage, the fewer problems you get.

Crypt32