2

1) Is it a good security practice to have a separate TLS certificate for each sub-domain?

2) Is a wildcard certificate (i.e. one certificate for many/every sub-domain) a bad practice?

user9371654

1 Answer

2

It is more relevant how much the private key for a certificate is at risk than if the certificate contains multiple domains (either as subdomains or as wildcards) or only a single domain.

For example, if you have multiple machines with each machine having its own subdomain, then the risk is lower if you have separate certificates with their own private key on these machines instead of using the same certificate and private key on all these machines. If instead you only have a single machine serving all these domains, then it does not really matter.

Using wildcard certificates by itself is a larger risk since more subdomains are affected if the private key is compromised. But apart from that it is similar to single vs. multiple subdomains per certificate, i.e. it mainly matters how well the private keys are protected.

If instead your private keys are kind of easy to get stolen in the first place then having only a single domain per certificate can considerably limit the impact of a stolen private key. But if such easy compromise is possible then you should probably start improving the security of your private key first.

Steffen Ullrich
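To make the answer's reasoning concrete, here is an added example (not from the question or the answer above) that models the blast radius of a compromised private key: for each key it lists the machines that hold a copy and the hostnames from an inventory the key could impersonate. The machine names, key ids, hostnames and the wildcard rule (a `*.` label matches exactly one DNS label, never the apex) are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Deployment:
    machine: str   # host that stores the private key
    key_id: str    # fingerprint of the key pair (constructed label here)
    sans: tuple    # dNSName entries in the certificate


def san_matches(san, hostname):
    """True if a certificate name covers hostname; '*.x' matches one label only."""
    san, hostname = san.lower(), hostname.lower()
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[:-len(suffix)]        # the part the wildcard stands for
    return bool(left) and "." not in left  # exactly one label, apex excluded


def blast_radius(deployments, inventory):
    """Map key_id -> (machines holding the key, hostnames it can impersonate)."""
    by_key = defaultdict(lambda: (set(), set()))
    for d in deployments:
        machines, hosts = by_key[d.key_id]
        machines.add(d.machine)
        for san in d.sans:
            hosts.update(h for h in inventory if san_matches(san, h))
    return {k: (sorted(m), sorted(h)) for k, (m, h) in by_key.items()}


def riskiest_key(deployments, inventory):
    """Key with the largest exposure: hosts impersonated times copies in circulation."""
    radius = blast_radius(deployments, inventory)
    return max(radius, key=lambda k: len(radius[k][1]) * len(radius[k][0]))


# Constructed sample: two per-host keys plus one wildcard key copied to two machines.
INVENTORY = ["www.example.com", "mail.example.com", "api.example.com",
             "dev.api.example.com", "example.com"]
DEPLOYMENTS = [
    Deployment("web-1", "key-A", ("www.example.com",)),
    Deployment("mail-1", "key-B", ("mail.example.com",)),
    Deployment("api-1", "key-W", ("*.example.com",)),
    Deployment("api-2", "key-W", ("*.example.com",)),  # same key on a second host
]

if __name__ == "__main__":
    for key, (machines, hosts) in blast_radius(DEPLOYMENTS, INVENTORY).items():
        print(f"{key}: held on {machines}; compromise exposes {hosts}")
```

Running it shows that losing `key-W` exposes every single-label subdomain from two machines, while `key-A` or `key-B` each expose one host from one machine, which is the trade-off the answer describes.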