Subject Alternative Names
acme-client(1) is unable to provide wildcard certificates. Instead, you can specify the common name and any alternative names in its configuration file. By using subject alternative names, it is possible for a single certificate to serve multiple different hostnames.
Subject alternative names (SAN) are an extension to the X.509 specification used in SSL certificates. A single certificate can then use multiple names. This is important because TLS validation will fail if the name of the host doesn't match the name on the certificate.
Using alternative names, you can provide more names for the server beyond the common name. As an example, example.com could be the common name, and www.example.com and wiki.example.com could be alternative names on the same certificate.
Warning: While a handful of alternative names are fine, using too many alternative names can cause acme-client(1) to fail. We recommend keeping the number of alternative names to 5 or fewer.
It's recommended that all names for a single service be grouped together in a single certificate. For example, if the common name is mail.example.com, the alternative names webmail.example.com and email.example.com would make sense. However, www.example.com is used by a different service (web instead of mail), so it might be better suited to a different certificate, since acme-client(1) can have issues with too many alternative names on a single certificate.
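The grouping described above, written as an acme-client.conf(5) fragment. This is an added example, not configuration from the original page; the authority name, its API URL and all key and certificate paths are assumptions to adapt to your system.

```conf
# /etc/acme-client.conf
# Added example: the authority name, API URL and file paths are assumptions.
authority letsencrypt {
	api url "https://acme-v02.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"
}

# Mail service: the common name is the domain handle, and the other
# mail-related hostnames ride along as subject alternative names.
domain mail.example.com {
	alternative names { webmail.example.com email.example.com }
	domain key "/etc/ssl/private/mail.example.com.key"
	domain full chain certificate "/etc/ssl/mail.example.com.fullchain.pem"
	sign with letsencrypt
}

# Web service: a separate certificate with its own key, so the mail
# certificate's name list stays short (5 or fewer alternative names each).
domain example.com {
	alternative names { www.example.com wiki.example.com }
	domain key "/etc/ssl/private/example.com.key"
	domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
	sign with letsencrypt
}
```

Each certificate is requested separately by passing its domain handle to acme-client(1), for example `acme-client -v mail.example.com`.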