Wildcard TLS Certificates (+ DNS using DNSSEC)
Problem to solve
Currently we create a separate TLS certificate for each of our services. As our platform grows, more and more certificates will be in use. Let's Encrypt imposes rate limits on issuance (currently 50 certificates per registered domain per week, and 5 duplicate certificates per week), so it is beneficial to keep the number of certificates as low as possible. One way to do this is a wildcard certificate. The problem is that we currently cannot obtain one: Let's Encrypt issues wildcard certificates only via the DNS-01 challenge, which requires a DNS nameserver with an API so that the _acme-challenge TXT record can be set automatically, and our current DNS hosting does not offer one.
Intended users
- Everyone browsing our services
Proposal
One option is to move DNS hosting to an external nameserver provider while keeping our current domain registrar. For example, deSEC offers a REST API, automatic DNSSEC signing and hosting in Germany. With the API, certbot (or another ACME client) can complete the DNS-01 challenge and obtain wildcard certificates from Let's Encrypt. Two things to keep in mind: the NS records for the domain must be changed at the registrar to point at deSEC's nameservers, and DNSSEC only takes effect once the DS record that deSEC provides is published at the registrar as well.
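As an added example (not part of this proposal and not code from the deSEC or certbot projects), the following certbot manual auth hook shows what the DNS-01 flow looks like in practice: it takes the validation value certbot exports, derives the deSEC subname for the _acme-challenge record (including the wildcard case, where the "*." label is dropped), merges it into the existing TXT RRset and writes it back through the API. DESEC_TOKEN and DESEC_ZONE are environment variables assumed by this script; the endpoint paths follow the deSEC API documentation as understood here and should be checked against it before use.

```python
"""certbot --manual-auth-hook for DNS-01 via the deSEC API (added example).

certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook. DESEC_TOKEN
and DESEC_ZONE are environment variables this script assumes; the endpoint
paths are taken from the deSEC API docs as understood here (verify before use).
"""
import base64
import hashlib
import json
import os
import sys
import urllib.request

DESEC_API = "https://desec.io/api/v1"
DESEC_MIN_TTL = 3600  # assumption: deSEC's default minimum TTL for an RRset


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 s8.4: TXT value = b64url(SHA-256(token "." JWK thumbprint)).
    certbot already passes this as CERTBOT_VALIDATION; it is computed here so a
    published record can be checked against the ACME account independently."""
    key_auth = f"{token}.{account_thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_auth).digest())


def challenge_name(domain: str) -> str:
    """Name the CA queries. A wildcard's '*.' label is dropped (RFC 8555
    s7.1.3), so *.example.de and example.de share one record name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def desec_subname(domain: str, zone: str) -> str:
    """deSEC addresses records by 'subname' relative to the zone."""
    name = challenge_name(domain)
    suffix = "." + zone
    if not name.endswith(suffix):
        raise ValueError(f"{domain} is not inside zone {zone}")
    return name[: -len(suffix)]


def merge_txt_records(existing: list, txt_value: str) -> list:
    """A cert for example.de + *.example.de yields two challenges on the same
    name, so add to the RRset instead of replacing it. deSEC stores TXT
    contents quoted."""
    quoted = f'"{txt_value}"'
    return existing if quoted in existing else existing + [quoted]


def desec_rrset(domain: str, zone: str, txt_value: str,
                existing: list = (), ttl: int = DESEC_MIN_TTL) -> dict:
    """Body for the deSEC RRset endpoint."""
    if ttl < DESEC_MIN_TTL:
        raise ValueError(f"TTL {ttl} is below deSEC's minimum of {DESEC_MIN_TTL}")
    return {"subname": desec_subname(domain, zone), "type": "TXT",
            "ttl": ttl, "records": merge_txt_records(list(existing), txt_value)}


def desec_request(method: str, path: str, token: str, body=None):
    """One authenticated call against the deSEC API (network; not exercised offline)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{DESEC_API}{path}", data=data, method=method,
                                 headers={"Authorization": f"Token {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"[]")


def publish(domain: str, zone: str, txt_value: str, token: str) -> dict:
    """Read the current _acme-challenge TXT RRset, add the new value and write
    it back with a bulk PATCH (creates the RRset if it does not exist yet)."""
    subname = desec_subname(domain, zone)
    current = desec_request("GET", f"/domains/{zone}/rrsets/?subname={subname}&type=TXT", token)
    existing = current[0]["records"] if current else []
    rrset = desec_rrset(domain, zone, txt_value, existing)
    desec_request("PATCH", f"/domains/{zone}/rrsets/", token, [rrset])
    return rrset


if __name__ == "__main__":
    # Invoked by, for example:
    # certbot certonly --manual --preferred-challenges dns \
    #   --manual-auth-hook ./desec_hook.py \
    #   -d opensourceecology.de -d '*.opensourceecology.de'
    env = {k: os.environ.get(k) for k in
           ("CERTBOT_DOMAIN", "CERTBOT_VALIDATION", "DESEC_TOKEN", "DESEC_ZONE")}
    missing = [k for k, v in env.items() if not v]
    if missing:
        sys.exit(f"missing environment variables: {', '.join(missing)}")
    rrset = publish(env["CERTBOT_DOMAIN"], env["DESEC_ZONE"],
                    env["CERTBOT_VALIDATION"], env["DESEC_TOKEN"])
    print(f"published {rrset['subname']}.{env['DESEC_ZONE']} TXT {rrset['records']}",
          file=sys.stderr)
```

In real use the hook should not return until deSEC's authoritative nameservers actually answer with the new record (for instance by querying them in a loop), because certbot starts validation as soon as the hook exits; a matching --manual-cleanup-hook should remove the record afterwards. The API token should be scoped to the one zone and stored only on the host that runs the renewals.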
Further details
Possible use cases:
- Use a single wildcard certificate (*.opensourceecology.de) for the bulk of our public services and perhaps a second one for administrative services. Note that a wildcard covers only one label level: *.opensourceecology.de covers neither opensourceecology.de itself (which must be listed as an additional name) nor a.b.opensourceecology.de. Also, the private key of a shared wildcard certificate ends up on every host that serves it, so a compromise of any one of them exposes all of them; keeping administrative services on a separate certificate limits that blast radius.
- With the zone signed by DNSSEC we might also be able to use Encrypted SNI with TLS 1.3: the server's ESNI public key is published in DNS, so clients need an authentic DNS answer to make use of it. ESNI has since been superseded by Encrypted Client Hello (ECH), and support also depends on our web server software and on browser-side DNS resolution (so far tied to DNS-over-HTTPS).
Additional Resources:
- https://administrator.de/forum/funktioniert-subdomains-fritzbox-537565.html#comment-1420979
- https://blog.cloudflare.com/encrypted-sni/