Subject Alternative Name (SAN) for managed SSL certificates

Are there any plans to add Subject Alternative Name (SAN) support for certificates generated by the managed SSL offering?

We have some wildcard certs with a fixed number (~10 for now, but potentially a few more in the future) of wildcard subdomains (i.e. *.stuff.example.com, *.things.more.example.com and so on, but all under the same TLD, just at differing levels) using Let’s Encrypt SAN support. It would be nice if we could do something similar using the Fly managed SSL certificates.

I realise we could create an individual wildcard cert for each of these subdomains, but for this use case using SAN has less operational complexity. Another not quite as important, but still potential, longer-term issue if we move towards custom domain support for users is the cost aspect of that many individual wildcard certificates for each user.

We’ve looked at adding SANs to certs, but the UX gets extreme. It’s simple to show validation feedback for one hostname, much harder for 2+. And in our infrastructure, managing issued certs is the easy part; doing the cert authorizations is the complex bit.

The use case is interesting though. If wildcard certificates were a lot cheaper on Fly.io, would you be worried about SANs?

Yeah, I can totally see the UX issues when it comes to validation. We lump all the variations of wildcards together on a single certificate right now because they are all associated with the same service, so that makes our UX a little bit easier regarding managing the certs. It wouldn’t be too hard to split them into individual certs for each subdomain, especially if the management/renewal aspect of them is then handled for us.

If wildcards were cheap enough, that would most likely remove the need for SANs when it comes to something like the potential for custom user domains when combined with our number of wildcards that would be required per user.