Single CA Cert vs Multiple Certificates

TL;DR

For public production environments, using multiple individual certificates is generally preferable to a single Certificate Authority (CA) certificate with many Subject Alternative Names (SANs). While a multi-SAN cert can work, it increases the blast radius of compromise and complicates revocation. Individual certs offer better security and easier management.

Why This Matters

Certificates are crucial for secure communication (HTTPS) on the internet. A CA certificate is used to sign other certificates, verifying their authenticity. The choice between a single, large SAN certificate and many smaller individual ones impacts your cybersecurity posture and operational overhead.

The Problem with Large Multi-SAN Certificates

1. Increased Blast Radius: If the private key for a multi-SAN certificate is compromised, all domains listed in the SAN are affected. This can lead to widespread outages and trust issues.
2. Revocation Complexity: Revoking a single domain from a multi-SAN certificate requires reissuing the entire certificate with updated SANs. This impacts all other domains on that cert, even if they weren’t involved in the compromise.
3. Certificate Size Limits: Browsers and servers have limits on the number of SAN entries allowed in a single certificate. You might hit these limits as your infrastructure grows.
4. Caching Issues: Changes to a multi-SAN cert can cause widespread caching issues, requiring longer propagation times for updates.

Why Individual Certificates Are Better

1. Reduced Blast Radius: A compromise of one certificate only affects the domain it secures. Other domains remain safe.
2. Simplified Revocation: You can revoke a compromised certificate without impacting other services. This is much faster and less disruptive.
3. Easier Management: Individual certificates are easier to track, rotate, and manage, especially with automation tools.
4. Flexibility: Different domains can use different validity periods or CA providers if needed.

Step-by-Step Guide: Implementing Individual Certificates

1. Choose a Certificate Authority (CA): Select a reputable CA that meets your security and compliance requirements. Let’s Encrypt is a popular free option for many use cases.
2. Generate a Certificate Signing Request (CSR) for each domain: Use OpenSSL or your web server’s tools to create a CSR.

   openssl req -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr

3. Submit the CSR to your CA: Follow your CA’s instructions for submitting the CSR and validating domain ownership (usually via DNS records or email verification).
4. Install the Certificate: Once issued, install the certificate on your web server. The process varies depending on your server software (Apache, Nginx, etc.).
5. Automate Renewal: Use tools like Certbot to automate certificate renewal before they expire.

   certbot certonly --webroot -w /var/www/example.com -d example.com -d www.example.com

6. Repeat for each domain: Repeat steps 2-5 for every domain you need to secure.

Considerations

• Cost: Individual certificates may have a higher upfront cost if using a paid CA, but the reduced risk and management overhead often outweigh this.
• Automation is Key: Automating certificate issuance and renewal is essential for managing a large number of individual certificates.
• Wildcard Certificates: For subdomains, consider wildcard certificates (e.g., *.example.com) to reduce the number of certificates needed, but be aware of the increased blast radius compared to individual certs.