How to generate SSL certificates in batches to enable HTTPS for multiple subdomains at the same time

In the modern internet environment, enabling HTTPS for websites has become a standard. Whether it's a personal website or an enterprise platform, SSL certificates are required for data encryption and authentication. This is especially true for websites with multiple subdomains, such as a primary domain containing a blog, API, shop, CDN, and other subdomains. Applying for a separate certificate for each subdomain is not only complex to manage, but also creates costs and maintenance burdens. Therefore, batch-generating SSL certificates and enabling HTTPS for multiple subdomains simultaneously has become a key skill for operations personnel and developers.

To understand how to achieve this, it's important to first understand the types and scope of SSL certificates. Based on the domain matching method, certificates are generally categorized as single-domain certificates, multi-domain certificates (SAN certificates), and wildcard certificates. Single-domain certificates protect only one domain, such as www.example.com; multi-domain certificates can protect multiple domains simultaneously; and wildcard certificates can protect all subdomains under a primary domain. For example, *.example.com can be used for multiple sites, such as blog.example.com, api.example.com, and cdn.example.com. For bulk HTTPS for multiple subdomains, wildcard certificates are undoubtedly the most convenient and efficient solution.

In practice, the most commonly used free SSL certificate provider is Let’s Encrypt. It supports automated issuance, renewal, and batch management, and is compatible with a variety of server environments. Let’s Encrypt uses the ACME protocol for certificate verification, allowing certificate generation and deployment to be automated through scripts. Below, using a Linux server as an example, we'll explain how to bulk generate SSL certificates and enable HTTPS for multiple subdomains simultaneously.

First, you need to install Certbot, the officially recommended automated client for Let’s Encrypt. For Debian or Ubuntu systems, you can install it using the following command:

sudo apt update
sudo apt install certbot python3-certbot-nginx -y

If you are using Apache server, you can install the Apache plugin:

sudo apt install certbot python3-certbot-apache -y

Once installed, Certbot can interact with your server, automatically requesting and configuring SSL certificates.

Suppose we have multiple subdomains, such as api.example.com, blog.example.com, and shop.example.com, and we want to enable HTTPS on all of them. The most straightforward way is to use Let’s Encrypt’s multi-domain certificate feature. Execute the following command:

sudo certbot --nginx -d example.com -d api.example.com -d blog.example.com -d shop.example.com

The -d parameter specifies the domains to bind. Certbot automatically communicates with the Let’s Encrypt server to verify ownership of these domains and, upon successful verification, issues a certificate covering multiple domains.

If you have a large number of websites or your domains change frequently, using a wildcard certificate is a more flexible solution. Let’s Encrypt also supports issuing wildcard certificates using DNS validation. To apply, execute the following command:

sudo certbot -d *.example.com -d example.com --manual --preferred-challenges dns certonly

During the execution, Certbot will prompt you to add a DNS record of type TXT, for example:

_acme-challenge.example.com  TXT  "Random verification string"

After adding, wait for the DNS resolution to take effect before continuing. Certbot will verify and generate the certificate file. The certificate file is generally stored in the /etc/letsencrypt/live/example.com/ directory, which contains four main files:

cert.pem        # Certificate File
chain.pem       # Intermediate Certificate
fullchain.pem   # Full certificate chain
privkey.pem     # Private Key

When configuring HTTPS, you typically use the fullchain.pem and privkey.pem files.

After generating the certificate, you need to configure Nginx or Apache on your server to enable HTTPS for multiple subdomains simultaneously. For example, in Nginx, you can add the following to the configuration file:

server {
    listen 443 ssl;
    server_name api.example.com blog.example.com shop.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}

The server_name parameter allows you to list multiple subdomains. Nginx will automatically match the corresponding site based on the accessed domain name. As long as all subdomains are included in the certificate, they can share the same SSL certificate. For wildcard certificates, simply specify server_name *.example.com for batch support.

To automatically redirect users to HTTPS when accessing HTTP, you also need to add a redirect rule to the configuration:

server {
    listen 80;
    server_name api.example.com blog.example.com shop.example.com;
    return 301 https://$host$request_uri;
}

This way, when users visit http://blog.example.com, they'll automatically be redirected to https://blog.example.com, ensuring all communications are encrypted.

Free certificates are valid for 90 days. To avoid the hassle of manually renewing them after expiration, you can schedule automatic renewals. Certbot provides the following command for automatic renewal:

sudo certbot renew --quiet

This command will detect all installed certificates and automatically renew them before they expire. You can use Crontab to schedule execution:

sudo crontab -e

在文件末尾添加一行：

0 3 * * * /usr/bin/certbot renew --quiet

This means the certificate will be automatically checked and renewed at 3:00 AM each day. Upon successful renewal, the Nginx or Apache configuration will be automatically reloaded to ensure uninterrupted HTTPS service operation.

For large websites or multiple servers, you can use the ACME DNS API or a third-party certificate management platform for centralized management. For example, acme.sh is more lightweight and flexible than Certbot and supports automatic verification for more DNS providers:

curl https://get.acme.sh | sh
source ~/.bashrc
acme.sh --issue -d example.com -d *.example.com --dns dns_cf

Here, dns_cf indicates that the API automatically adds verification records, thus achieving completely unattended batch issuance. The generated certificates can also be deployed directly to Nginx:

acme.sh --install-cert -d example.com \
--key-file /etc/nginx/ssl/example.com.key \
--fullchain-file /etc/nginx/ssl/example.com.crt \
--reloadcmd "systemctl reload nginx"

This approach is ideal for businesses that frequently add and remove subdomains or have multi-server clusters.

Using a reverse proxy or load balancing system can further simplify HTTPS deployment. By installing a wildcard certificate at the proxy level, all backend subdomains can share an encrypted channel, eliminating the need to configure individual certificates for each server. This not only improves management efficiency but also reduces the complexity of updates and maintenance.

It's important to note that while a wildcard certificate protects most subdomains, it doesn't cover second-level or deeper domains. For example, *.example.com won't cover shop.api.example.com. If your business has multiple subdomains, you'll still need to use a multi-domain certificate or tailor-made configuration.

After generating and configuring the certificate, you can verify the success of your HTTPS deployment using online tools such as SSL Labs or command-line commands:

curl -I https://api.example.com

If the return status code is 200 or 301 and valid TLS connection information is displayed, the certificate configuration is successful.