Let's Encrypt Wildcard Certificates on Azion Platform

SSL/TLS certificate management is fundamental to ensuring secure connections between clients and servers. In the context of distributed, high-availability environments like those offered by Azion, managing multiple certificates can become complex and costly. Wildcard certificates issued by Let’s Encrypt allow you to protect a domain and all its subdomains with a single certificate, significantly simplifying this management.

This documentation demonstrates how using Let’s Encrypt wildcard digital certificates can simplify certificate management for Azion customers, providing automation, security, and scalability.


What are Wildcard Certificates?

A wildcard certificate is a TLS certificate whose Subject Alternative Name list contains a wildcard entry such as *.example.com. That single entry covers every hostname exactly one label below example.com, for example:

  • www.example.com
  • blog.example.com
  • store.example.com
  • Any other single-label subdomain

The wildcard does not cover the apex example.com itself, nor deeper names such as api.staging.example.com. Let’s Encrypt certificates that must also cover the apex are issued with both example.com and *.example.com as SAN entries, and a deeper level needs its own *.staging.example.com entry.

By using a wildcard certificate, there’s no need to issue and renew individual certificates for each subdomain, which simplifies administration and reduces the risk of inconsistent configurations.
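The scope rules above are decided by the hostname-matching logic in the TLS client, not by the CA. The following added example (not Azion’s code, and not part of this page’s original content) implements that rule as browsers and public CAs apply it, per RFC 6125 section 6.4.3 with the restriction that "*" must be the entire left-most label; the SAN list and hostnames are constructed for illustration.

```python
# Added example (not Azion's code): the hostname-matching rule a TLS client
# applies to a certificate's SAN entries, which is what decides the scope of
# a wildcard. It follows RFC 6125 section 6.4.3 with the restriction that
# browsers and public CAs enforce: "*" must be the entire left-most label.

def dns_name_matches(pattern: str, host: str) -> bool:
    """Return True if one SAN dNSName entry (plain or wildcard) covers host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host            # plain entry: exact match only
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False                      # partial wildcards (w*.example.com) are rejected
    suffix = pattern[2:]                  # "example.com" for "*.example.com"
    if "." not in suffix:
        return False                      # "*.com": public CAs never issue these
    head, sep, tail = host.partition(".")
    # "*" stands in for exactly one non-empty label, so the apex (no label
    # before the suffix) and deeper names (two or more labels) do not match.
    return bool(sep) and head != "" and "*" not in head and tail == suffix


def cert_covers(san_entries, host: str) -> bool:
    """True if any SAN entry of the certificate covers host."""
    return any(dns_name_matches(entry, host) for entry in san_entries)


# Constructed SAN list, the shape Let's Encrypt issues when the apex is
# requested alongside the wildcard.
SAN_ENTRIES = ("example.com", "*.example.com")

if __name__ == "__main__":
    for h in ("www.example.com", "example.com", "api.staging.example.com",
              "notexample.com", "WWW.Example.COM"):
        print(f"{h:26} covered={cert_covers(SAN_ENTRIES, h)}")
```

Running it shows that the apex is only covered because it is listed explicitly, and that api.staging.example.com is not covered at all, which is the case that most often surprises teams rolling out a wildcard.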


Advantages of Let’s Encrypt Wildcard Certificates

Certificate Management Simplification

  • Reduced Number of Certificates: A single certificate can cover all subdomains, eliminating the need to manage multiple certificates.
  • Automated Renewal: Issuance and renewal are performed automatically by the Azion platform, ensuring security isn’t compromised by unmanaged expirations.
  • Reduced Rate Limit Risks: Let’s Encrypt counts its main issuance limits per registered domain. One wildcard certificate covering many subdomains is a single issuance where per-subdomain certificates would be many, so the mechanism lowers the probability of hitting those limits.

Time and Resource Savings

  • Fewer Manual Configurations: Certificate consolidation makes configuration and maintenance simpler, freeing up IT team time to focus on other demands.
  • Cost Reduction: Obtaining and maintaining free Let’s Encrypt certificates eliminates costs associated with paid certificates and the administrative complexity of multiple renewals.

Scalability and Flexibility

  • Ease for Dynamic Environments: In scenarios where new subdomains are created frequently (for example, microservices or development/test environments), wildcard certificates offer the necessary flexibility to keep up with this evolution without requiring constant adjustments.
  • Integration with Azion Platform: Centralized certificate management, integrated with the Azion platform, enables rapid and secure deployment, plus renewal automation.

Automated Issuance on Azion Platform

On Azion, Let’s Encrypt certificate issuance is fully automated, using the DNS-01 challenge for domain validation. DNS-01 is the only validation method Let’s Encrypt accepts for wildcard names, so the customer must be able to publish TXT records in the zone. By choosing this solution, customers have native integration that eliminates the need for manual intervention in creating those DNS TXT records.

Automated Issuance Process

1. DNS Zone Configuration

For automatic issuance to work, the customer’s DNS zone must be configured and active in Azion Edge DNS. This configuration allows the platform to have full control over the DNS records needed for validation.

2. Validation via DNS-01 Challenge

During the issuance process, the Azion platform automatically generates the TXT record required for the DNS-01 challenge at the _acme-challenge name of the validated domain (for *.example.com, that is _acme-challenge.example.com). This entry is inserted into the DNS zone automatically, without requiring additional actions from the customer.

3. Certificate Issuance

With validation completed automatically, the wildcard certificate is issued and made available for use on all subdomains of the main domain. This centralized approach results in fewer certificate issuances, helping to reduce the risk of hitting Let’s Encrypt service issuance limits.
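What the platform computes and publishes in steps 2 and 3 is specified by the ACME protocol. The following added example (not Azion’s implementation, and not code from this page) performs the DNS-01 computation from RFC 8555 sections 8.1 and 8.4 and the account-key thumbprint from RFC 7638. It shows why a wildcard challenge lands at the base name and why an order for both example.com and *.example.com needs two TXT values under the same _acme-challenge name. The account key and tokens are constructed placeholders.

```python
# Added example (not Azion's implementation): the DNS-01 computation every ACME
# client performs, as specified in RFC 8555 sections 8.1 and 8.4 and RFC 7638.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members, keys in lexicographic
    order, no whitespace. Member insertion order in the input does not matter."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple:
    """Return (record name, TXT value) for one DNS-01 challenge.

    key authorization = token "." thumbprint(account key)
    TXT value         = base64url(SHA-256(key authorization))
    """
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    txt_value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    # A wildcard identifier is validated at its base domain: "*." is dropped,
    # so *.example.com and example.com both use _acme-challenge.example.com.
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}", txt_value


def records_for_order(identifiers, tokens, account_jwk) -> dict:
    """Group the TXT values an order needs by record name. Values that share a
    name must all be published at once; the CA looks for its own value among
    every TXT record returned for that name."""
    records = {}
    for identifier, token in zip(identifiers, tokens):
        name, value = dns01_record(identifier, token, account_jwk)
        records.setdefault(name, []).append(value)
    return records


# Constructed account key: a placeholder RSA public JWK, not a real key.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": b64url(bytes(range(1, 256))),   # placeholder modulus bytes, constructed
    "e": "AQAB",
}

if __name__ == "__main__":
    # Tokens are chosen by the CA per challenge; these two are constructed.
    order = records_for_order(["example.com", "*.example.com"],
                              ["tokenA_xxxxxxxx", "tokenB_yyyyyyyy"], ACCOUNT_JWK)
    for name, values in order.items():
        for v in values:
            print(f'{name}. IN TXT "{v}"')
```

The practical consequence for a self-managed setup is that the DNS client must add a record rather than overwrite one, and must clean up after validation so stale values do not accumulate; a platform that owns the zone, as described above, can handle both steps internally.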


Integration and Centralized Management

The Azion platform natively integrates certificate issuance and renewal, centralizing the entire process and providing more efficient management.

Complete Automation

Once the DNS zone is properly configured in Azion Edge DNS, management of the TXT records needed for the challenge is done automatically. This eliminates the need for manual manipulation and reduces configuration error risks.

Monitoring and Renewal

Azion performs continuous monitoring of issued certificates. When renewal approaches, the platform initiates the validation process again and automatically updates the certificate, ensuring connection security remains uninterrupted.

Reduced Issuances

By centralizing wildcard certificate issuance and management, the platform minimizes the number of different certificates generated, which in turn reduces the probability of hitting Let’s Encrypt issuance limits.

Deployment Ease

Integration with Azion’s management environment enables certificates to be easily associated with customer domains and subdomains, maintaining consistency and compliance with security policies.

Consult the guide on obtaining and registering a digital certificate

Security Risks and Precautions

While wildcard certificates offer significant convenience by protecting unlimited subdomains with a single certificate, it’s essential to understand the associated security risks and implement proper precautions.

Main Security Risks

1. Private Key Compromise (“Master Key”)

Risk: One private key stands behind every name the wildcard covers, so wherever that key is installed it is a single point of failure.

  • Lateral Movement: If the key has been copied to a lower-security server (like dev.example.com) and that server is compromised, the attacker now holds the same key that protects critical systems (payments.example.com, login.example.com).
  • Impersonation: With the private key and a position on the network path (for example through DNS or routing manipulation), an attacker can impersonate any existing subdomain or invent a new one under the wildcard, and browsers will accept the connection as genuine, facilitating phishing and man-in-the-middle attacks.

2. Violation of Least Privilege Principle

Risk: Distributing the same private key across multiple servers increases the attack surface.

  • Wide Distribution: The more servers using the same key, the higher the exposure risk.
  • Human Access: More administrators will have access to the key, increasing the probability of leakage through human error.

3. DNS-01 Validation Specific Risks

Risk: When renewal is automated outside the platform, the ACME client needs DNS provider API credentials, and those credentials usually sit on the renewing server.

  • Credential Exposure: If that server is compromised and the DNS API credentials aren’t scoped and protected, the attacker can not only pass DNS-01 challenges for new certificates but gain control over the whole domain.
  • DNS Control: Zone-level access allows traffic redirection and record manipulation, including records that have nothing to do with ACME.

4. Revocation Impact

Risk: Revoking a wildcard certificate affects every service that presents it at once.

  • General Disruption: Every subdomain served with that certificate must switch to a replacement at the same time, because clients that enforce revocation reject the old certificate immediately; the replacement must be issued before revoking.
  • Vulnerability Window: Rolling the replacement out across multiple servers takes time, and during that period some hosts still present a certificate whose key is known to be compromised.

Security Best Practices on Azion

To mitigate these risks when using wildcard certificates on the Azion platform:

1. Centralized Architecture

  • Edge Application: Use wildcard certificates only at the Azion Edge Application level, keeping the private key centralized in the edge infrastructure.
  • Reverse Proxy: Configure certificates at the load balancer or reverse proxy level, avoiding key distribution to origin servers.

2. Secure DNS Credential Management

  • Restricted Permissions: Configure DNS API credentials with minimal permissions, limited to creating and deleting TXT records at _acme-challenge names, with no ability to change A, AAAA, MX or NS records.
  • Regular Rotation: Implement periodic rotation of DNS API credentials.

3. Monitoring and Auditing

  • Certificate Transparency: Monitor public certificate transparency logs to detect unauthorized issuances.
  • Security Alerts: Configure alerts for unscheduled certificate changes.

4. Environment Segmentation

  • Specific Certificates for Production: Consider using individual certificates for critical production systems.
  • Development Isolation: Keep development environments with separate certificates.
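The Certificate Transparency recommendation under item 3 is only useful with a concrete rule set behind it: which issuers are expected and which names were actually requested. The following added example (not an Azion tool, and not code from this page) runs that detection logic over constructed CT-style entries, shaped like what a CT monitor returns. The policy values and the issuer DNs are assumed for illustration.

```python
# Added example (not an Azion tool): detection logic behind "monitor CT logs".
# It flags certificates for the monitored domain that were issued by a CA the
# operator does not use, or that contain names the operator never requested.
from dataclasses import dataclass


@dataclass(frozen=True)
class CtEntry:
    entry_id: str
    issuer: str          # issuer DN as the log reports it
    names: tuple         # SAN dNSName values of the (pre)certificate
    precert: bool        # precertificate and final certificate both get logged


# Expected state, as an operator would configure it (assumed values).
POLICY = {
    "monitored_domain": "example.com",
    "trusted_issuers": {"O=Let's Encrypt"},          # substring match on issuer DN
    "expected_names": {"example.com", "*.example.com"},
}


def _in_scope(name: str, domain: str) -> bool:
    """True if a SAN entry (plain or wildcard) falls under the monitored domain."""
    bare = name[2:] if name.startswith("*.") else name
    return bare == domain or bare.endswith("." + domain)


def audit_ct_entries(entries, policy) -> list:
    """Return (entry_id, reason) findings. Entries for other domains are ignored;
    precertificate/certificate pairs for the same names are reported once."""
    findings, seen = [], set()
    for e in entries:
        in_scope = [n for n in e.names if _in_scope(n, policy["monitored_domain"])]
        if not in_scope:
            continue
        key = (e.issuer, tuple(sorted(e.names)))
        if key in seen:
            continue                      # second half of a precert/cert pair
        seen.add(key)
        if not any(t in e.issuer for t in policy["trusted_issuers"]):
            findings.append((e.entry_id, f"issued by untrusted CA: {e.issuer}"))
        unexpected = sorted(set(in_scope) - policy["expected_names"])
        if unexpected:
            findings.append((e.entry_id, f"names never requested: {unexpected}"))
        foreign = [n for n in e.names if n not in in_scope]
        if foreign:
            findings.append((e.entry_id, f"our names mixed with foreign names: {foreign}"))
    return findings


# Constructed log entries (not real CT data). E1/E2 are the expected
# wildcard issuance as precert and final cert; E3, E4 and E6 are anomalies.
SAMPLE_ENTRIES = [
    CtEntry("E1", "C=US, O=Let's Encrypt, CN=R11", ("example.com", "*.example.com"), True),
    CtEntry("E2", "C=US, O=Let's Encrypt, CN=R11", ("example.com", "*.example.com"), False),
    CtEntry("E3", "C=US, O=Let's Encrypt, CN=R11", ("*.staging.example.com",), True),
    CtEntry("E4", "CN=Rogue Issuing CA, O=Not A Real CA", ("login.example.com",), True),
    CtEntry("E5", "C=US, O=Let's Encrypt, CN=R11", ("other.example.org",), True),
    CtEntry("E6", "C=US, O=Let's Encrypt, CN=R11", ("www.example.com", "attacker.example.net"), True),
]

if __name__ == "__main__":
    for entry_id, reason in audit_ct_entries(SAMPLE_ENTRIES, POLICY):
        print(f"ALERT {entry_id}: {reason}")
```

Treat every finding as an incident until explained: an unexpected wildcard such as *.staging.example.com means someone was able to pass a DNS-01 challenge for your zone, which points at the DNS credential risks described above rather than at the CA.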

Comparison: Wildcard vs. Individual Certificates

Characteristic            Wildcard Certificate               Individual Certificates
Convenience               High (one certificate for all)     Low (one certificate per service)
Security                  Concentrated risk                  Failure isolation
Key Management            Replicated key                     Unique key per service
Compromise Impact         Affects entire domain              Affects only one subdomain
Operational Complexity    Low                                High

Azion Recommendations

Azion recommends using wildcard certificates in scenarios where:

  • Centralized management is a priority
  • Subdomains are managed by the same team
  • A well-defined reverse proxy architecture exists
  • Security policies allow controlled key sharing

For environments with stricter security requirements, consider implementing individual certificates for critical systems, keeping wildcards only for lower-criticality services.


Final Considerations

Adopting Let’s Encrypt wildcard certificates, combined with Azion platform’s automated issuance, offers a robust and economical solution for simplifying certificate management. By integrating the DNS-01 challenge validation process with centralized DNS zone management in Azion Edge DNS, companies can achieve a more secure, efficient, and scalable infrastructure, minimizing manual interventions, optimizing resources, and reducing risks associated with Let’s Encrypt service issuance limits.


Frequently Asked Questions (FAQ)

Q1: What happens if the customer’s DNS zone isn’t configured in Azion Edge DNS?

A1: If the DNS zone isn’t active on the Azion platform, issuance automation won’t be possible and the validation process must be performed manually. It’s essential that the DNS zone is correctly configured to take advantage of automation.

Q2: How does automation ensure certificate security?

A2: Automated issuance eliminates the risk of manual failures in creating TXT records, ensuring that DNS-01 challenge validation is performed correctly and securely, maintaining the integrity of the renewal process.

Q3: How does automation reduce the risk of hitting Let’s Encrypt service limits?

A3: By using wildcard certificates to cover all subdomains, the Azion platform potentially generates fewer different certificates. This reduction in the number of issuances decreases the chance of exceeding limits imposed by the Let’s Encrypt service.

Q4: Can I track the status of certificate issuance and renewal?

A4: Yes, the Azion platform offers monitoring tools that allow you to track certificate issuance and renewal status through API and web console, facilitating the identification of possible problems and quick implementation of solutions.

Q5: How can I mitigate security risks when using wildcard certificates?

A5: To mitigate risks, use wildcard certificates only at the Azion Edge Application level, maintain DNS credentials with restricted permissions, monitor certificate transparency logs, and consider individual certificates for critical production systems. Azion’s centralized architecture helps reduce private key exposure.


This documentation was created to provide detailed understanding of how automated issuance of Let’s Encrypt wildcard certificates, integrated with the Azion platform, simplifies certificate management. By centralizing and automating the entire process, Azion enables companies to maintain secure and efficient infrastructure, reducing manual interventions and mitigating risks associated with issuance limits.