[eqvinox]

> I just put things under a subdomain of a domain I own

Yup, same here. Great in combination with ACME DNS-01 so your DNS server can request all those certificates and then push them out to your devices. (Otherwise the hostnames need to be externally accessible, which means either exposing the internal devices, or mucking around with split-view DNS. The former is a terrible idea, the latter is also DNS server complexity and worse than doing DNS-01 IMHO.)

[mdaniel]

IMHO if you are already doing some process of "push certificates out to devices," you'll likely be much happier with getting a wildcard cert using DNS-01 and change that update process from "all devices all the time according to their schedule" over to "all devices but once every 80 days"

I do appreciate the threat model of one device getting owned leaks all your certs but security is always a trade-off between security and convenience. It also lowers the load upon the LE servers, for what that's worth

[eqvinox]

Not sure everything updating at the same time is more "convenient" than staggered failures. For one, if multiple things break at the same time, it's easier to lock yourself out of things in more complicated ways. Also it's generally the first refresh that breaks, and everything at once only helps when you freshly roll out certs to a whole bunch of devices… if you add things incrementally (e.g. either because you finally get around to it, or you just bought something new) it makes no difference if it's all in the same cycle. Except now you have a wildcard cert floating around…