Advanced Certificate Management Strategies


Managing multiple domains and subdomains requires careful planning. A wildcard certificate covers every first-level subdomain (one label, so `*.example.com` matches `www.example.com` but not `a.b.example.com`) and can only be issued through the DNS-01 challenge:

# Obtain a wildcard certificate interactively: you must publish the _acme-challenge TXT
# record yourself, and again at every renewal, so this does not auto-renew
sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d example.com

# Using a DNS plugin for automatic validation (Cloudflare example); keep the
# credentials file mode 600, since it holds an API token that can edit your zone
sudo apt install python3-certbot-dns-cloudflare
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.cloudflare.ini -d "*.example.com" -d example.com

For multiple unrelated domains, request one certificate that lists each name as a Subject Alternative Name (SAN):

# Every listed name must resolve to this host and serve /.well-known/acme-challenge/
# from the webroot, or validation fails for the whole certificate
sudo certbot certonly --webroot -w /var/www/html \
  -d example.com \
  -d www.example.com \
  -d example.org \
  -d www.example.org

Certificate pinning can be implemented with HTTP Public Key Pinning (use with caution: a pin that matches no key you control locks returning clients out for the whole max-age):

# Apache HPKP (deprecated and no longer honored by current browsers, shown for reference only);
# each pin is the base64 SHA-256 of a public key's DER SubjectPublicKeyInfo, and RFC 7469
# requires a second, backup pin for a key that is kept offline
Header always set Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains"
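The two placeholder pins above have to be replaced with real SPKI hashes, and a header with a missing or wrong pin is exactly how sites locked themselves out. The following is an added example, not code from the original page: it computes the pin-sha256 value from a PEM public key (as printed by `openssl x509 -in cert.pem -pubkey -noout`) and checks a Public-Key-Pins value before it is deployed. The key bytes and the backup pin are constructed stand-ins.

```python
"""Compute RFC 7469 SPKI pins and sanity-check a Public-Key-Pins header value.
Stdlib only: the body of a PEM 'PUBLIC KEY' block is already the DER
SubjectPublicKeyInfo, so the pin is base64(sha256(base64decode(body))), the same
value `openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64` gives."""
import base64
import binascii
import hashlib
import re

# Constructed stand-in for `openssl x509 -pubkey -noout` output; the bytes are not
# a real key, the example only exercises the pin arithmetic on them.
SAMPLE_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEc29tZS1jb25zdHJ1Y3RlZC1ieXRl
cy1mb3ItdGhpcy1leGFtcGxl
-----END PUBLIC KEY-----"""
# Constructed pin for an (imaginary) offline backup key: base64 of 32 bytes of 0x42.
SAMPLE_BACKUP_PIN = "QkJC" * 10 + "QkI="


def spki_pin(pubkey_pem: str) -> str:
    """Return the pin-sha256 value for a PEM SubjectPublicKeyInfo."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----",
                  pubkey_pem, re.S)
    if not m:  # a CERTIFICATE block would hash the whole cert, which is the wrong pin
        raise ValueError("expected a 'PUBLIC KEY' PEM block, not a certificate")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return base64.b64encode(hashlib.sha256(der).digest()).decode()


def build_pkp_header(live_pin: str, backup_pin: str, max_age: int,
                     include_subdomains: bool = False) -> str:
    """Assemble a Public-Key-Pins value in the form used by the Apache directive."""
    value = f'pin-sha256="{live_pin}"; pin-sha256="{backup_pin}"; max-age={max_age}'
    return value + ("; includeSubDomains" if include_subdomains else "")


def check_pkp_header(value: str, live_pin: str) -> list:
    """Return the problems that would make this header unsafe to deploy (empty = ok).
    RFC 7469 requires at least two pins, one matching the served key; a header
    that matches no key you control locks returning clients out for max-age."""
    pins = re.findall(r'pin-sha256="([^"]*)"', value)
    problems = []
    if len(set(pins)) < 2:
        problems.append("fewer than two distinct pins (no backup pin)")
    if live_pin not in pins:
        problems.append("no pin matches the SPKI of the served key")
    if not re.search(r"max-age=\d+", value):
        problems.append("max-age directive missing")
    for p in pins:  # every pin must decode to a 32-byte SHA-256 digest
        try:
            ok = len(base64.b64decode(p, validate=True)) == 32
        except binascii.Error:
            ok = False
        if not ok:
            problems.append(f"pin {p!r} is not a base64 SHA-256 digest")
    return problems
```

Run `check_pkp_header` against the exact value you are about to put in the Apache config; the placeholder header from the snippet above fails on every pin.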