General question on certificate/sni

We’re running Pomerium and envision an eventual growth to support several hundred (URL) routes, each with its own unique certificate. Is there currently an upper limit on how many certificates/SNIs can be configured?

2 Likes

Great question! There’s only really one configuration where Pomerium itself is handling the certificate generation for your routes, and that’s if you use the autocert configuration, and any of the optional keys that may accompany it.

This is the only case where Pomerium will be managing certs directly. Even then Pomerium is not issuing them, it’s reaching out to Let’s Encrypt on your behalf. So in this scenario, the limits are really set by Let’s Encrypt. They have strict rate limits, so if you have a lot of certificates you should try to stagger their implementation.

Related, if you’re on Kubernetes and using our Ingress Controller with cert-manager, you’d be subject to the same rate limits.

Now, if you have your own certificate solution and you’re providing the certificates to Pomerium through the certificates key, there is, as far as I know, no limit to how many certificates you can provide. Of course, if you’re self-managing TLS for that many routes, you may want to consider consolidating with SAN certificates.

2 Likes
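An added illustration (not from the thread, and not Pomerium's own documentation) of the two modes the reply describes: a `certificates` list where one SAN certificate serves several routes, and the autocert alternative pointed at the Let's Encrypt staging endpoint while you validate the setup. Hostnames and file paths are placeholders; `cert_file`, `key_file`, `routes` and `autocert_use_staging` are Pomerium keys not mentioned in the thread, so confirm them against the docs for your version.

```yaml
# config.yaml (constructed example)
#
# Mode 1: self-managed certificates handed to Pomerium via `certificates`.
# Pomerium picks the certificate by SNI, so one SAN cert covering
# app1 and app2 serves both routes; legacy keeps its own cert.
certificates:
  - cert_file: /etc/pomerium/tls/apps-san.crt   # placeholder path; SANs: app1.example.com, app2.example.com
    key_file: /etc/pomerium/tls/apps-san.key
  - cert_file: /etc/pomerium/tls/legacy.crt     # placeholder path; single-host cert
    key_file: /etc/pomerium/tls/legacy.key

routes:
  # access policy omitted for brevity; add your usual allow rules per route
  - from: https://app1.example.com
    to: http://app1.internal:8080
  - from: https://app2.example.com
    to: http://app2.internal:8080
  - from: https://legacy.example.com
    to: http://legacy.internal:8080

# Mode 2 (alternative to the `certificates` block above): let Pomerium
# obtain certificates from Let's Encrypt. Production issuance is subject
# to Let's Encrypt rate limits, so roll routes out in batches; the staging
# endpoint has far looser limits and is the place to shake out config errors.
#
# autocert: true
# autocert_use_staging: true   # disable once the route set is stable
```

Before loading a SAN certificate, confirm it actually lists every route hostname, e.g. `openssl x509 -in apps-san.crt -noout -ext subjectAltName`; a name missing from the SAN list falls through to whatever default certificate Pomerium serves.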