Let's Encrypt and EV certificates for different hosts in the same domain

It is possible to have multiple certificates from different vendors for different parts of the domain and even have overlapping certificates, i.e. multiple certificates which could be used to authenticate the same domain.

Browsers actually only care that a specific certificate is valid for the specific domain it is used on and don't care if the same certificate could also be used for other domains. They also only care that all content is served over HTTPS (i.e. no mixed content) but don't care if some content is served with an EV certificate while other content is served with a DV certificate only.

Apart from that, I recommend reading "Extended Validation Certificates are Dead" to get a better opinion on whether EV certificates are worth their money at all.


Yes you can, with some caveats.

Normally, Let's Encrypt certificates are valid for a single FQDN. So you can create a domain-identified only (DV) certificate for static.example.com and an EV-identified certificate for your root domain.

Note that another consideration applies when using wildcard certificates and some multi-domain certificates. Some CAs (including Let's Encrypt) may issue a wildcard that will also be valid for the root domain because the CA may automatically add the root to the SAN (subject alternative name) even if you don't explicitly list your root domain when requesting the certificate (the CA can do this since the wildcard certificate verification method requires that you demonstrate control/ownership of the domain's DNS). Check the SAN field of the certificate to be sure that your certificates are covering exactly what you expected and no more.

A couple of security notes though: be careful of server settings that may apply to all subdomains, like certain cookies and HSTS config.
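
The SAN check suggested above, as an added example that is not part of either answer: it compares the SAN list of each certificate against the hostnames that certificate is meant to serve and reports overlap or gaps. The function names, the certificate labels and the sample SAN lists are constructed for illustration; `fetch_sans` reads the list from a live server using Python's standard `ssl` module.

```python
import socket
import ssl


def fetch_sans(host, port=443, timeout=5):
    """Return the DNS names in the SAN field of the certificate served at host:port."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_matches(pattern, host):
    """RFC 6125-style match: '*' must be the entire leftmost label and spans one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or h[0] == "":
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def audit(certs, intended):
    """certs: label -> SAN list. intended: hostname -> label of the cert meant for it.
    Returns (host, label, problem) tuples; problem is 'missing' or 'unexpected'."""
    findings = []
    for host, want in intended.items():
        for label, sans in certs.items():
            covered = any(san_matches(s, host) for s in sans)
            if label == want and not covered:
                findings.append((host, label, "missing"))
            elif label != want and covered:
                findings.append((host, label, "unexpected"))
    return findings


# Constructed sample data: SAN lists as they would be read from two certificates.
SAMPLE_CERTS = {
    "ev": ["example.com", "www.example.com"],
    "dv-wildcard": ["*.example.com", "example.com"],  # root listed next to the wildcard
}
SAMPLE_INTENDED = {
    "example.com": "ev",
    "www.example.com": "ev",
    "static.example.com": "dv-wildcard",
}

if __name__ == "__main__":
    for host, label, problem in audit(SAMPLE_CERTS, SAMPLE_INTENDED):
        print(f"{host}: {problem} coverage by certificate '{label}'")
```

With the sample data, the wildcard DV certificate is flagged as also valid for `example.com` and `www.example.com`, the two hosts intended for the EV certificate.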