With the advent of easy, free Let's Encrypt certs and IE8 not being a problem anymore, I'm planning on enabling SSL on an Apache server with thousands of host names. Does Apache scale? Switching Apache to something else is not an option at this point.
My first tests indicate that service apache restart and actually serving pages are quick with a few thousand self-created certs and their intermediates.
Are there some caveats I should be aware of? I'm worried that a possible scaling bottleneck would only come in actual production, when it's a bit late to roll-back to a "no, we don't have such certs" situation.
PS. Are there no shortcuts to generating a conf file with a list of <VirtualHost> ... CertificateFile (besides mod_macro)? I'm thinking of something like a "Just find all the certs in /etc/letsencrypt/live/" directive.
While there are limits, you can use a multi-site certificate (a certificate with alternate names). Multiple sites can use the multi-site certificate. This is well supported by Let's Encrypt.
Each site using SSL needs to be linked with the appropriate certificate. If all sites use the same certificate, it can be configured in the global configuration rather than on a per site basis.
If you have multiple certificates on a single IP address, clients that don't support SNI may run into issues with the certificate name depending on which site they connect to.
While you can have a directory containing certificates you trust, there is no mechanism to select a certificate from a list of certificates. I have never seen a tool that allows this.
You may be able to write a script that reads the site(s) a certificate supports and updates the appropriate site configuration(s) with the location of that certificate. This would likely be simpler if you use an include directory to configure your sites. (Debian/Ubuntu use a sites-enabled directory to activate sites which are defined in a sites-available directory.) A good naming standard would make this simpler, but the required data should be in the Apache virtual host definition.
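The script the answer sketches, and the "just find all the certs in /etc/letsencrypt/live/" shortcut the question asks for, as an added example that is not part of the answer or of any Apache or certbot tooling. It assumes certbot's default layout (`/etc/letsencrypt/live/<lineage>/fullchain.pem` and `privkey.pem`), `openssl` on the PATH to read each certificate's Subject Alternative Names, an Apache 2.4.8 or later where `SSLCertificateFile` may hold the leaf followed by its intermediates, and a hypothetical `/var/www/<hostname>` document-root layout. The `openssl` output embedded below is constructed so the generator runs offline; on a real server `scan_live_dir()` produces the same mapping from the live directory. It also handles two points from the thread: the first `<VirtualHost>` on an address:port is what non-SNI clients receive, so it is chosen explicitly instead of by directory order, and a hostname that appears in more than one certificate is refused rather than silently served by whichever VirtualHost comes first.

```python
#!/usr/bin/env python3
"""Generate one Apache <VirtualHost *:443> per Let's Encrypt lineage.

Assumptions (not from the original thread): certbot's default layout
/etc/letsencrypt/live/<lineage>/{fullchain,privkey}.pem, an include directory
such as /etc/apache2/sites-enabled/ to write the output into, and Apache >= 2.4.8,
where SSLCertificateFile may hold the leaf certificate followed by its chain.
"""
from __future__ import annotations

import re
import subprocess
from pathlib import Path

LIVE_DIR = "/etc/letsencrypt/live"          # certbot default; hypothetical here
SAN_RE = re.compile(r"DNS:([A-Za-z0-9.*-]+)")


def san_hostnames(san_text: str) -> list[str]:
    """Pull the DNS names out of the text printed by
    `openssl x509 -noout -ext subjectAltName -in fullchain.pem`."""
    return SAN_RE.findall(san_text)


def read_san(cert_path: Path) -> str:
    """Run openssl against a real certificate file (needs openssl on PATH)."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-ext", "subjectAltName", "-in", str(cert_path)],
        check=True, capture_output=True, text=True)
    return result.stdout


def vhost_block(lineage: str, hostnames: list[str], live_dir: str = LIVE_DIR) -> str:
    """Render one VirtualHost. ServerName must be a concrete host, so the first
    non-wildcard SAN is used; wildcard SANs only ever go into ServerAlias."""
    concrete = [h for h in hostnames if not h.startswith("*")]
    if not concrete:
        raise ValueError(f"{lineage}: no non-wildcard DNS name for ServerName")
    server_name = concrete[0]
    aliases = [h for h in hostnames if h != server_name]
    lines = ["<VirtualHost *:443>", f"    ServerName {server_name}"]
    if aliases:
        lines.append("    ServerAlias " + " ".join(aliases))
    lines += [
        "    SSLEngine on",
        f"    SSLCertificateFile {live_dir}/{lineage}/fullchain.pem",
        f"    SSLCertificateKeyFile {live_dir}/{lineage}/privkey.pem",
        f"    DocumentRoot /var/www/{server_name}",   # hypothetical docroot layout
        "</VirtualHost>",
    ]
    return "\n".join(lines) + "\n"


def duplicate_hostnames(lineages: dict[str, list[str]]) -> dict[str, list[str]]:
    """Hostnames claimed by more than one certificate: Apache would quietly serve
    the first matching VirtualHost, so surface these before deploying."""
    seen: dict[str, list[str]] = {}
    for lineage, names in lineages.items():
        for name in names:
            seen.setdefault(name, []).append(lineage)
    return {n: ls for n, ls in seen.items() if len(ls) > 1}


def render_config(lineages: dict[str, list[str]], default_lineage: str,
                  live_dir: str = LIVE_DIR) -> str:
    """Emit every VirtualHost, default first. The first <VirtualHost> for an
    address:port is what clients without SNI get, so pick it on purpose."""
    if default_lineage not in lineages:
        raise KeyError(default_lineage)
    dupes = duplicate_hostnames(lineages)
    if dupes:
        raise ValueError(f"hostname(s) present in several certificates: {dupes}")
    order = [default_lineage] + sorted(l for l in lineages if l != default_lineage)
    return "\n".join(vhost_block(l, lineages[l], live_dir) for l in order)


def scan_live_dir(live_dir: str = LIVE_DIR) -> dict[str, list[str]]:
    """The "just find all the certs" step: one entry per lineage directory."""
    result: dict[str, list[str]] = {}
    for d in sorted(Path(live_dir).iterdir()):
        cert = d / "fullchain.pem"
        if cert.is_file():
            result[d.name] = san_hostnames(read_san(cert))
    return result


# Constructed sample: what openssl prints for two hypothetical lineages.
SAMPLE_SAN = {
    "example.com": "X509v3 Subject Alternative Name: \n    DNS:example.com, DNS:www.example.com\n",
    "shop.example.net": "X509v3 Subject Alternative Name: \n    DNS:*.example.net, DNS:shop.example.net\n",
}


def demo() -> str:
    """Offline run over the constructed sample; on a server use scan_live_dir()."""
    lineages = {k: san_hostnames(v) for k, v in SAMPLE_SAN.items()}
    return render_config(lineages, default_lineage="example.com")


if __name__ == "__main__":
    print(demo())
```

Writing the output to one file in the include directory keeps the generated VirtualHosts separate from hand-maintained ones, and running `apachectl configtest` before reloading catches a lineage whose key or chain file has gone missing since the last run.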