> Then use a wildcard so none of leaks into cert transparency logs
You now also have to build infrastructure to distribute the wildcard from (presumably) central place where you generate it to all the different places where it is desired.
And hope the wildcard's private key does not leak from one of myriad of places it now lives.
well, I configure my services te request their own wildcard certs from a caching proxy acme to letsencrypt. Easy peasy.
I have a few Traefik instances that request wildcards independently of each other. Each with the same config, per server.
Leaking is an issue but we're talking about internal services too.