Is it a problem to run pihole on an existing webserver (nginx) that already uses SSL on port 443?

Out of curiosity, I tried:

$ openssl x509 -in pi.hole.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            dc:cc:ae:cc:ac:d9:ee:32
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = MN, L = Minneapolis, OU = Domain Control Validated, CN = noads.dehakkelaar.nl
        Validity
            Not Before: Jan 10 19:32:10 2018 GMT
            Not After : Jan  8 19:32:10 2028 GMT
        Subject: C = US, ST = MN, L = Minneapolis, OU = Domain Control Validated, CN = noads.dehakkelaar.nl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d3:8e:d0:ca:1d:28:80:1b:b0:6a:1c:11:6e:c3:
                    14:d7:55:e2:36:dd:5a:81:31:1a:fc:fb:6c:d4:6d:
                    63:2d:73:5e:2e:95:88:cf:9d:2f:71:3e:5d:a5:0c:
                    1d:89:42:1a:a5:9c:1c:a8:b4:fc:2e:d4:2b:13:35:
                    8d:ca:9d:3d:37:c2:c6:47:c5:69:df:f9:55:81:38:
                    59:71:96:a2:8b:7b:db:2b:8b:91:22:fd:f7:67:aa:
                    c0:c5:10:37:b8:6d:10:de:4b:83:33:ec:67:0a:4b:
                    66:44:d3:a0:43:52:ae:22:c4:0a:68:ee:ea:04:7f:
                    32:ae:d0:33:63:b2:ff:48:af:a6:44:57:bd:2a:7a:
                    35:ba:28:c7:c9:9a:9b:68:17:7e:04:50:dd:ad:f2:
                    93:a4:4f:f9:cc:94:de:ea:d8:00:c1:a3:d1:6d:bc:
                    e0:55:cb:e6:8a:f2:0d:32:3c:0f:18:06:ef:ad:2f:
                    87:7d:70:f5:0f:ae:7a:91:6a:cf:95:77:ab:37:24:
                    ed:39:74:bb:89:12:46:1d:26:38:c2:b2:0d:a7:0a:
                    1c:7c:3c:55:14:f3:e4:2c:d0:b7:ed:8c:96:51:4d:
                    b5:34:e9:a6:74:0e:d6:1e:3c:91:32:be:eb:4c:9f:
                    a4:9a:51:1b:3a:02:22:7d:75:4c:60:fe:0b:89:ab:
                    4f:79
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:pi.hole, DNS:0.0.0.0, DNS:0000mps.webpreview.dsl.net, DNS:0001.2waky.com, DNS:000dom.revenuedirect.com, DNS:000free.us, DNS:000info.com, DNS:000owamail0.000webhostapp.com, DNS:000security-center00.000webhostapp.com, DNS:001wen.com, DNS:005.free-counter.co.uk, DNS:006.free-adult-counters.x-xtra.com, DNS:006.free-counter.co.uk, DNS:006.freecounters.co.uk, DNS:0075-7112-e7eb-f9b9.reporo.net, DNS:007angels.com,
.
.
.
DNS:zyski-z-innowacji.pl, DNS:zytpirwai.net, DNS:zyv.tiziana.ru, DNS:zy.zeroredirect1.com, DNS:zzbroya.com.ua, DNS:zz.cqcounter.com, DNS:zzdsfy.com, DNS:z.zedo.com, DNS:z.zeroredirect1.com, DNS:z.zeroredirect2.com, DNS:z.zeroredirect.com, DNS:zzha.net, DNS:zzhomes.com, DNS:z-ziraatmobil.xyz, DNS:zzmyw.com, DNS:zzpxw.cn, DNS:zzqrt.com, DNS:zzqwaxxybf.info, DNS:zzshw.net, DNS:zzsyw.com, DNS:zztxdown.com, DNS:zzz.clickbank.net, DNS:zz.zeroredirect1.com
    Signature Algorithm: sha256WithRSAEncryption
         38:b4:e8:45:ee:f6:e2:18:fa:aa:2d:37:37:36:4c:c8:fd:d7:
         3a:4b:a2:2f:88:c6:dc:ec:7f:92:74:1a:ea:12:0a:6d:ef:89:
         da:6a:6e:78:6f:29:86:b5:56:96:f7:f0:4b:b3:41:95:d5:83:
         eb:0d:1b:20:1e:43:8e:6f:ab:78:e7:c4:7d:a0:b4:ff:21:fb:
         af:39:00:ca:3c:73:30:10:d5:cc:05:8e:05:ea:7e:24:17:6e:
         18:1b:0b:f4:43:69:3f:a9:b2:31:9d:3b:05:d0:34:cf:ee:79:
         2d:a1:3b:e1:37:3c:da:f8:f8:32:6b:71:64:e4:d2:bf:7b:e2:
         60:7f:50:33:2f:0e:ce:cc:2d:33:87:bb:03:41:e4:d7:80:da:
         a9:1f:f6:10:cc:e1:1e:cd:26:e3:96:a7:bb:de:6a:db:23:ac:
         a9:23:39:b5:db:63:9f:ae:5f:14:1a:fa:d7:d4:46:5b:81:d9:
         10:53:86:42:ee:2d:ee:f7:40:26:32:a4:a1:0a:70:91:c8:91:
         bf:bd:6d:66:43:64:4d:d0:c2:ad:6d:de:0c:4b:ed:eb:b7:95:
         8c:cc:0a:df:df:fe:9e:75:86:81:82:75:1a:6e:33:24:0b:3e:
         e7:08:ed:a6:7f:e3:df:01:a7:bb:e3:6a:a9:08:7e:1d:72:a7:
         c5:96:78:10

If I add a few alternative names I can get it to work, but as soon as I add all 100k domains:

$ echo | openssl s_client -connect pi.hole:443 2>/dev/null | openssl x509 -text -noout
unable to load certificate
1995384224:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE

And a browser gives me "SSL_ERROR_RX_MALFORMED_HANDSHAKE".

The pem is a bulky 3.4MB:

 $ ll -h pi.hole.*
-rw-r--r-- 1 pi       pi 3.4M Jan 10 20:32 pi.hole.crt
-rw-r--r-- 1 pi       pi 3.4M Jan 10 20:31 pi.hole.csr
-rw------- 1 pi       pi 1.7K Jan 10 20:31 pi.hole.key
-rw-r--r-- 1 www-data pi 3.4M Jan 10 20:32 pi.hole.pem

With only a few alternative names, I got the cert presented but of course a browser warning because it isn't trusted :wink:
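
For scale, here is an added example (not part of the original post) that DER-encodes a subjectAltName extension and measures how it grows with the number of DNS names. It compares the result with the 100 kB default that OpenSSL documents for `SSL_CTX_set_max_cert_list`. The hostnames are constructed, and the figures cover the SAN extension alone, so a full certificate is slightly larger.

```python
# Added example: size of a subjectAltName extension as the DNS name count grows.
OPENSSL_MAX_CERT_LIST = 100 * 1024  # default documented for SSL_CTX_set_max_cert_list

def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content

def san_extension(names):
    """DER encoding of an Extension carrying subjectAltName with dNSName entries."""
    general_names = b"".join(tlv(0x82, n.encode("ascii")) for n in names)
    ext_value = tlv(0x04, tlv(0x30, general_names))   # OCTET STRING { SEQUENCE }
    ext_oid = tlv(0x06, bytes([0x55, 0x1D, 0x11]))    # id-ce-subjectAltName 2.5.29.17
    return tlv(0x30, ext_oid + ext_value)

def pem_size(der_size):
    """Bytes of base64 text (64-char lines) for der_size bytes, armor lines excluded."""
    b64 = 4 * ((der_size + 2) // 3)
    return b64 + (b64 + 63) // 64

def names_that_fit(names, limit=OPENSSL_MAX_CERT_LIST):
    """Largest k such that the extension for names[:k] is at most limit bytes."""
    lo, hi = 0, len(names)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if len(san_extension(names[:mid])) <= limit:
            lo = mid
        else:
            hi = mid - 1
    return lo

def constructed_names(count):
    """Constructed 21-character hostnames standing in for a blocklist."""
    return ["ads%06d.example.net" % i for i in range(count)]

if __name__ == "__main__":
    names = constructed_names(100_000)
    der = len(san_extension(names))
    print("SAN extension DER bytes:", der)
    print("approx. PEM body bytes:", pem_size(der))
    print("names fitting in 100 KiB:", names_that_fit(names))
```
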