And use a wildcard cert so that all your services don't get proved due to cert transparency logs.