I usually get a cert for my public domain (root and usually with www. as a Subject Alternate Name (SAN)) and if I'm going to use subdomains I don't intend to become widely public, I'll add a wildcard SAN of *.example.com so I don't have to expose subdomains in transparency logs.
There's some security downside there if my web servers get hacked and my certs exfiltrated, but for a lot of stuff that tradeoff seems reasonable. I wouldn't recommend this approach if you were a bank or a government security agency or a drug cartel.