2 SSL Certs for the same domain

I have a question regarding a domain with a Letsencrypt Cert which we want to put behind Akamai.

Is it possible to have a second Letsencrypt Certificate for the same Domain (they need to have their own private Key), temporarily or even permanently?
If it's possible, are there restrictions on domain validation (HTTP token / DNS token / URL redirect)?

You can process up to 5 identical certificates per week.

2 Likes

So does this mean you can have the certificates for the same domain active for 1 week and after 1 week the "old" cert is revoked by Letsencrypt, or can you have the certificates for the same domain active till the expiration date of the certificate?

1 Like

You can have multiple active certificates, as long as you stay within the rate limits. Revocation only happens if you request it, or if there is some larger incident on the Let's Encrypt side (like these ones) meaning that they weren't supposed to issue that cert at all.

2 Likes

Jonathan and Peter, thank you for the quick response and the help.
Last question, can I use any of the domain validation methods for the certificates, or are there restrictions when you have certs for the same domain?

2 Likes

The only restriction between the possible challenges and hostnames in a certificate is that a wildcard certificate requires the dns-01 challenge. No other restrictions apply.

3 Likes

Just clarifying @petercooperjr's response:

The 5 Duplicate Certificates Per Week is an API Rate Limit, based on a 7 day rolling window. The Certificates are not revoked and have 90 day expiries - so you can conceivably request 5 identical Certificates every week within those 90 days and they are all active.

Doing that, however, is generally an anti-pattern. You should re-use Certificates across servers whenever possible.

Can you share more details about this need? I didn't really think of this before, but this is generally odd and there might be an anti-pattern involved in your use-case we can help you get past. There aren't many situations where someone would need to have 2 active identical Certificates with different keys - but there are some edge cases where it is definitely necessary.

3 Likes
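To make the "5 duplicate certificates per 7-day rolling window, 90-day lifetime, nothing revoked" behaviour described above concrete, here is an added example that models it (this is illustrative code written for this thread, not Let's Encrypt's implementation; the limit values come from the post above and the issuance log is constructed):

```python
"""Rolling-window model of the duplicate-certificate rate limit described above:
5 identical certificates per 7-day window, each valid 90 days, none revoked.
Added illustrative example, not Let's Encrypt's code; the log is constructed."""
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5            # identical certs allowed per rolling window (from the thread)
WINDOW = timedelta(days=7)     # rolling window length (from the thread)
LIFETIME = timedelta(days=90)  # certificate validity (from the thread)


def cert_key(names):
    """Two certificates are 'identical' when they cover the same set of hostnames."""
    return frozenset(n.lower().rstrip(".") for n in names)


def issued_in_window(log, names, at):
    """Timestamps of identical certs issued in the window ending at `at`."""
    key = cert_key(names)
    return [t for t, n in log if cert_key(n) == key and at - WINDOW < t <= at]


def can_issue(log, names, at):
    """True if one more identical certificate fits under the limit at time `at`."""
    return len(issued_in_window(log, names, at)) < DUPLICATE_LIMIT


def active_certs(log, names, at):
    """Identical certs that are still within their lifetime at time `at`
    (nothing is revoked, so every issued cert stays active for 90 days)."""
    key = cert_key(names)
    return [t for t, n in log if cert_key(n) == key and t <= at < t + LIFETIME]


def simulate(requests):
    """Replay (timestamp, names) requests in time order.

    Returns (log, decisions): the log of issued certs and one boolean per
    request saying whether it was issued or refused by the rate limit."""
    log, decisions = [], []
    for at, names in sorted(requests, key=lambda r: r[0]):
        ok = can_issue(log, names, at)
        decisions.append(ok)
        if ok:
            log.append((at, names))
    return log, decisions


# Constructed scenario: seven back-to-back requests for one name set on day 0,
# one more on day 8, and one request for a different (non-identical) name set.
DAY0 = datetime(2024, 1, 1)


def day(n, hours=0):
    """Helper: timestamp n days (and optional hours) after the constructed day 0."""
    return DAY0 + timedelta(days=n, hours=hours)


SAME = ["example.com", "www.example.com"]
OTHER = ["example.com"]  # different name set -> its own separate limit
REQUESTS = [(day(0, h), SAME) for h in range(7)]
REQUESTS += [(day(8), SAME), (day(0, 3), OTHER)]

LOG, DECISIONS = simulate(REQUESTS)

if __name__ == "__main__":
    for (at, names), ok in zip(sorted(REQUESTS, key=lambda r: r[0]), DECISIONS):
        print(at, sorted(names), "issued" if ok else "REFUSED (rate limit)")
    print("active identical certs on day 8:", len(active_certs(LOG, SAME, day(8))))
    print("active identical certs on day 95:", len(active_certs(LOG, SAME, day(95))))
```

Running it shows the sixth and seventh same-day requests refused, the day-8 request issued because the window has rolled past day 0, six identical certificates all active on day 8, and only the day-8 one left on day 95. The `OTHER` request is not counted against the `SAME` limit because the hostname set differs, which is exactly why "identical" matters in the limit's definition.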

On the Akamai CDN/DDOS platform, when generating the CSR you can't download the private key. This is maintained within the Akamai Platform. You also can't upload a Private Key if you generated the CSR somewhere else. So the only possibility in this case is to have 2 certificates for the same domain. We put Akamai in front of websites to protect them against DDOS attacks. The easiest way to set this up is to forward the request to the website with the same domain name. This requires having 2 certificates with the same domain name active, one on Akamai and the other on the website.

2 Likes

Ah, okay. You're also using Akamai for DNS and routing too, right? (e.g. a client may be served from their edge network or your origin depending on their location).

I haven't used Akamai in a while, but assuming you plan on submitting their CSR to LetsEncrypt for issuance, I suggest looking into ACME-DNS (GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.). If you haven't heard of it, it's an API-based DNS system designed to complete LetsEncrypt authorizations. After zone setup, you delegate your _acme-challenge records to the acme-dns server, and it automates most of the process. This lets you run Certbot, or another ACME client, on an office computer to obtain the Certificate -- which you can then deploy onto Akamai (or your servers) manually or through scripting.

3 Likes

Presuming that Akamai isn't also issuing LE certs via DNS-01 authentication.
[or they would both be fighting over the same TXT record]

Note: I don't use Akamai nor do I have any knowledge of whether they issue LE certs at all.
Nevertheless, a potential conflict might exist.

2 Likes

Why? Usually, it's perfectly possible to have multiple TXT records for the same hostname.

Not when one of them needs that record to be a CNAME - LOL

1 Like

That could be a problem indeed.

1 Like
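The conflict the last few posts circle around is a DNS rule rather than an ACME one: a CNAME (such as the acme-dns delegation of `_acme-challenge`) cannot share its owner name with any other record, so a second issuer writing TXT tokens at the same name would collide with it, while several TXT records at a plain name coexist fine. This added example (not code from the thread or from acme-dns; the zone data is constructed, and the acme-dns subdomain label is a placeholder) checks a zone's `_acme-challenge` names for that collision and follows the CNAME chain to where a validation token would actually have to be published:

```python
"""Check _acme-challenge names for a CNAME/TXT collision and follow the
delegation chain to the owner name where a TXT token must be published.
Added illustrative example; the zone records below are constructed."""

ACME_LABEL = "_acme-challenge."


def norm(name):
    """Canonical form: lower-case, fully qualified with a trailing dot."""
    return name.lower().rstrip(".") + "."


def find_cname_conflicts(records):
    """Owner names holding a CNAME alongside any other record type.

    RFC 1034 section 3.6.2: a CNAME must be the only data at its owner name, so
    such a name is the 'fighting over the same record' case from the thread."""
    by_name = {}
    for name, rtype, _ in records:
        by_name.setdefault(norm(name), set()).add(rtype.upper())
    return sorted(n for n, types in by_name.items() if "CNAME" in types and len(types) > 1)


def acme_challenge_names(records):
    """All _acme-challenge owner names present in the zone."""
    return sorted({norm(n) for n, _, _ in records if norm(n).startswith(ACME_LABEL)})


def publish_target(records, name, max_hops=8):
    """Follow CNAMEs from `name` to the owner where a TXT token must live.

    With acme-dns delegation this ends on the acme-dns host; without a CNAME it
    is the name itself. Loops and over-long chains raise ValueError."""
    cur, seen = norm(name), set()
    for _ in range(max_hops):
        if cur in seen:
            raise ValueError(f"CNAME loop at {cur}")
        seen.add(cur)
        targets = [norm(d) for n, t, d in records if norm(n) == cur and t.upper() == "CNAME"]
        if not targets:
            return cur
        cur = targets[0]
    raise ValueError(f"CNAME chain from {norm(name)} exceeds {max_hops} hops")


def chain_is_valid(records, name):
    """True if the CNAME chain from `name` terminates without a loop."""
    try:
        publish_target(records, name)
        return True
    except ValueError:
        return False


def txt_tokens(records, name):
    """TXT values a validator would see for `name` after following CNAMEs."""
    target = publish_target(records, name)
    return sorted(d for n, t, d in records if norm(n) == target and t.upper() == "TXT")


# Constructed zone. The acme-dns label "1234abcd" is a placeholder, not a real account.
ZONE = [
    ("_acme-challenge.example.com", "CNAME", "1234abcd.auth.acme-dns.example.net"),
    ("_acme-challenge.example.com", "TXT", "token-from-another-issuer"),   # collides with the CNAME
    ("1234abcd.auth.acme-dns.example.net", "TXT", "token-from-acme-dns"),
    ("_acme-challenge.www.example.com", "TXT", "tokenA"),                 # two TXT at one name
    ("_acme-challenge.www.example.com", "TXT", "tokenB"),                 # is perfectly fine
    ("example.com", "A", "192.0.2.10"),
]

# Constructed loop, to show the chain guard.
LOOP = [("a.example", "CNAME", "b.example"), ("b.example", "CNAME", "a.example")]

if __name__ == "__main__":
    print("conflicts:", find_cname_conflicts(ZONE))
    for n in acme_challenge_names(ZONE):
        print(n, "->", publish_target(ZONE, n), txt_tokens(ZONE, n))
    print("loop chain valid:", chain_is_valid(LOOP, "a.example"))
```

The output flags `_acme-challenge.example.com.` as the conflicting name, shows its token must be published on the acme-dns host rather than in the zone itself, and shows `_acme-challenge.www.example.com.` serving both TXT values without trouble, which is the distinction between the "multiple TXT records are fine" and "not when one of them needs to be a CNAME" replies.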