Add domain to csr-created UCC/SAN-cert

Hi!

I've started up using Let’s Encrypt certs for my portal, which has an expanding number of domain name aliases. When I started up, I read up on the different options for Certbot. I chose between standalone mode and webroot, but went with standalone to start with, since the portal is proxied through a pair of Apache servers.

Since then I’ve begun to set up ProxyPass for the .well-known calls from both proxies to a separate Apache server to be able to use webroot instead.

When I did the first certificate, I used a csr, since I had a list of ~60 domain names for the portal. Now though, I’d like to do two things:

  1. Add a new domain to the SAN cert

  2. Set up automation for the renewal.

I don’t have root on the Apache server, but I do have full write access to a folder which is read by Apache with Includedir (for vhost entries and other configuration), as well as /var/www/html (the web root).

I’m basically stuck at the step of extending my current certificate. All documentation I can find speaks about how to extend a certificate where I’ve given all the domains on the command line.

  • Is there a way to extend a csr-created certificate?

I also have some questions for the automation.

  • When certbot has renewed a certificate, how long do I have to replace the old one, if the cert-bot machine is different from the outward facing servers?

  • Is the old certificate invalidated immediately or does it expire gracefully so I have a day at least to replace the certificates on the proxies?

regards
Niklas

Please fill out the fields below so we can help you better.

My domain is: multiple domains

My operating system is (include version): CentOS 6

My web server is (include version): Apache 2.4.6

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Certbot’s “expand” feature only really makes sense in scenarios where Certbot is managing the lifecycle of the certificates and making its own CSRs rather than using ones supplied by you. “Expand” really behind the scenes means basically “Go get a completely new certificate, but ensure the file naming is the same as for the old certificate so that it doesn’t change any of my configuration”.

With your current practice Certbot takes no interest in the lineage of certificates, it takes one CSR, it helps Let’s Encrypt validate your control over the names requested, and gives back a working certificate. So, to switch to a system where Certbot manages everything it would be best to start over. Expanded certificates aren’t different from ordinary ones in any way, in fact Let’s Encrypt the actual service has no idea what “expand” even is, only the Certbot client tool uses this nomenclature - as far as Let’s Encrypt is concerned, every single certificate it issues is completely fresh and independent of all the other certificates it’s issued.

Some people have to use a CSR because they have an appliance and can’t change the private keys inside it. The appliance gives them a CSR, they supply it to Certbot, and that’s the only way they can work. Since you can just change the private key files for Apache, it probably makes sense to use Certbot in its more normal and readily automated mode. Having previously used CSRs won’t interfere with this at all.

Now, on your other questions: Let’s Encrypt will not automatically mark old certificates as superseded when you request new ones. Without further action, the old certificates will remain valid until they would naturally expire. So, if you renew all certificates 30 days before they’d expire (as Certbot will by default if it’s managing everything and asked to do any “renewing” once a day) then you have 30 days to solve any validation problems and deploy new certificates. If you choose instead to renew only 7 days before expiry, you’ll have 7 days.
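One practical check for the deployment window described in the answer above, as an added example that is not from the thread: it parses the `serial`/`notAfter` lines that `openssl x509 -noout -serial -enddate` prints for the certificate on the Certbot host and for the one each proxy serves (the sample lines, serials and dates here are constructed), and reports whether a proxy is still serving the superseded certificate and how many days remain before that old certificate expires on its own.

```python
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # certbot's default: renew when <= 30 days of validity remain

# Constructed sample input: what `openssl x509 -in cert.pem -noout -serial -enddate`
# prints on the certbot host and on each proxy (serials and dates are made up).
CERTBOT_HOST = "serial=0A1B2C3D\nnotAfter=Jul 10 09:00:00 2017 GMT\n"
PROXIES = {
    "proxy-a": "serial=0A1B2C3D\nnotAfter=Jul 10 09:00:00 2017 GMT\n",  # already updated
    "proxy-b": "serial=0011FFEE\nnotAfter=Apr 30 09:00:00 2017 GMT\n",  # still old cert
}
NOW = datetime(2017, 4, 5, 9, 0, tzinfo=timezone.utc)  # constructed "current" time


def parse_x509_summary(text):
    """Return (serial, expiry) from openssl's 'serial=...' / 'notAfter=...' lines."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines() if "=" in line)
    expiry = datetime.strptime(fields["notAfter"], "%b %d %H:%M:%S %Y %Z")
    return fields["serial"].lower(), expiry.replace(tzinfo=timezone.utc)


def deploy_status(certbot_summary, proxy_summary, now=NOW):
    """Compare the cert certbot last issued with the cert a proxy actually serves.

    Let's Encrypt does not invalidate the superseded cert, so a proxy still serving
    it is fine until that cert's own notAfter; 'days_left' is that deploy window.
    """
    new_serial, new_expiry = parse_x509_summary(certbot_summary)
    old_serial, old_expiry = parse_x509_summary(proxy_summary)
    days_left = (old_expiry - now).days
    if new_serial == old_serial:
        state = "in-sync"
    elif days_left <= 0:
        state = "expired"  # window missed: the served cert is no longer valid
    else:
        state = "stale"    # newer cert exists but has not been copied over yet
    return {
        "state": state,
        "days_left": days_left,
        # True once certbot would issue yet another cert on its next daily run
        "renewal_due": (new_expiry - now).days <= RENEW_BEFORE_DAYS,
    }


def report(now=NOW):
    """One line per proxy, e.g. 'proxy-b: stale, 25 days left to deploy'."""
    lines = []
    for name, summary in PROXIES.items():
        s = deploy_status(CERTBOT_HOST, summary, now)
        lines.append(f"{name}: {s['state']}, {s['days_left']} days left to deploy")
    return lines
```

Run it from cron on the Certbot host after each renewal attempt, feeding it the real `openssl` output collected from the proxies, to catch a proxy that was never updated before its old certificate runs out.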


So, there’s no connection between the limit on certificates for the same domain and the “extend” functionality?

I still have to pay attention to how many times I’ve added a new domain name to SAN certificate to avoid a lockout for the older names?

There’s no connection, correct. If you need to keep issuing a lot of certificates such that the limits would impinge you may need to consider other approaches to your problem, and in some cases (because the rates are too high) you might need to find a different CA. If you explain more about the names and how often you add or remove names, someone might have relevant advice about how to best stay inside the limits.


I don’t need to issue a lot of certs (less than 10 SAN certs), nor add to them very frequently (less than 5 domains / week). We are however three people that work together on this and I need to make sure that we don’t lock each other out if there would be a temporary spike in changes. That’s not a Let’s Encrypt problem though :relaxed:

Thanks for the explanations. I’ll read up on the limits again and if I have more questions I’ll return here.
