Can I add SAN entries to an existing Wildcard cert that includes other domains?

I have an existing wildcard certificate. Just as an example, let's say it is for domain.com (so, it includes domain.com and all sub-domains, *.domain.com).
Can that certificate be expanded to include other domains and wildcard domains within the SAN?
For example, can I include things like:
domain2.com
*.domain2.com
domain3.com
*.domain3.com

If so, how does one do that for an existing cert?

Welcome to the Let's Encrypt Community! 🙂

If by "expand" you mean "acquire a new cert covering the original and additional domain names" then yes. Certificates cannot be modified once issued. A certificate cannot cover a subdomain that is already covered by a wildcard within the same certificate.

5 Likes

Right. I was thinking about how to do an entirely fresh request to get a new wildcard SSL. From the perspective of certbot, does it only need to do the DNS challenge against the domain that is on the certificate and other domains included within the SAN wouldn't also need that challenge? So, for example, just requesting with multiple domains:
-d domain.com -d *.domain.com -d domain2.com -d *.domain2.com

and the DNS key/challenge would need to be updated within the appropriate entry for the first domain listed (within domain.com)?

You would need to validate any domain names without cached validations (on LE's servers), which means it's possible to "piecemeal" the validations to "build" a certificate.

3 Likes

How does one "incrementally validate" multiple domains?
Of course, I'd be interested in automation and easier renewal (given the 90 day lifespan of the certificates).
If there are 3 domains (one "main" one and two others included within the SAN), there is a need to do a type of DNS validation-per-root-domain for those included within the SAN?

I've started with "easywildcard" docker implementation with a single domain: GitHub - Fmstrat/easywildcard: A single-command docker container that makes it easy for anyone to utilize a wildcard SSL certificate from Let's Encrypt.

I'm trying to balance getting 3 separate wildcard certificates (one per each domain) vs just getting one and the "two others" referencing them in the SAN (since I'm the host for all three anyway).

Is the answer that, even with use of SAN, there is still a need to do a DNS-01 update for each of those sub-domains? How would I get the appropriate record(s) to publish in order to demonstrate I control each of those root domains within an automated process?

I am pretty sure Certbot does all the validations at once. If those domain names are all managed by the same account at your DNS provider it should work fine.

If those names are somewhere else then you could do tricks to make Certbot get that to work, although it might be hard to automate renewals.

There are other ACME clients that serialize the requests so different DNS providers could be used.

You could just try it and see using --dry-run like

sudo certbot certonly --dry-run -d (name1) -d (name2) ... (and your dns plugin options)

--dry-run will not affect existing certs

3 Likes
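To make concrete what the replies above state (every name in an order is validated separately, and a name already covered by a wildcard in the same order is rejected), here is an added Python example that plans the DNS-01 TXT records a multi-domain order will need. It is not code from the thread, Certbot or easywildcard; the domain names are the thread's own placeholders and `www.domain.com` is a constructed redundant name.

```python
"""Plan the DNS-01 records an ACME order for several SAN names will need.

Added example (not from the thread, Certbot or easywildcard). Rules applied:
RFC 8555 DNS-01 publishes the TXT record at _acme-challenge.<name> with any
leading "*." removed, so an apex and its wildcard share one record name; and
Let's Encrypt rejects a name already covered by a wildcard in the same order.
"""
from collections import defaultdict


def challenge_label(name: str) -> str:
    """DNS name at which the TXT record validating `name` is published."""
    base = name[2:] if name.startswith("*.") else name
    return f"_acme-challenge.{base}"


def redundant_with_wildcard(name: str, names: list[str]) -> bool:
    """True if `name` is a direct child of a wildcard also in the order."""
    if name.startswith("*."):
        return False
    parent = name.split(".", 1)[1] if "." in name else ""
    return f"*.{parent}" in names


def plan_dns01(names: list[str]) -> dict[str, object]:
    """Return the TXT record names needed and the names LE would reject.

    `records` maps each _acme-challenge label to the identifiers validated
    there; a label with two entries (apex + wildcard) needs two TXT records
    present at the same name at the same time.
    """
    names = sorted(set(n.lower().rstrip(".") for n in names))
    rejected = [n for n in names if redundant_with_wildcard(n, names)]
    records: dict[str, list[str]] = defaultdict(list)
    for n in names:
        if n not in rejected:
            records[challenge_label(n)].append(n)
    return {"records": dict(records), "rejected": rejected}


if __name__ == "__main__":
    # Constructed input: the -d list from the thread plus one redundant name.
    order = ["domain.com", "*.domain.com", "domain2.com", "*.domain2.com",
             "www.domain.com"]
    plan = plan_dns01(order)
    for label, ids in plan["records"].items():
        print(f"{label}: {len(ids)} TXT record(s) for {', '.join(ids)}")
    print("rejected as redundant with a wildcard:", plan["rejected"])
```

Each distinct `_acme-challenge` label corresponds to one zone your automation (or Certbot's DNS plugin) must be able to write to, which is why names hosted at different DNS providers complicate a single order.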
