Can I have two ssl certificates for one domain (single server)?

ramseth001 · January 8, 2020, 9:17am

Is it possible to have multiple SSL keys for one domain at one server?

Reason: When you renew an SSL certificate, you’re actually replacing the expiring one with a new one for all intents and purposes. Obviously you don’t want to uninstall the expiring certificate first, lest you leave your site unprotected.

Osiris · January 8, 2020, 9:22am

Yes.

And that's as much as an answer you're getting. See your other thread. You're giving too little information. So, a short question without enough information gets you a short answer I'm afraid.

That's not that obvious. Most services using TLS certificates will only start using the new certificate when the service is reloaded. So you can perfectly renew a previous certificate (which only takes a few seconds by the way...) and after the successful renewal, you'll reload the service. Most services (like Apache) have a "graceful" reload option, where a process which still has some useful work to do, won't be stopped until it has done all its work. Any process not doing anything useful will be stopped with a new process with the new certificate will be started.

Also, with most (if not every) renewal processes, there is no such thing as "uninstalling" a certificate first before the renewal proces.

ramseth001 · January 8, 2020, 10:15pm

Another reason I wanted to multiple keys is to have backup keys. How can I have multiple keys when renewing the certificate (certbot renew) will generate new set of keys, and move the old set of keys to the the archive folder?

My domain is: platute.com

I ran this command: sudo certbot certonly --standalone for installing

It produced this output:

My web server is (include version): Node JS v10.18.0

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

danb35 · January 8, 2020, 10:44pm

...and what is it you're hoping to accomplish with this? It isn't like keys are in short supply, or difficult or time-consuming to create.

ramseth001 · January 9, 2020, 3:55am

When configuring Public Key Pinning for iOS using TrustKit, the program is not compiling without a backup key. That’s the reason.

system · February 8, 2020, 3:55am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.