Can we add or delete domain in one cert?


#1

So here is the scenario, suppose we have created one Cert for 20 different domains (cross domains) like example1.com ,example2.com , example3.com upto example20.com
now after 1 month (before we renew) can I

  1. Add example21.com in same cert ?
  2. Remove example15.com and example16.com ?

also reply if there is possibility to achieve this at a time of renewal, I will be using certbot.

Thanks in advance :slight_smile:


#2

Yes, changing the domain coverage of your certificate on a monthly basis would be totally fine. It is only if you did it many times per week that it would become an issue due to rate limits:

You can drop domains that no longer work at renewal time with the --allow-subset-of-names option, but this is dangerous: you could accidentally drop domains that are supposed to work that way.

To explicitly add or remove domains you have to run the command to issue a new certificate again, but certbot will use it to replace the old certificate if you pass the --expand option.


#3

Strictly speaking, it will replace the old certificate with --expand if you have a strict superset of the previous certificate’s names. In general the way to control this is to specify the certificate’s name with --cert-name and then make sure that you list all of the names that you’d like to be covered by the new certificate with -d options. If that list is not identical to the existing certificate’s coverage (or if it is and the old certificate is within its renewal period), you’ll get your new certificate in place of the old one.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.