Certbot and duplicating certificates the Digicert way

Hello community,

I'm trying to get an automated way, via certbot, to duplicate certificates. Digicert has a 'duplicate' option with its certificates, where you can order one cert and duplicate it (assuming the common and SAN names don't change). This is our case, as we have a wildcard cert that we deploy to a lot of different servers. The 'duplicate' feature is nice, as it effectively allows us to have the same cert on many servers, but each server would have its own private key.

However, I'm running into roadblocks with this functionality and certbot. The --duplicate option that certbot has appears to only work with certs that it itself has generated. In this case I'll already have the origin cert created, so I don't believe this will work.

Does anyone have any experience with this or know if it's even possible? I know Digicert provides its own API for doing duplicates, but I was hoping to have certbot manage the cert/renewals etc.

I'm using certbot version 1.10.1 on CentOS 7.

2 Likes

Welcome to the Let's Encrypt Community, Joe

While I understand what you're trying to do, I must warn you that you will likely face another problem should you go down this road...

You are limited to five duplicate certificates in any rolling seven-day period where a certificate is considered a duplicate if it contains the exact same SANs as another certificate, regardless of order. If you hit this limit, you will begin seeing the message too many certificates already issued for exact set of domains. This limit is enforced by Let's Encrypt, so switching from certbot to another ACME client will not bypass it.

3 Likes

Hey @griffin,

Thanks for the response! However, I'm not sure that applies to me, as I'm using Digicert as my CA, not Let's Encrypt. Digicert enforces a rate limit of 1000 requests per 5 minutes: https://dev.digicert.com/rate-limits/
I don't have 1000 servers, so I wouldn't think this to be an issue for me. Please correct me if I'm wrong.

Thanks again,

Joe

3 Likes

So... --duplicate creates a separate certificate entity within the certbot directory structure.

I would recommend using --cert-name name instead, like this:

certbot run --cert-name mycerta ...

This way, you can name all of your certificates and control them individually.

For example...

To renew all of them:
certbot renew

To renew a specific one:
certbot renew --cert-name mycerta

You can use the following to view your list of certificates to note their names:
certbot certificates

This will let you delete unneeded certificates:
certbot delete --cert-name mycerta

Keep in mind that certbot handles certificates as named entities, not just files.

If you're using a load balancer, I would highly recommend terminating SSL/TLS at the load balancer rather than at the individual worker nodes.


You can't just "duplicate" a certificate and change its private key. The certificate authority must sign the certificate, including the public key corresponding to the private key. It's not a local operation.

For example, an RSA private key contains a modulus (n), a public exponent (e), and a private exponent (d), among other things. The corresponding public key contains the modulus (n) and the public exponent (e). Since the modulus (n) depends upon both the public exponent (e) and the private exponent (d), it is not possible to have the private key vary while keeping the public key static (a.k.a. "pinning" the public key). Thus, when you use a different private key for a duplicate certificate, the public key will be different as well and the certificate authority will need to sign off on associating that public key with your domain name(s).

Odd fact...

The public exponent (e) for the majority of RSA public keys in use on the internet is 65537.

1 Like

Although this is a true statement, I'm not 100% certain that changing the private key is a requirement.
If so, then yes, there is a hard 5 limit; as they would be counted individually.
If not, then it is just the same single cert being used in multiple places.

@griffin and @rg305, keep in mind that @JoeLemaire is not using certbot to get the certs from Let's Encrypt but from DigiCert, which also uses an ACME implementation (but only for OV and EV, not DV certificates), and the limits are not the same. Indeed, there are no limits on getting duplicated DigiCert certificates; the problem is that certbot doesn't implement a way to get those DigiCert duplicated certificates.

2 Likes

We all read (red) the same thing and yet we seem to have understood things in variously different ways.
If that is the case (to use certbot as an ACME client to DigiCert CA), then, yes, there is currently no direct equivalent process for --duplicate.

But maybe with some "creativity", certbot could be used to obtain and store new certs repeatedly.
The creativity comes in moving/storing them individually (without overriding any) and keeping the matching private key/public certs together.

====sample code - not real code====
set location to "A"
set desired count
set certs = 1

loop:

  • if certs > count then break loop # until all certs have been obtained
  • get a new cert
  • store a copy of the current cert into current location
  • increment location, certs

end loop:
===end sample====

[note: this example is clearly not written in any programming language - just English to convey an idea]
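As an added example (not code from the thread, from certbot or from DigiCert), here is the "creativity" loop above written as a POSIX shell script that also applies the earlier --cert-name advice: every server gets its own certbot lineage for the same SAN set, so certbot generates a fresh key pair for each one and the key is copied only into that server's directory. The ACME_SERVER URL and DOMAINS values are placeholders; MAX_NEW_PER_RUN is a guard for the 5-per-week duplicate limit that applies when the ACME server is Let's Encrypt.

```shell
#!/bin/sh
# Added example (not from the thread): one certbot lineage per server for the same
# SAN set, so every server gets its own freshly generated private key. ACME_SERVER
# and DOMAINS are placeholders to replace.
set -eu
ACME_SERVER="${ACME_SERVER:-https://acme.example.invalid/directory}"   # placeholder
DOMAINS="${DOMAINS:-*.example.com,example.com}"      # placeholder SAN set, comma-separated for one -d
CONFIG_DIR="${CONFIG_DIR:-/etc/letsencrypt}"         # certbot --config-dir
OUT_DIR="${OUT_DIR:-/srv/certs}"                     # one subdirectory per server
MAX_NEW_PER_RUN="${MAX_NEW_PER_RUN:-5}"              # Let's Encrypt: 5 identical-SAN certs per 7 days

# Lineage name from a server hostname: lowercase, safe characters only.
cert_name_for() {
    printf 'wildcard-%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9.]/-/g')"
}

# Request one certificate (new lineage, so certbot generates a new key pair) and
# copy chain + key into the directory that only this server will receive.
issue_for_server() {
    name="$(cert_name_for "$1")"
    dest="$OUT_DIR/$1"
    certbot certonly --non-interactive --agree-tos --server "$ACME_SERVER" \
        --config-dir "$CONFIG_DIR" --cert-name "$name" -d "$DOMAINS"
    mkdir -p -m 0700 "$dest"
    ( umask 077; cp "$CONFIG_DIR/live/$name/privkey.pem" "$dest/privkey.pem" )
    cp "$CONFIG_DIR/live/$name/fullchain.pem" "$dest/fullchain.pem"
    chmod 0600 "$dest/privkey.pem"
    chmod 0644 "$dest/fullchain.pem"
}

# Issue for every named server that has no key yet, stop at the per-run cap,
# and print how many new certificates were obtained.
issue_per_server_certs() {
    issued=0
    for server in "$@"; do
        if [ -f "$OUT_DIR/$server/privkey.pem" ]; then
            echo "skip $server: already has its own key" >&2
            continue
        fi
        if [ "$issued" -ge "$MAX_NEW_PER_RUN" ]; then
            echo "stop: $issued new certificates this run; re-run later for the rest" >&2
            break
        fi
        issue_for_server "$server"
        issued=$((issued + 1))
    done
    echo "$issued"
}

if [ $# -gt 0 ]; then issue_per_server_certs "$@"; fi   # usage: sh dup-certs.sh web01 web02
```

Re-running the script is safe: servers that already hold a key are skipped, and only the remaining ones trigger a new ACME order.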
