Thanks for your response!
The documentation says that “enhance” is supposed to “Add security enhancements to your existing configuration”. So is the “--must-staple” enhancement misnamed? It sounds like you’re saying all it’s supposed to do is enable stapling on the server. That is a very different thing from Must Staple.
I’m not following on the distinction between a new certificate and a renewed certificate. A renewal is the issuance of a new certificate, is it not? Why can’t the renewed certificate have the Must Staple flag set? I don’t see any reason it can’t.