Hi,
I am using the certbot certonly utility to renew / issue certs. I have a multiple-SAN list which consists of around 8 names.
command: certbot certonly --eab-kid xxx --eab-hmac-key xxx --server "https://xxx/" --config /cert/cert.conf --cert-name "x1.com" -d "x1.com" --key-type "rsa" --rsa-key-size 2048 -d "x2.com,x3.com,x4.com,x5.com,x6.com,x7.com,x8.com,x9.com" --webroot -w /cert/certbot-certs
I believe Let's Encrypt uses the first SAN entry as CN. They did change this behaviour some time ago though, but I thought they reversed that decision? In a post on the Certbot Github repo @jsha said:
Update on the community thread: at Let's Encrypt we're going back to the old behavior for now (first SAN from CSR promoted to Subject CN instead of alphabetically-first SAN). But we still plan to push towards no-Subject-CN issuance for almost everyone, and eventually for everyone.
It might be tough to find out Digicert's issuance policies from the Let's Encrypt Community Forum.
I think this is an interesting thing to understand and document, including about other CAs, but it's unlikely that people here will know the answer offhand. There are Certbot developers here who can tell you about Certbot behavior, but the content of the issued cert is ultimately determined by the issuer, not the requester.
Correct. That's why @webprofusion suggested generating and providing your own CSR with a CN. Although I don't recommend using Certbot with a separate CSR, as that behaviour is very different from other Certbot modes of operation and e.g. cannot be renewed automatically IIRC.
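The "bring your own CSR" route from the reply above, as an added example that is not part of the thread and not Certbot's or DigiCert's own code: a small POSIX shell script that builds a CSR with the Subject CN pinned explicitly while all names (the CN included) go into the SAN extension in whatever order you like, plus helpers to read back the CN and SAN list from the CSR and from a certificate. It assumes OpenSSL 1.1.1 or newer is on PATH (for -addext); the hostnames x1.com, x2.com, x3.com, the work directory and the file names req.key, req.csr and stub.pem are placeholders chosen for the example, and stub_cert is a self-signed stand-in used only so the inspection helpers can run offline (a real CA, not this step, decides what Subject the issued certificate gets).

```shell
#!/bin/sh
# Added example, not code from the thread, Certbot or DigiCert.
# Builds a CSR with an explicit Subject CN and a SAN list whose order is
# independent of the CN, then inspects CN / SANs of the CSR and of a cert.
# Assumes OpenSSL >= 1.1.1 (for -addext). Names and paths are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# san_ext NAME... : print the -addext value "subjectAltName=DNS:a,DNS:b,..."
# in the order the names are given.
san_ext() {
  out=""
  for name in "$@"; do
    out="${out:+$out,}DNS:$name"
  done
  printf 'subjectAltName=%s' "$out"
}

# make_csr CN SAN... : write $WORKDIR/req.key and $WORKDIR/req.csr.
# The CN should also appear somewhere in the SAN list (CAs require it),
# but it does not have to be the first SAN: that is the point of pinning it.
make_csr() {
  cn="$1"; shift
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/req.key" -out "$WORKDIR/req.csr" \
    -subj "/CN=$cn" -addext "$(san_ext "$@")" 2>/dev/null
}

# csr_cn FILE : print the Subject CN of a CSR (empty if it has none).
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//; s/^CN=//'
}

# cert_cn FILE : print the Subject CN of a certificate. Empty output means
# the CA issued with no Subject CN at all, which is what to expect as CAs
# move away from putting any domain name in the CN.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//; s/^CN=//'
}

# dns_sans FILE KIND : print the DNS SANs of a CSR (KIND=req) or of a
# certificate (KIND=x509), comma-separated, in the order they appear.
dns_sans() {
  openssl "$2" -in "$1" -noout -text \
    | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | paste -s -d, -
}

# stub_cert CN SAN... : self-signed stand-in for an issued certificate,
# constructed for this example only so cert_cn / dns_sans can run offline.
stub_cert() {
  cn="$1"; shift
  openssl req -x509 -new -key "$WORKDIR/req.key" -days 1 -sha256 \
    -subj "/CN=$cn" -addext "$(san_ext "$@")" \
    -out "$WORKDIR/stub.pem" 2>/dev/null
}

# Demo: CN pinned to x1.com even though x2.com is the first SAN.
make_csr x1.com x2.com x1.com x3.com
echo "CSR CN:   $(csr_cn "$WORKDIR/req.csr")"
echo "CSR SANs: $(dns_sans "$WORKDIR/req.csr" req)"
```

To hand the CSR to Certbot you would run certbot certonly --csr "$WORKDIR/req.csr" with your usual --server, EAB and --webroot options; as the reply above says, --csr mode writes the certificate files out directly and does not create a renewal configuration, so renewal has to be scripted around the same CSR. After issuance, run cert_cn and dns_sans with x509 on the returned certificate rather than assuming the CN survived: the requester can only ask, the issuer decides.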
It may be easier to fix whatever system is requiring a particular CN than to try to coerce certbot and Digicert into giving you that CN. The industry is moving toward trying to get rid of having any domain name in the CN entirely.
I have to ask....
For this specific purpose, do you really need a cert that covers multiple names?
[if you request a cert with only one name, then the CN is guaranteed]