Certificate to new subdomain: expand or create a new one from scratch

I created a site and added a Let's Encrypt certificate to it (mydomain.com). I did that through my hosting provider's (dinahosting) interface (a few clicks). I don't have root shell access there.

Now I want to create a subdomain. Let's say mysub.mydomain.com. That subdomain is hosted on another, different machine where I do have root shell access.

My doubt now is:
Do I have to create a new different certificate from scratch? Or do I have to modify (expand) the original one? (In this last case, how?)
What is the easiest way in my case?


Welcome to the Let's Encrypt Community, Alfonso 🙂

Since the subdomain will be hosted on another machine, it is best that you acquire a separate certificate for that subdomain on that machine. This will spare you the hassle and risk involved with transferring private keys now and in the future.


While I agree with @griffin in this specific situation, I'd like to point out that:

  • in general, it's not the best idea to "just" get a separate certificate for any subdomain for every separate server. There are rate limits in play and if you have many subdomains, you might run into the maximum number of certificates per domain. While this isn't very likely for just a few subdomains and consequently just a few certs, I would like to point this out.
  • to follow up on the above point: the easiest way is not always the best way. While in your case it's probably very, very difficult to include the subdomain in your main domain because you don't have root on your main site and are at the peril of some kind of configuration panel, most of the time it's recommended to terminate TLS at one site with a single certificate for all subdomains and let a reverse proxy handle the delegation to subdomains on the different internal hosts.

I agree with both @griffin and @Osiris: get a separate certificate for the new (sub)domain on the new machine. This is the easy, recommended and most maintainable way of doing this.

If you have specific needs to use one certificate for a machine (for example, you need to support non-SNI clients) or you need to disseminate the certificate around because you have several TLS terminators behind a load balancer, then your use case is pretty specific and you're the only one who can know what's best for it.
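The core of the question ("expand the original certificate or get a new one?") comes down to which names a certificate's Subject Alternative Name list covers. The following is an added example, not code from the thread or from Let's Encrypt: it implements the hostname-matching rule browsers apply (exact match, or a wildcard that stands for exactly one leftmost label) and runs it over three constructed SAN lists that mirror the options discussed above. The SAN lists and hostnames are made up for illustration; the wildcard variant is included because a `*.mydomain.com` name would cover every single-level subdomain (Let's Encrypt issues such names only via DNS-01 validation, which a hosting panel may not offer).

```python
"""Which hostnames does a certificate's SAN list cover? (added example)

Matching follows the RFC 6125 rules that clients enforce:
  * names compare case-insensitively, ignoring a trailing dot;
  * a wildcard must be the whole leftmost label ("*.mydomain.com");
  * the wildcard matches exactly one label, so "*.mydomain.com" covers
    "mysub.mydomain.com" but neither "mydomain.com" nor "a.b.mydomain.com".
"""


def name_matches(san: str, hostname: str) -> bool:
    """True if a single SAN entry covers the given hostname."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san == hostname:
        return True
    if not san.startswith("*."):
        return False
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # A wildcard stands in for exactly one label, so label counts must agree.
    if len(san_labels) != len(host_labels):
        return False
    # Refuse overly broad wildcards such as "*.com".
    if len(san_labels) < 3:
        return False
    return san_labels[1:] == host_labels[1:]


def covered(sans, hostname: str) -> bool:
    """True if any SAN entry covers the hostname."""
    return any(name_matches(s, hostname) for s in sans)


def uncovered(sans, hostnames):
    """Hostnames this certificate would NOT cover (clients report a name mismatch)."""
    return [h for h in hostnames if not covered(sans, h)]


# Constructed SAN lists for the three options discussed in the thread.
ORIGINAL_CERT = ["mydomain.com"]                        # what the panel issued
EXPANDED_CERT = ["mydomain.com", "mysub.mydomain.com"]  # reissued with an extra SAN
WILDCARD_CERT = ["mydomain.com", "*.mydomain.com"]      # hypothetical DNS-01 issued cert

HOSTS = ["mydomain.com", "mysub.mydomain.com", "www.mydomain.com", "a.b.mydomain.com"]

if __name__ == "__main__":
    for label, sans in [("original", ORIGINAL_CERT),
                        ("expanded", EXPANDED_CERT),
                        ("wildcard", WILDCARD_CERT)]:
        print(f"{label:9s} SAN={sans} not covered: {uncovered(sans, HOSTS)}")
```

Running the script shows that the panel-issued certificate covers only `mydomain.com`, which is why serving `mysub.mydomain.com` with it would fail; "expanding" means reissuing with the extra SAN, and since the subdomain lives on a second machine that reissued certificate (and its private key) would then have to be copied there, which is the hassle the answers above advise avoiding.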