Certify the Web has changed my cert from R13 to R12, will this cause a problem?

I have a server that is used for staging purposes. I am a new admin to this server and there isn't a lot of documentation on how things have been previously managed.

This server has an R12 and R13 cert. I notice they have the same friendly name.

Certify the Web manages the renewal of the certs, renewing once the certs have reached 75% of their expiration time. While monitoring renewals, I noticed that it has renewed R12 and not R13.

The R13 cert will expire at the end of December. Is this going to cause a problem, or will everything be fine as long as R12 keeps renewing?

I am new to this whole domain of server certs so forgive any misunderstandings.

2 Likes

Let's Encrypt randomly selects an intermediate certificate when issuing a certificate. So frequent alternating between R12 and R13 (the currently active RSA intermediates) is normal and expected.

Your ACME client should (and will) renew the leaf certificates ("your certificate") when they approach their expiration - typically at around 2/3 of the leaf's lifetime, although this depends on the ACME client.

A renewal is technically the same as issuing a new certificate. Therefore, the certificate chain may change at every renewal.

The R12/R13 certificates are both still valid until 2027; there's no impending expiration there.

It sounds like you may have two certificates (possibly for the same domains?). If that's the case you may not need one of the certificates and you can remove it/let it expire. As long as the certificates in active use are being renewed on time, everything is fine.

7 Likes

Let's Encrypt uses two intermediate CAs with RSA keys, currently R12 and R13.

You can't force one of them; they are picked randomly on issuing a new end cert.

Please note: Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

6 Likes

That's the information I was looking for. Thank you all for answering.

6 Likes

On Windows there is a certificate store (held in the registry) where the certificates are kept and associated with an encrypted-at-rest version of the private key file, and certificate bindings tend to use the thumbprint of the cert as the reference instead of referring to files on disk. So instead of replacing files on renewal, the thumbprint reference to the current cert (binding) is updated.

By default Certify Certificate Manager will clean up old instances of certs from the store when they expire rather than just on renewal, so it's normal for the store to have more than one cert for the same domain.

5 Likes
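A health check that applies the points made in this thread (bindings reference a thumbprint, the R12/R13 intermediate rotates at every issuance, and only the bound leaf's expiry and chain matter). This is an added example, not code from the thread or from Certify The Web; it assumes Windows PowerShell on the server itself, leaf certs in LocalMachine\My, HTTPS bindings registered with http.sys (IIS), and the hostname below is a placeholder:

```powershell
# Added example, not from the thread or the Certify The Web project.
# Assumptions: Windows PowerShell 5.1+, run on the server, certs in LocalMachine\My,
# HTTPS bindings registered with http.sys (IIS). The hostname is a placeholder.
param([string]$HostName = 'staging.example.com')

# Thumbprints currently bound in http.sys; these are the certs that actually serve TLS.
$bound = netsh http show sslcert | ForEach-Object {
    if ($_ -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { $Matches[1].ToUpper() }
}

# Every leaf in the machine store for that hostname, latest expiry first.
$leaves = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "*CN=$HostName*" -or ($_.DnsNameList.Unicode -contains $HostName)
} | Sort-Object NotAfter -Descending

$report = foreach ($c in $leaves) {
    # Issuer CN is the intermediate that signed this leaf, e.g. R12 or R13.
    $issuerCN = (($c.Issuer -split ',')[0] -replace '^\s*CN=', '')
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        Issuer     = $issuerCN
        NotAfter   = $c.NotAfter
        DaysLeft   = [int]($c.NotAfter - (Get-Date)).TotalDays
        ChainOK    = $c.Verify()   # builds the chain, so the intermediate must be resolvable
        InUse      = ($bound -contains $c.Thumbprint.ToUpper())
    }
}
$report | Format-Table -AutoSize

# Only the bound leaf matters; older unbound copies (and the intermediate rotating) are expected.
$active = @($report | Where-Object InUse)
if ($active.Count -eq 0) {
    Write-Warning "No certificate for $HostName is bound in http.sys."
}
foreach ($a in $active) {
    if ($a.DaysLeft -le 30) {
        Write-Warning "Bound cert $($a.Thumbprint) expires in $($a.DaysLeft) days; check the renewal job."
    } elseif (-not $a.ChainOK) {
        Write-Warning "Bound cert $($a.Thumbprint) does not chain on this host; check the CA store for $($a.Issuer)."
    } else {
        "OK: bound cert from $($a.Issuer) is valid until $($a.NotAfter); unbound copies can expire safely."
    }
}
```

Run it in an elevated session after each renewal; a bound leaf with a short DaysLeft value, not an unbound R13-signed copy expiring in December, is the condition worth acting on.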

It's worth adding that with Certify The Web there is dedicated private support available (hi!) through support at certifytheweb.com for licensed customers and you can ask questions there any time, especially if it's something specific to that app or if you feel it's something that is more confidential than a public forum is suited for.

5 Likes