Create a certificate for domain without subdomain

I would like to generate a certificate for and not
Is that possible?


Without details ( what your OS is, what client you are using etc.) I can’t provide details though - hence my answer is rather lacking in specifics and detal, as your question :wink:

Hi Serverco,

Thanks for the response.

I have a certificate within it I registered the domains like,, but not without subdomain just

The DNS is pointing all to the same IP address.

I found out that some visitors are using just the domain without subdomain to visit our website.
So I changed apache conf to let also the traffic without domain thru.

That works except that the SSL certificate is not vallid in this case.

Ideally you want to generate a new certificate including all the domain names (,,, ) if I understand you correctly.

Yes. Can I change an existing certificate or do I have to create a new one?

You would register a “naked domain” ( the same way you you already registered the others. Just re-issue the cert and include as one of the SAN’s (subject alt names).

Thank yo all. I will renew the certificate

If you are using certbot then use the --expand option to expand the certificate to include the additional domain name.

Thanks for the tip! I will use the --expand option.
One more question I saw an example command in an other blog post with a naked domain.
It had a minus symbol before the name like -d
Do I have to put the minus symbol in front of the domainname?

no, not sure why it had that, If you can provide a link I’d be interested in seeing.

I tried to go thru the history of my browser to find that sample. But can’t find it anymore.
Anyway thanks for all the help.

As a reminder, currently in Certbot you need to list all of the domains (the old ones and the new one) when renewing this way. If you were to use only -d without mentioning the existing names, it wouldn’t work properly.

Using multiple -d hosts can associate multilple hosts with a single cert. Just leave off the to generate a cert for the bare domain.

letsencrypt certonly --agree-tos --email=your-email --webroot -w /var/www/html -d

Keep in mind, this can cause all manner of subtle problems depending on your Apache config + what terminal/final link your site uses (bare domain or www).

Also keep in mind, many tools + even some broken browsers will attempt prefetching www, if www has ever been referenced. This can also cause hard to debug problems.

Due to the bare domain + www complexities, most examples show bare domain + www using the same cert.

Unless you’re a Command Line Shell Savant, best use bare domain + www for your main site certs.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.