Different certificate for subdomain

I am using Let's encrypt certificate for a domain. I used the following command to generate the certificate:

sudo certbot -i apache -a manual --preferred-challenges dns -d www.XXXXX.in

I want to use different certificates for the subdomains. Please let me know how I can generate the certificate for a domain so that it will not affect the subdomains' certificates (to prevent the domain's certificate being used for a subdomain).

Can you show, in an example, what it is you want to do?
Like:
cert #1 = www.XXXXX.in (ONLY)
cert #2 = *.subdomain.XXXXX.in (ONLY)

Yes, I need to use different certificates for the domain and the subdomain, and the domain's certificate should only work for the domain.

Yes? Yes to the example?
Is that example exactly what you are trying to do?

I understand about you wanting two certs…
But I don’t understand when you try to explain it all in just one sentence:
In short - “I need diff certs: 1 for purpose A and 1 for purpose B as well as A’s cert should only work for A”
Regardless if A and B are similar certs (or not), Cert A will always only work for purpose A and only A.
You may be trying to describe some “overlap”, but I’m just not understanding.

Please try to show exactly what you want more clearly.
As I did in my example.
Include as much detail as possible.

If you just run Certbot once for each domain, it will issue separate certificates.

sudo certbot -i apache -a manual --preferred-challenges dns -d b.example.org
sudo certbot -i apache -a manual --preferred-challenges dns -d a.example.org

This will result in separate certificates:

/etc/letsencrypt/live/b.example.org/fullchain.pem
/etc/letsencrypt/live/a.example.org/fullchain.pem

Thanks for your response!!

Sorry, I went the wrong way. My problem is totally different. For example:

I have a domain, let's call it example.org, and it has 6 different subdomains for different purposes, which are as follows:

1. a.example.org
2. b.example.org
3. c.example.org
4. d.example.org
5. e.example.org
6. f.example.org

So I want to generate one Let's Encrypt certificate to authorise SSL connections to all the subdomains. Can I get the required certificate by running the following command?

sudo certbot -i apache -a manual --preferred-challenges dns -d example.org

sudo certbot -i apache -a manual --preferred-challenges dns \
-d a.example.com -d b.example.com -d c.example.com -d d.example.com \
-d e.example.com -d f.example.com

If you are using DNS validation, you may also choose to just issue a wildcard, which takes fewer validation steps and works for any subdomain:

sudo certbot -i apache -a manual --preferred-challenges dns \
-d "*.example.com" -d example.com

So the above command should work for me?

It does not work. It gives the following error:

Wildcard domains are not supported: *.example.com

Wildcard certificates are supported in the latest Certbot versions. If you can, upgrade: https://certbot.eff.org

Otherwise, you can try the other variant (listing every domain without wildcards) that I suggested.

@Amit_Raj if you want to issue a wildcard cert and your certbot version is 0.22.x or 0.23 you need to specify the API v2 server:

sudo certbot -i apache -a manual --preferred-challenges dns \
-d '*.example.com' -d example.com --server https://acme-v02.api.letsencrypt.org/directory

Will the following command work for me or not?

sudo certbot -i apache -a manual --preferred-challenges dns -d example.org

That command won't issue a wildcard cert, only a cert covering example.org, but whether it will work for you or not... try it.

The base domain certificate covering example.org is not a wildcard certificate and does not apply to subdomains. As others have explained, you can request a wildcard certificate only using the ACMEv2 server and a newer version of Certbot.

If you know all of the subdomains ahead of time and you simply want to list them in a single certificate, you can use the form that @_az gave

This works with older versions of Certbot and produces a certificate covering six specific subdomains, rather than a wildcard.

Using -a manual like this can be inconvenient because it won't support automatic renewal (when the certificate is going to expire, you'll have to run the same command again and perform the same authentication steps manually again).
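To make the point of the two replies above concrete (a certificate for the bare domain does not cover its subdomains, a SAN certificate covers exactly the names listed, and a wildcard covers one label of subdomain plus the apex only if the apex is listed too), here is an added Python example. It is not part of this thread and not Certbot's code: it applies the name-matching rules a TLS client uses (wildcard only as the whole left-most label, matching exactly one label) to the SAN lists the three command shapes in the thread would produce. `name_matches`, `certbot_sans`, `covered_hosts` and `coverage_report` are hypothetical helper names; the sample commands are constructed and use example.org throughout (the thread mixes .com and .org); and the multi-level case `x.a.example.org` goes beyond what the thread discusses.

```python
"""Which hostnames a Let's Encrypt certificate actually covers.

Added example (not from this thread, and not Certbot's code): it applies the
TLS client name-matching rules (RFC 6125 / RFC 9525 style, which are also the
rules Let's Encrypt enforces on wildcard requests) to the SAN lists that the
certbot commands in this thread would produce.  Everything is constructed:
no certificate is read from disk and certbot is never run.
"""

import shlex
from typing import Dict, Iterable, List


def name_matches(san_entry: str, hostname: str) -> bool:
    """Return True if one DNS subjectAltName entry covers `hostname`.

    Rules:
      * labels are compared case-insensitively, whole label by whole label;
      * '*' is accepted only as the entire left-most label ('a*.example.org'
        and 'a.*.org' never match anything);
      * the wildcard stands for exactly one label, so '*.example.org' covers
        'a.example.org' but neither 'example.org' nor 'x.a.example.org'.
    """
    san_labels = san_entry.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "" in san_labels or "" in host_labels:      # empty label: malformed name
        return False
    if "*" not in san_entry:                       # plain name: exact match only
        return san_labels == host_labels
    if san_labels[0] != "*" or any("*" in lab for lab in san_labels[1:]):
        return False                               # wildcard in a disallowed position
    if len(host_labels) != len(san_labels):
        return False                               # '*' covers one label, not zero, not two
    return host_labels[1:] == san_labels[1:]


def certbot_sans(command: str) -> List[str]:
    """Names a certbot command line would put in the certificate's SAN list.

    Hypothetical helper: only the command line is parsed (-d / --domain /
    --domains, separated or '='-joined, comma lists allowed); certbot itself
    is never invoked.
    """
    argv = shlex.split(command.replace("\\\n", " "))  # join shell line continuations
    names: List[str] = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-d", "--domain", "--domains") and i + 1 < len(argv):
            names.extend(n for n in argv[i + 1].split(",") if n)
            i += 2
            continue
        if arg.startswith(("--domain=", "--domains=")):
            names.extend(n for n in arg.split("=", 1)[1].split(",") if n)
        i += 1
    return names


def covered_hosts(san_entries: Iterable[str], hostnames: Iterable[str]) -> Dict[str, bool]:
    """Map each hostname to whether any SAN entry in the certificate covers it."""
    sans = list(san_entries)
    return {h: any(name_matches(s, h) for s in sans) for h in hostnames}


# Constructed sample inputs: the three shapes of command from the thread,
# rewritten to use example.org consistently.
COMMANDS = {
    "apex only": "sudo certbot -i apache -a manual --preferred-challenges dns -d example.org",
    "six names": (
        "sudo certbot -i apache -a manual --preferred-challenges dns \\\n"
        "  -d a.example.org -d b.example.org -d c.example.org -d d.example.org \\\n"
        "  -d e.example.org -d f.example.org"
    ),
    "wildcard": (
        "sudo certbot -i apache -a manual --preferred-challenges dns \\\n"
        "  -d '*.example.org' -d example.org "
        "--server https://acme-v02.api.letsencrypt.org/directory"
    ),
}
HOSTS = ["example.org", "a.example.org", "f.example.org", "g.example.org", "x.a.example.org"]


def coverage_report() -> Dict[str, Dict[str, bool]]:
    """For each sample command, which of HOSTS the resulting certificate would cover."""
    return {label: covered_hosts(certbot_sans(cmd), HOSTS) for label, cmd in COMMANDS.items()}


if __name__ == "__main__":
    for label, report in coverage_report().items():
        print(f"{label:10s} covers:  " + ", ".join(h for h, ok in report.items() if ok))
        print(f"{'':10s} rejects: " + ", ".join(h for h, ok in report.items() if not ok))
```

Running it shows the "apex only" certificate covering example.org and nothing else, the "six names" certificate covering a.example.org through f.example.org but not the apex or a seventh name, and the wildcard covering the apex plus any single-label subdomain while still rejecting x.a.example.org. To check a real lineage the same way, list its SANs with `openssl x509 -in /etc/letsencrypt/live/<name>/fullchain.pem -noout -text | grep -A1 'Subject Alternative Name'` and feed those names to `covered_hosts`.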

I need to generate a wildcard certificate for a single domain and I used the above command, but it is giving me the following error:

Wildcard domains are not supported: *.example.com

Please help me to generate a wildcard certificate for a domain.

@Amit_Raj please show:
certbot --version

Maybe @sahsanu's post could have been more explicit on this point:

... if your certbot version is older than that, your version of certbot is completely incapable of requesting a wildcard certificate and needs to be upgraded to a newer version.
