I have seen several topics relating to this but none that actually provide a solution, i.e. run certbot-auto with this flag, etc.
I am using letsencrypt to serve multiple SSL virtualhosts on apache; the certificates are being generated and work correctly. I am being asked by my boss to have the Subject Name be our organization hdesd.org (which is one of the VHosts) instead of the alphabetically first one, centraloregonstem.org. Is this possible and how do I accomplish this task? We have a working existing cert and are running the certbot-auto renew via cron.
Sorry but I don’t know if I understood what you need.
Are you talking about the CN (Common Name)?
or are you talking about the order of SAN?
If it is the second one, the answer is no, these names are sorted alphabetically and you can do nothing to override it.
If you are talking about the common name (CN), yes, you can define which domain name included in the certificate will appear in the common name field: the first domain in the certbot command will be used to fill the common name.
In this case, the common name will be centraloregonstem.org:
Yes, it was the first one, the Common Name. So thank you!
So now that I have the existing cert and they are all still valid, how do I replace it? I never had to list the domains, it just scanned the virthosts defined in /etc/httpd/conf.d/ folder, so do I have to enumerate all of them now? And do you know if that will stick through the certbot-auto renew cron job or do I need to modify that job as well?
You can issue the same command you used, but this time add the -d parameters for every domain you want to include in the cert, and the first one will be the one used to fill the Common Name. If you issue the same command with the -d domain1 -d domain2 parameters, etc., certbot should detect that another cert with the same exact domains is already issued and will ask you if you want to renew and replace, and you should select that option.
Yes, you don’t have to change anything in your cron job, it will renew your certificate and Let’s Encrypt will respect the common name.
Note: Before trying anything, please, backup /etc/letsencrypt/ dir just in case.
Both kinds of issuance are counted in the same way against the totals. The only difference is that reissuance won’t be blocked by the certificate per registered domain rate limit (but it does count against it).
As far as I know, a reordered certificate should be counted as a renewal and hence not be blocked by this rate limit.
That’s right. CAs are required to include the Common Name in the SAN field too. That way clients can ignore the Common Name field entirely. (Clients usually don’t ignore it, though, because enterprise CAs don’t always hold themselves to the rules of public CAs.)
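Two points in this thread are easy to get wrong in practice: the first -d domain on the certbot command line is the one that ends up in the CN, and a public CA must also list that CN in the subjectAltName extension. The following POSIX sh script is an added example, not something posted in the thread or shipped with certbot: it builds the -d argument list with the chosen CN first (dropping duplicates), and it uses openssl to read the CN and SAN names back out of a certificate so you can confirm the reissued cert is what you asked for. The self-signed certificate it generates is a constructed stand-in for a Let's Encrypt cert (same domain names as in the thread); the temp file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: assemble the certbot -d list with the
# wanted Common Name first, then inspect a certificate's CN and SAN entries.
# Domain names are the ones from the thread; file paths are assumptions.

# certbot_domain_args CN DOMAIN...: print "-d CN -d other ...", CN first and
# duplicates dropped, so the first -d (which certbot uses as the CN) is the
# one you chose rather than the alphabetically first vhost.
certbot_domain_args() {
  cn=$1; shift
  args="-d $cn"
  seen=" $cn "
  for d in "$@"; do
    case $seen in
      *" $d "*) continue ;;   # already listed, skip it
    esac
    args="$args -d $d"
    seen="$seen$d "
  done
  printf '%s\n' "$args"
}

# cert_common_name FILE: print the CN of a PEM certificate.
cert_common_name() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_san_names FILE: print the DNS names from subjectAltName, one per line
# (in the order the CA wrote them; Let's Encrypt sorts them alphabetically).
cert_san_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName |
    tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# cert_cn_in_san FILE: succeed if the CN also appears in the SAN list,
# which public CAs are required to guarantee.
cert_cn_in_san() {
  cn=$(cert_common_name "$1")
  cert_san_names "$1" | grep -qx "$cn"
}

# make_demo_cert DIR: write a constructed self-signed test certificate
# (not a Let's Encrypt cert) with CN hdesd.org and both domains in the SAN.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/key.pem" -out "$1/cert.pem" \
    -subj "/CN=hdesd.org" \
    -addext "subjectAltName=DNS:hdesd.org,DNS:centraloregonstem.org" \
    >/dev/null 2>&1
}

# Demo: the argument list certbot would receive, then the fields of a test cert.
certbot_domain_args hdesd.org centraloregonstem.org hdesd.org www.hdesd.org
if command -v openssl >/dev/null 2>&1; then
  tmp=$(mktemp -d)
  make_demo_cert "$tmp"
  echo "CN:  $(cert_common_name "$tmp/cert.pem")"
  echo "SAN: $(cert_san_names "$tmp/cert.pem" | tr '\n' ' ')"
  cert_cn_in_san "$tmp/cert.pem" && echo "CN is present in SAN"
  rm -rf "$tmp"
fi
```

To check the live certificate after reissuing, point cert_common_name and cert_san_names at the cert.pem under the relevant /etc/letsencrypt/live/ directory (back that directory up first, as the thread advises). The -ext and -addext options need OpenSSL 1.1.1 or newer.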