How to split up a multi-domain certificate into individual certificates

I have a certificate that includes 1 domain and about 8 different subdomains. I’d like to split them up so each subdomain has its own certificate because I’m finding it difficult to manage the certificate, and when I want to add a subdomain I have to reissue the certificate with all of the subdomains again plus the new subdomain — unless there’s a way to add just one additional domain to an existing certificate? I don’t think there is.

To split them up so each domain and subdomain has its own certificate, do I need to revoke the main certificate first, then re-issue the certificates for each subdomain? As a test I created a new certificate for one of the subdomains and it was successful. But the subdomain is still also listed as a domain covered under the main domain certificate, too, so I guess that means I could use either certificate for that one subdomain if I wanted?


My web server is (include version): Apache 2.4.6
The operating system my web server runs on is (include version): CentOS 7.8
I can login to a root shell on my machine: Yes
I’m using a control panel to manage my site: No
The version of my client is: 1.7.0

Any change to a certificate requires the issuance of a new one.
So, there is no actual “add” to existing - it functions as “replace existing” with the current names plus additional (or fewer) name(s).

For so few names, individual certs would be fine.

To get there from here.
You could simply break off the names one at a time (into new individualized certs).
Until they each have their own certs and the ALL inclusive cert remains unused.
Then you can simply delete that unused cert.


If you are handy with editing files, you could issue the new certs with certonly
Then edit the corresponding vhost config to use the newly created cert.
Rinse and Repeat until the ALL inclusive cert is no longer used anywhere in the config.

If you need help finding or verifying any part of what was mentioned, feel free to ask.
[it is difficult to gauge your expertise and or comfort in this area from the little written]


No. You should never revoke a certificate unless it has been compromised. It is a waste of resources and will likely cause more problems than it will solve. Simply taking the certificate out of usage then removing the certificate (and its private key) will suffice. The suggestions from @rg305 are spot-on. I’ll just add a few pragmatic pointers to the bottom of this post to smooth the transition.


Absolutely. The tricky point here you should keep in mind is that each certificate is mapped to a single private key. The certificate is public knowledge, but the private key is not. Therefore, you should consider certifying based on the management of your private key. Duplicating a private key across instances (or devices) can be error-prone and create a security risk, not to mention pose a hassle in general. If you have a virtual (or physical) divide between your subdomains, that’s probably a good case for separate certificates. Having separate configurations for subdomains is also a very obvious reason why creating separate certificates can simplify your life.


Pointers:

  • Use certbot certificates to view your existing certificates, particularly to note the name of each certificate and the (sub)domains it covers.
  • Add --cert-name *name given/assigned to a certificate* to your commands to independently manage each certificate (e.g. adding, removing, or replacing subdomains or changing your acquisition or installation process for that certificate)
  • You can give a certificate a name yourself when you create it rather than having certbot assign one for you
  • Use certbot delete --cert-name *name* to properly delete a certificate
  • Keep in mind that renew operates on ALL of your certificates (so consider using --cert-name *name* if you want to only renew a particular certificate)
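The "rinse and repeat" procedure from the two replies above, as an added shell example that is not from the thread or from certbot itself: list the vhost files that still point at the all-inclusive cert's live directory, print the certonly command (with --cert-name) for each name, repoint a vhost once its individual cert exists, and only report the old cert as safe to delete when no config references it. The cert name "example.com", the --webroot authenticator, the webroot path and the conf.d directory are placeholders assumed for the example, and the vhost files it creates are constructed samples, not config from the original poster.

```shell
#!/bin/sh
# Added example (not code from the thread or from certbot). Assumed names:
# the all-inclusive lineage is "example.com", names are validated with
# --webroot, and Apache vhost files live in the directory passed as $1.

LIVE=/etc/letsencrypt/live

# List the vhost files under $1 that still reference cert lineage $2
# (fixed-string match on its live directory, so dots are not wildcards).
vhosts_using_cert() {
  grep -rlF "$LIVE/$2/" "$1" 2>/dev/null | sort
}

# Print the certonly command that would issue an individual cert for name $1
# using webroot $2. --cert-name makes the lineage name predictable instead of
# letting certbot assign one. Printed only; nothing contacts the CA here.
certonly_cmd_for() {
  printf 'certbot certonly --webroot -w %s --cert-name %s -d %s\n' "$2" "$1" "$1"
}

# Print one certonly command per vhost that still uses lineage $2, taking the
# name from the vhost's ServerName. Run these first; repoint afterwards.
plan_split() {
  for conf in $(vhosts_using_cert "$1" "$2"); do
    name=$(sed -n 's/^[[:space:]]*ServerName[[:space:]]*//p' "$conf" | head -n 1)
    certonly_cmd_for "$name" /var/www/html   # webroot path is a placeholder
  done
}

# Rewrite SSLCertificateFile/SSLCertificateKeyFile in vhost $1 from lineage $2
# to lineage $3. Do this only after certonly for $3 succeeded, then reload Apache.
repoint_vhost() {
  sed "s#$LIVE/$2/#$LIVE/$3/#g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Succeed only when nothing under $1 references lineage $2 any more;
# that is the point at which `certbot delete --cert-name $2` is appropriate.
safe_to_delete() {
  [ -z "$(vhosts_using_cert "$1" "$2")" ]
}

# Constructed sample vhosts for a dry run (not the poster's real config):
# two subdomains, both still served from the all-inclusive cert.
make_sample_confs() {
  mkdir -p "$1"
  for name in www.example.com mail.example.com; do
    cat > "$1/$name.conf" <<EOF
<VirtualHost *:443>
    ServerName $name
    SSLEngine on
    SSLCertificateFile $LIVE/example.com/fullchain.pem
    SSLCertificateKeyFile $LIVE/example.com/privkey.pem
</VirtualHost>
EOF
  done
}
```

In practice each `certbot certonly` must succeed before the matching `repoint_vhost` runs, followed by `apachectl configtest` and a reload; when `safe_to_delete` finally succeeds, `certbot delete --cert-name example.com` removes the unused lineage and its private key.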
