I have some doubts about the security and features of the system


#1

What happens if I lose the certificates that I used to request the certificate? Is it possible to go through the verification process again with new certificates?

In the event of a security breach on the server, is it possible to revoke the old certificates and create new ones using a different account?

Is it possible to dynamically add more domains to a SAN certificate, for example, by forcing a renewal?


#2

You can get a new certificate at any time, using the same procedure. Account keys are not permanently bound to domain names.

Yes. Revocation requires access to either your account key or your certificate’s private key, so make sure to have a backup of that in offline storage in case of a breach.

You can add domains at any point by adding additional -d example.com arguments to your client invocation. I’d also recommend --expand to make sure the client replaces the existing certificate file instead of creating a new folder in /etc/letsencrypt/live.

Adding domains to a certificate is no different from issuing a new certificate, so you’ll have to solve the challenge for all SANs again.

There’s a rate limit of 5 certificates per registered domain (TLD + 1 label) per 7 days, so you won’t be able to do that too often.


#3

So that means that if I want a SAN certificate for, let’s say, 10 subdomains of the same domain, I could only register 5 at a time and I would need to wait a week for the other 5. Am I right?


#4

No, you can have up to 100 SANs on a single cert. So combined you could have 500 in a week.


#5

No, you could (at the first attempt) get a single certificate with all 10 subdomains - which would count as 1 certificate (with the limits of 5 certs / domain / 7 days).

If you wanted to add them one by one you would need to take a couple of weeks about it - but that is fairly pointless :wink:
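As an added example (not code from this thread or from the certbot project), the following script turns the replies in #2 and #5 into a small issuance planner: it counts how many certificates were issued per registered domain in the last 7 days, treats a SAN certificate as a single issuance no matter how many names it carries, checks the 100-name cap mentioned in #4, and assembles the `certbot certonly -d ... --expand` invocation from #2. The issuance history and the `NOW` timestamp are constructed sample data, the limits are the figures quoted in the thread, and `registered_domain` applies the naive "TLD + 1 label" rule stated in #2; the real rate limiter uses the Public Suffix List, so names like `example.co.uk` need a proper lookup.

```python
"""Plan a Let's Encrypt SAN issuance against the rate limits quoted in the thread.

Example code written for this discussion; it does not talk to any CA and
does not run certbot, it only reasons about a constructed issuance history.
"""
from collections import Counter
from datetime import datetime, timedelta
import shlex

# Limits as stated in the thread (historical values, not fetched from anywhere).
RATE_LIMIT_CERTS = 5
RATE_LIMIT_WINDOW = timedelta(days=7)
MAX_SANS_PER_CERT = 100


def registered_domain(name: str) -> str:
    """Naive 'TLD + 1 label' reduction, as described in reply #2.

    Assumption: a two-label suffix; real rate limiting uses the Public
    Suffix List, so this misclassifies names under suffixes like co.uk.
    """
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"not a valid FQDN: {name!r}")
    return ".".join(labels[-2:])


def certs_in_window(history, now, window=RATE_LIMIT_WINDOW) -> Counter:
    """Count issued certificates per registered domain inside the window.

    `history` is an iterable of (issued_at, [san, ...]) tuples. A certificate
    covering several names under one registered domain counts once for it.
    """
    counts = Counter()
    for issued_at, sans in history:
        if now - window < issued_at <= now:
            for rd in {registered_domain(s) for s in sans}:
                counts[rd] += 1
    return counts


def plan_issuance(history, now, new_sans):
    """Return (allowed, reasons) for issuing one certificate with `new_sans`."""
    reasons = []
    if len(new_sans) > MAX_SANS_PER_CERT:
        reasons.append(f"{len(new_sans)} names exceeds {MAX_SANS_PER_CERT} SANs per certificate")
    counts = certs_in_window(history, now)
    for rd in sorted({registered_domain(s) for s in new_sans}):
        if counts[rd] >= RATE_LIMIT_CERTS:
            reasons.append(
                f"{rd}: {counts[rd]} certificates issued in the last "
                f"{RATE_LIMIT_WINDOW.days} days (limit {RATE_LIMIT_CERTS})"
            )
    return (not reasons, reasons)


def certbot_command(new_sans) -> str:
    """Build the client invocation from reply #2: one -d per name, plus --expand
    so an existing lineage is replaced instead of a new /etc/letsencrypt/live folder."""
    args = ["certbot", "certonly"]
    for san in new_sans:
        args += ["-d", san]
    args.append("--expand")
    return shlex.join(args)


# Constructed sample history: four certificates for example.com inside the
# window, one outside it, and one for an unrelated registered domain.
NOW = datetime(2016, 1, 20, 12, 0)
HISTORY = [
    (NOW - timedelta(days=1), ["a.example.com"]),
    (NOW - timedelta(days=2), ["b.example.com", "c.example.com"]),  # counts once
    (NOW - timedelta(days=3), ["d.example.com"]),
    (NOW - timedelta(days=6), ["e.example.com"]),
    (NOW - timedelta(days=10), ["f.example.com"]),  # outside the 7-day window
    (NOW - timedelta(days=1), ["shop.example.org"]),
]
TEN_SUBDOMAINS = [f"s{i}.example.com" for i in range(10)]

if __name__ == "__main__":
    allowed, reasons = plan_issuance(HISTORY, NOW, TEN_SUBDOMAINS)
    print("allowed:", allowed, reasons)
    if allowed:
        print(certbot_command(TEN_SUBDOMAINS))
```

Running the script with the constructed history reports that the ten-name certificate is still allowed (four of five issuances used for `example.com`) and prints the single `certbot certonly` line that requests all ten names at once, which is the point made in #5: one SAN certificate is one issuance, so there is no need to split the names across weeks.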


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.