Is it necessary to revoke a certificate before adding a new subdomain?


#1

If a certificate has been issued that contains two subject alternative names example.org and foo.example.org and one would want to add www.example.org.
Would it be necessary to revoke the certificate first before generating a new certificate with all necessary subject alternative names?


#2

No, you don’t need to revoke the existing cert.

If you are using certbot, then you simply use the “--expand” flag to expand the existing cert to include the additional www domain.


#3

@serverco cool, that’s exactly what I did and it seemed to do what I wanted it to do. I was wondering if there was more magic happening beneath the surface though? (automatic revocation and reissuance?)


#4

Nothing magic happening really - it simply issues a new certificate with the new domain names. The old certificate would still be valid (up to its expiry date) but since the revocation process is largely broken (as a general concept in browsers, nothing to do with LE), and the old certificate is still securely on your server there is no point / benefit in revoking it.
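
To make the point in #2 and #4 concrete, here is an added example (not posted by anyone in this thread, and not certbot's or Let's Encrypt's code). It builds two self-signed stand-in certificates with the SAN lists from the question (the old one with example.org and foo.example.org, the new one with www.example.org added), then uses openssl to show that the "expanded" certificate is simply a new certificate carrying a superset of names, that the old one is still valid, and what the certbot --expand invocation for that name set looks like. It assumes OpenSSL 1.1.1 or newer on PATH (for -addext and -ext); the certbot command is only printed, never run.

```shell
#!/bin/sh
# Added example: what "certbot --expand" amounts to at the certificate level.
# Assumes openssl >= 1.1.1. The certificates are locally generated, self-signed
# stand-ins (constructed for this example), not Let's Encrypt certificates.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert FILE "DNS:a,DNS:b": write a self-signed cert with the given SAN list.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=example.org" \
        -addext "subjectAltName=$2" \
        -keyout "$WORK/key.pem" -out "$1" >/dev/null 2>&1
}

# cert_sans FILE: print the DNS names in the certificate's SAN extension, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# cert_has_san FILE NAME: succeed only if NAME is covered by the certificate.
cert_has_san() {
    cert_sans "$1" | grep -qx "$2"
}

# cert_still_valid FILE: succeed if the certificate has not passed its notAfter date.
cert_still_valid() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# expand_cmd NAME...: the certbot command that requests the superset certificate.
# (Printed for illustration; this example never runs certbot.)
expand_cmd() {
    cmd="certbot certonly --expand"
    for d in "$@"; do cmd="$cmd -d $d"; done
    printf '%s\n' "$cmd"
}

OLD="$WORK/old.pem"; NEW="$WORK/new.pem"
make_cert "$OLD" "DNS:example.org,DNS:foo.example.org"
make_cert "$NEW" "DNS:example.org,DNS:foo.example.org,DNS:www.example.org"

echo "old cert SANs:"; cert_sans "$OLD"
echo "new cert SANs:"; cert_sans "$NEW"
if cert_still_valid "$OLD"; then
    echo "old cert is still valid; issuing the new one did not touch it"
fi
echo "equivalent request: $(expand_cmd example.org foo.example.org www.example.org)"
```

The same cert_sans check is the one worth running against the live certificate after --expand (openssl x509 -in /etc/letsencrypt/live/<name>/cert.pem -noout -ext subjectAltName) to confirm the www name actually made it into the issued certificate; nothing in this flow revokes the previous one, and cert_still_valid would keep succeeding for it until its notAfter date.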


#5

Thanks for clarifying!


#6

Maybe worth spelling out here, revocation is not about saying “I don’t want/ need this certificate any more”, it’s a mechanism (and as serverco says, one that doesn’t work very well today) to actively distrust that certificate because something went wrong, typically the private key material for the certificate has been stolen or the cert was issued to people who don’t or shouldn’t control the name.

Imagine Paul has a certificate from The Royal Institute of Foozle Surgeons, saying he’s your man for Foozle surgery. If Paul retires and doesn’t want to do any more Foozle surgery, no problem, there is nothing wrong with the certificate. If Foozle surgery is obsoleted by a new tablet that cures problems with your foozle in ten minutes, again no problem with the certificate. BUT if the Institute finds out that Paul lied, had people write up fake paperwork and so on to get his certificate and he’s got no idea where the Foozle even is, then they’d want to revoke that certificate and tell anyone who asks that it’s not legitimate.


#7

@tialaramex, I appreciate the analogy!

To extend it slightly, if the Institute finds out that Paul is no longer good at performing the surgery (maybe his eyesight is failing or something?), they may also want to revoke it even if they still believe that it was completely valid at the time it was issued.

The analogy is a bit strained here, but Paul might also choose to have the certificate invalidated upon retirement due to a fear that someone will break in and steal it and proceed to impersonate him to perform quack foozle treatments, trading on his good name. How necessary this is depends on the plausibility of someone’s actually doing so. Someone might consider this an unrealistic risk and not feel any urgency or importance in it. The Royal Institute is certainly not likely to actively investigate whether Paul is still practicing or not.

