Oh, yeah, this has ‘smrt’ written all over it. Besides the fact that under any other circumstance, practically, you can generate a CSR from the CLI, your control panel (if applicable) and the tools online to create these for you simply by entering your domain. The CSR can be sent to any trusted CA for validation. Save the .key in a safe place. When the authority approves the cert, as long as you’ve saved the private key that came with your CSR, you’re good to install that sucker practically anywhere. I refer clients to this generator from DigiCert if they’re not as familiar with openssl on the CLI.
Can you not use a standard “openssl req -new -newkey rsa:4096 -nodes -out bull_shite_domain.csr -keyout bull_shite_domain.key -subj…$etc” if you want to have LE provide a multiSAN just like with the big boys in the industry?
If your original certificate was canceled/revoked, generate a fresh CSR and start over, especially if the CA couldn’t validate your client’s operational existence. That’s not the kind of thing I’d pass around with every validation failure. Both LE and the Symantec lines have been in the spotlight for abusive/unsavory usage and/or improper validation. Just like when you reissue a cert from a trusted authority. The CSR and key will change completely before reissuing even starts.
No disrespect, but if you’re still learning the ways of SSL/TLS and how certificates are issued, I’d suggest learning the method by which every other CA performs domain validation rather than starting with a peculiar situation with an even more peculiar “authority.”
I’m out, baby! I’m out!
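
The CSR workflow described in the post above, as an added example that is not part of the original post: it generates a key and a multi-SAN CSR, then checks that the saved key really is the one behind the CSR before anything is sent to a CA. The domain names, file names, helper function names and the `KEY_BITS` variable are constructed for illustration, the subject is reduced to a CN, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added illustration, not from the post. Domain names, file names and the
# helper function names are constructed. Assumes OpenSSL 1.1.1+ (for -addext).
set -eu

# make_csr <basename> <common-name> <san>...  -> writes <basename>.key/.csr
make_csr() (
  base=$1; cn=$2; shift 2
  san=""
  for d in "$@"; do san="${san:+$san,}DNS:$d"; done
  umask 077   # keep the private key owner-readable only (subshell-scoped)
  openssl req -new -newkey "rsa:${KEY_BITS:-4096}" -nodes \
    -keyout "$base.key" -out "$base.csr" \
    -subj "/CN=$cn" -addext "subjectAltName=$san"
)

# SHA-256 of the DER public key, from a CSR and from a private key.
csr_pub_hash() {
  openssl req -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}
key_pub_hash() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# True only when the saved key is the one the CSR was generated with.
key_matches_csr() { [ "$(key_pub_hash "$1")" = "$(csr_pub_hash "$2")" ]; }

# Comma-separated SAN entries actually present in the CSR.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | paste -sd, -
}

# Demo in a throwaway directory.
(
  dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT; cd "$dir"
  make_csr site example.com example.com www.example.com 2>/dev/null
  echo "SANs in CSR: $(csr_sans site.csr)"
  key_matches_csr site.key site.csr && echo "key matches CSR"
)
```

The same public-key hash comparison works against the issued certificate by swapping `openssl req` for `openssl x509` in the first helper.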