I’m setting up a web server with Public Key Pinning, and the best practice to do so is to keep a private key and certificate signing request (CSR) offline, with the CSR in your pin list, in case you need an escape hatch and need to get a certificate somewhere you didn’t put in the rest of your pins.
Let’s say I need a certificate that is signed for both example.com and www.example.com. I know how to generate a key, and generate a CSR with a single common name, and then how to get certbot to generate a certificate from a CSR.
But what if I want more than that common name, and I want the two domains I listed above? How would I generate that CSR with OpenSSL so that certbot could generate a single certificate with both names as SANs?
Does certbot/LE automatically add the apex domain when signing a www subdomain, like some other CAs do (e.g. RapidSSL)? Or would I have to use instructions like this to generate the CSR?
There are 2 ways of dealing with subdomains that also utilise TLS on your site. You can have each domain issue its own unique HPKP policy that specifies the fingerprints for identities to be used on that domain, or you can issue an HPKP policy at the top that will cascade down all subdomains by using the includeSubdomains directive. Each method has advantages and drawbacks.
So, to answer your question: no. Certbot has no way of knowing what your subdomains are, therefore it is not able to create automatic subdomains.
You may ask why no www. - well that’s a good question. The main problem with validations is each subdomain has to be validated. Users may not have a www. subdomain or may have another service provide SSL certificates for it.
Generally it’s hard to guess what people do. As an example, look at the amount of trouble people have with the Apache plugin (which should be a fairly consistent setting), so not taking guesses is a good approach.
If you want to have an "offline spare" with HPKP, you can pin a hash of a CSR but not of a private key. The CSR has the owner info, what domains it's valid for, and the public key. You can then get any CA to sign that cert and include expiry info with it, and it would be trusted by people who have your old pinning list.
That's a good explanation for why an ACME-based CA wouldn't grant certs for extra domains, thank you. I suppose other companies can do it because they just email the WHOIS contact and, once they establish domain ownership, they'll put whatever subdomains you want (including wildcards).
Yes. You can obtain a certificate for an existing CSR, which means you may generate your own CSR using your own private key. However, certbot will not accept a private key as input and generate a CSR for you.
I think the easiest thing to pin is the intermediates (Let’s Encrypt), meaning that you can always issue a new certificate if a certificate is compromised without having to worry about keeping backup keys etc.
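
The multi-name CSR asked about in the question, as an added example that is not part of any post in this thread: it builds a CSR carrying both names as SANs from an OpenSSL config file and computes the HPKP `pin-sha256` value, which is the base64 SHA-256 of the public key (SPKI) inside the CSR. The function names, the file names `offline.key`, `offline.csr` and `csr.cnf`, and the RSA 2048 key type are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. File and function names are assumptions.

# make_csr DIR NAME [NAME...]
# Writes DIR/offline.key and DIR/offline.csr; every NAME becomes a DNS SAN,
# and the first NAME is also used as the common name.
make_csr() {
    dir=$1; shift
    cn=$1
    sans=""
    for n in "$@"; do
        sans="${sans:+$sans,}DNS:$n"
    done
    printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = san\n[dn]\nCN = %s\n[san]\nsubjectAltName = %s\n' \
        "$cn" "$sans" > "$dir/csr.cnf"
    # Create the private key with owner-only permissions; it stays offline.
    (umask 077
     openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
         -out "$dir/offline.key" 2>/dev/null)
    openssl req -new -key "$dir/offline.key" -config "$dir/csr.cnf" \
        -out "$dir/offline.csr"
}

# csr_sans CSR: print the SAN list the CSR requests, without spaces.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# csr_pin CSR: print the pin-sha256 value for the public key in the CSR.
csr_pin() {
    openssl req -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary | openssl base64
}

# Usage (run by hand):
#   make_csr . example.com www.example.com
#   csr_sans offline.csr      # confirm both names before storing the CSR
#   csr_pin  offline.csr      # value for the backup pin-sha256 entry
#   certbot certonly --csr offline.csr   # when the spare is finally needed
```

Because the pin covers only the public key, a certificate issued later from this CSR by any CA matches the same pin.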