Many domain names with one certificate name

I maintain a web server which is running many named apache virtual hosts. I’m in the process of moving sites one by one to another server.

I was going to revoke the certificate for one virtual host and get a new one on the other server, however I realized that we have only one --cert-name and many domain names are registered under it. Is there a way to just revoke or delete one domain name without affecting the others?

Thanks in advance.

Nope, that is not possible because of the way that revocation works. The revocation affects the entire certificate. The content of an individual certificate can't be changed after it's been issued.

The certificate does not have to be revoked in order to obtain a new one with the same or similar certificate coverage. Certificates with different information related to the same domain names can coexist and don't interfere with one another's validity (a certificate essentially says "this key is valid for these names", not "this key is the only key that's valid for these names" or "this key is only valid for these names"). Let's Encrypt is willing to issue overlapping and partially overlapping certificates with concurrent validity.

So, the easiest thing to do would be just to get a new certificate on the new server that covers the exact set of names that you want it to, and then start using that. (If you're using the HTTP-01 challenge, you do have to change over the DNS first, which might cause some site downtime. This shouldn't be a problem if you're using the DNS-01 challenge.) This won't invalidate the old certificate, and doesn't require revoking it. Usually revocation is only used when there is a reason that the contents of the old certificate have become inaccurate, or when there's a reason to believe that the associated private key may have been accessed by an unauthorized party.

The "one by one" part is a bit tricky because it suggests not having a single moment of DNS cutover. Nonetheless, you could get a new certificate with the coverage that you want on the old server and then copy it onto the new server, or you could copy the old certificate onto the new server and stop using it there. A certificate also does not mean "these other sites must only be served from the same IP address" or "these other sites are currently available at this IP address" (only DNS A, AAAA, and CNAME records convey that kind of information to clients).
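As an added example (not from the thread), a small POSIX shell helper that lists the DNS names a certificate actually covers, i.e. the whole set tied to that one --cert-name, and splits them into the names moving to the new server and the names staying, so the new certificate request names exactly the right set. It assumes `openssl` is on the path and uses constructed `example.test` host names.

```shell
#!/bin/sh
# Added example, not code from the thread or from certbot.
# Assumes openssl >= 1.1.1 is installed; all host names are constructed.
export LC_ALL=C   # stable sort order for comm(1)

# Print the SAN DNS names of a PEM certificate, one per line, sorted.
san_names() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -o 'DNS:[^, ]*' \
    | sed 's/^DNS://' \
    | sort -u
}

# Names in the cert that are NOT in the move list: these must remain
# covered by a certificate on the old server.
names_staying() {
  cert=$1; shift
  tmp=$(mktemp)
  for n in "$@"; do echo "$n"; done | sort -u > "$tmp"
  san_names "$cert" | comm -23 - "$tmp"
  rm -f "$tmp"
}

# Names in the move list that the cert does NOT cover (a typo, or a name
# that lives on some other certificate and needs separate handling).
names_not_covered() {
  cert=$1; shift
  tmp=$(mktemp)
  for n in "$@"; do echo "$n"; done | sort -u > "$tmp"
  san_names "$cert" | comm -13 - "$tmp"
  rm -f "$tmp"
}

# Constructed self-signed cert with several SANs so the check runs offline.
make_demo_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "/CN=www.example.test" \
    -addext "subjectAltName=DNS:www.example.test,DNS:shop.example.test,DNS:blog.example.test" \
    >/dev/null 2>&1
  echo "$dir/cert.pem"
}

# Usage: CERT=/etc/letsencrypt/live/<cert-name>/cert.pem
#        names_staying "$CERT" shop.example.test   # request these on the old server
```

Run `san_names` against the live certificate first; the output is the full list of names that any revocation would affect, which is why the answer above recommends issuing a new, overlapping certificate instead.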


Thank you for the information! I’ll look into those options.
