Need advice: Server owner created multiple certificates with multiple domains in each cert

Mostly this is a request for advice.

My domains are at least:
corliss.rcousins.com
danacummin.com
deskhenge.com
gracecousins.com
grace.rcousins.com
hewittfarm.com
mail.rcousins.com
rcousins.com
smithie.com
www.danacummin.com
www.deskhenge.com
www.gracecousins.com
www.hewittfarm.com
www.rcousins.com
www.smithie.com
www.wychwoodfarms.com
wychwoodfarms.com
And probably more to come.

I ran this command:
certbot certificates

It produced this output:
Found the following certs:
Certificate Name: danacummin.com
Serial Number: 4dfe9adbdc5e60cf92b3ed62851df6c7d78
Key Type: RSA
Domains: www.danacummin.com danacummin.com
Expiry Date: 2021-05-07 18:55:16+00:00 (VALID: 43 days)
Certificate Path: /usr/local/etc/letsencrypt/live/danacummin.com/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/danacummin.com/privkey.pem
Certificate Name: deskhenge.com
Serial Number: 44394e726caa846fb7a988eaaa0d5d9803f
Key Type: RSA
Domains: deskhenge.com www.deskhenge.com
Expiry Date: 2021-05-07 19:10:20+00:00 (VALID: 43 days)
Certificate Path: /usr/local/etc/letsencrypt/live/deskhenge.com/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/deskhenge.com/privkey.pem
Certificate Name: grace.rcousins.com
Serial Number: 45c5c18d6dd6a67030a6833448dc9f142d6
Key Type: RSA
Domains: danacummin.com corliss.rcousins.com deskhenge.com grace.rcousins.com gracecousins.com hewittfarm.com mail.rcousins.com rcousins.com smithie.com www.danacummin.com www.deskhenge.com www.gracecousins.com www.hewittfarm.com www.rcousins.com www.smithie.com www.wychwoodfarms.com wychwoodfarms.com
Expiry Date: 2021-05-19 19:02:39+00:00 (VALID: 55 days)
Certificate Path: /usr/local/etc/letsencrypt/live/grace.rcousins.com/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/grace.rcousins.com/privkey.pem
Certificate Name: gracecousins.com
Serial Number: 40dd29b7bbade0cb0107a417e9a75555bcb
Key Type: RSA
Domains: gracecousins.com www.gracecousins.com
Expiry Date: 2021-05-19 19:15:05+00:00 (VALID: 55 days)
Certificate Path: /usr/local/etc/letsencrypt/live/gracecousins.com/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/gracecousins.com/privkey.pem
Certificate Name: rcousins.com
Serial Number: 4b6da10c72e60a5ac123b18288b97b014d7
Key Type: RSA
Domains: rcousins.com www.rcousins.com
Expiry Date: 2021-05-05 17:25:40+00:00 (VALID: 40 days)
Certificate Path: /usr/local/etc/letsencrypt/live/rcousins.com/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/rcousins.com/privkey.pem
Certificate Name: www.danacummin.com
Serial Number: 487fb171a2ccbe59ced3da6fc950ce3537c
Key Type: RSA
Domains: www.danacummin.com
Expiry Date: 2021-05-10 18:40:49+00:00 (VALID: 46 days)
Certificate Path: /usr/local/etc/letsencrypt/live/www.danacummin.com/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/www.danacummin.com/privkey.pem

My web server is (include version):
Server version: Apache/2.4.46 (FreeBSD)
Server built: unknown

The operating system my web server runs on is (include version):
FreeBSD corliss 12.2-RELEASE FreeBSD 12.2-RELEASE r366954 GENERIC amd64

My hosting provider, if applicable, is:
Stubborn.

I can login to a root shell on my machine (yes or no, or I don't know):
Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.10.1

My friend is sort of being a web host for several of his friends, and is in the process of moving their websites from an antique virtual machine to something currently supported.

He wants ONE certificate with all of the relevant domains in it (note that there may be more to move over, I forgot to ask). However that's not what he got.

It's been a while since I've played in this end of the pool, and I would like advice and help in cleaning this up.

What I think I should do to go forward is:

  1. Create a new certificate with a generic name that will contain all of the domains he wants to cover.
  2. Revoke, then delete all the old certificates
  3. Create a script for him that will allow him to "add domains" to the certificate (not sure the exact steps here, delete old certificate, then create new one with larger list?)

Does this seem like the right way to clean this up?


Welcome to the Let's Encrypt Community, Christopher :slightly_smiling_face:

Up to 100 SANs (domain names) can be included in a certificate. This results in all of them sharing a private key. It is recommended to separate the domain names to prevent needing to generate a new certificate to add/remove a domain name from the mix. It also makes debugging certificate acquisition much easier.

No need to revoke any certificate unless its private key has been compromised. Just delete the certificate (and especially its private key). See the animated advice I've presented.

See my prior advice.


Ok, so to summarize:

  1. Do not put discrete domains in the same certificate because you need to generate a new certificate every time.
  2. Do a "# certbot delete <certificate>" for the existing certs.
  3. For each group of domains (e.g. [rcousins.com, www.rcousins.com and grace.rcousins.com], [danacummin.com, www.danacummin.com], etc.) get a separate certificate and manage them separately.
  4. Generate a separate key pair for each group and delete the old ones.
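To make the cleanup summarized above (and griffin's advice to split the domains into separate certificates) concrete, here is an added Python script that is not from the thread or from certbot itself: it parses the output of `certbot certificates`, reports which domains are currently covered by more than one lineage (and so by more than one private key), and derives the `certbot delete` / `certbot certonly` commands needed to reach a wanted set of per-site groups. The `--apache` authenticator is an assumption based on the Apache server above, and the listing is a constructed, abridged copy of the one in the original post.

```python
from collections import defaultdict

# Constructed, abridged sample of `certbot certificates` output (three of the
# thread's entries; the catch-all cert's domain list is shortened).
SAMPLE = """\
Found the following certs:
  Certificate Name: danacummin.com
    Serial Number: 4dfe9adbdc5e60cf92b3ed62851df6c7d78
    Domains: www.danacummin.com danacummin.com
  Certificate Name: grace.rcousins.com
    Serial Number: 45c5c18d6dd6a67030a6833448dc9f142d6
    Domains: danacummin.com grace.rcousins.com rcousins.com www.danacummin.com www.rcousins.com
  Certificate Name: www.danacummin.com
    Serial Number: 487fb171a2ccbe59ced3da6fc950ce3537c
    Domains: www.danacummin.com
"""

# Desired per-site groups; certbot names the lineage after the first -d entry.
GROUPS = [["danacummin.com", "www.danacummin.com"],
          ["rcousins.com", "www.rcousins.com", "grace.rcousins.com"]]

def parse_certificates(text):
    """Map lineage name -> set of SANs, reading only the two lines we need."""
    certs, name = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Certificate Name:"):
            name = line.split(":", 1)[1].strip()
            certs[name] = set()
        elif line.startswith("Domains:") and name:
            certs[name].update(line.split(":", 1)[1].split())
    return certs

def overlapping_domains(certs):
    """Domains present in more than one lineage, i.e. served by several keys."""
    owners = defaultdict(set)
    for name, domains in certs.items():
        for d in domains:
            owners[d].add(name)
    return {d: sorted(n) for d, n in owners.items() if len(n) > 1}

def plan_cleanup(certs, groups):
    """Return (delete, issue): drop every lineage whose SAN set is not exactly
    one wanted group, and issue a new cert for each group with no exact match."""
    wanted = {frozenset(g) for g in groups}
    existing = {frozenset(d) for d in certs.values()}
    delete = ["certbot delete --cert-name " + n
              for n, d in sorted(certs.items()) if frozenset(d) not in wanted]
    issue = ["certbot certonly --apache " + " ".join("-d " + d for d in g)
             for g in groups if frozenset(g) not in existing]
    return delete, issue
```

Run it against the real listing (`certbot certificates > certs.txt`) by feeding that file to `parse_certificates` instead of `SAMPLE`, and review the generated commands before executing them; deleting a lineage removes its private key from the live/archive folders.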

Correct. :slightly_smiling_face:


While I agree with @griffin that it's probably a good idea to have multiple certificates for groups of hostnames, as already specified, I think it's good to also tell that it's not fully wrong to add everything to a single certificate. For example, CloudFlare clusters (or clustered, not sure if they're still doing it) many, MANY totally unrelated hostnames for many, MANY customers into single certificates. Another argument against multiple certificates is that the most likely reason for private key disclosure (which would be a reason to revoke a certificate, which is unfortunate if all sites would be affected) I think is a breach in the security of the server. E.g., your server gets hacked or exploited somehow and you can't guarantee the private key wasn't disclosed to other people. If something like that happens, it doesn't really matter if all hostnames have a single private key or you've got 20 certificates with 20 private keys: in such a server wide incident, all of those 20 keys would need to be revoked!

So, bottom line is: there's not really a "good" or "wrong" here.


Although @Osiris has pretty much rounded out the explanation, I wanted to add that you probably do want to remove the entire letsencrypt folder structure from any system being decommissioned due to private keys and corresponding certificate signing requests (CSRs) being stored in various folders within the folder structure.

As for the stacking of domain names in a single certificate, there has been much contentious debate on the topic. In an overhaul (still pending approval) that I wrote a couple of months back of the official rate limits page, there was quite a bit of discussion from both the staff and long-standing members (@Osiris included) about some wording related to this topic. Most don't even know there is already the following wording in the current version:

Note: For performance and reliability reasons, it’s better to use fewer names per certificate whenever you can.

Rest assured though, as @Osiris already mentioned, in the words of Hector Barbossa this advice "is more what you'd call guidelines than actual rules".
