I created my SAN certificate successfully with the option to set an rsa-key-size. The certificate is installed and working successfully. I need to add a new domain. My question: do I have to set the rsa-key-size again or not?
System is running Debian.
My command line to create the cert was:
$ certbot certonly --standalone --rsa-key-size 4096 -d domain.com -d domain2.com -d domain3.com
Adding a new domain:
$ certbot certonly --standalone --expand -d newdomain.com
Or do I have to add the key-size option?
If someone could clarify this for me, I would appreciate it.
Thank you.
If you want to use something other than the default key size for a new certificate, you either need to create a configuration file to specify new defaults, or use the command line option each time for new issuance.
I’m not sure how expansion works, whether it uses the previous settings or the defaults. To be safe, I’d either explicitly specify the key size again, or make that configuration file if you want it to be the default for all future uses.
Keep in mind that renewal uses the settings specified at the time of issuance, including key size.
# certbot certonly --webroot --rsa-key-size 4096 --staging -w /path -d a.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for a.example.com
Using the webroot path /path for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (4096 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/a.example.com/fullchain.pem.
Your cert will expire on 2017-05-05. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
# certbot certonly --webroot --expand --staging -w /path -d a.example.com -d b.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for a.example.com
http-01 challenge for b.example.com
Using the webroot path /path for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/a.example.com/fullchain.pem.
Your cert will expire on 2017-05-05. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
# openssl x509 -in /etc/letsencrypt/live/a.example.com/cert.pem -noout -text | grep Public-Key
Public-Key: (2048 bit)
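The openssl check in the test above is easy to turn into a routine post-issuance check. The script below is an added example, not part of the thread or of certbot; it wraps the same `openssl x509 ... | grep Public-Key` lookup in a function that compares the key size against what you expect, so a 2048-bit key appearing after `--expand` is flagged rather than noticed by chance. The certificate paths and the self-signed test certs are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): report the RSA key size of a
# certificate's public key and compare it against the expected size.
set -eu

# key_bits FILE -> prints the key size from "Public-Key: (N bit)", e.g. 4096
# (the sed pattern also matches the older "RSA Public-Key:" wording)
key_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_key_size FILE EXPECTED -> returns 0 if the key is EXPECTED bits, 1 otherwise
check_key_size() {
  bits=$(key_bits "$1")
  if [ "$bits" = "$2" ]; then
    echo "OK: $1 uses a ${bits}-bit key"
    return 0
  fi
  echo "WARNING: $1 uses a ${bits}-bit key, expected $2 (re-issue with --rsa-key-size $2)" >&2
  return 1
}

# Self-contained demo: two throwaway self-signed certs (constructed test data,
# standing in for cert.pem before and after an --expand without --rsa-key-size).
demo() {
  dir=$(mktemp -d)
  for bits in 4096 2048; do
    openssl req -x509 -newkey "rsa:$bits" -nodes -keyout "$dir/key$bits.pem" \
      -out "$dir/cert$bits.pem" -days 1 -subj "/CN=a.example.com" 2>/dev/null
  done
  check_key_size "$dir/cert4096.pem" 4096        # passes
  check_key_size "$dir/cert2048.pem" 4096 || true # warns, as after the expand above
  rm -rf "$dir"
}

# On a real host you would run e.g.:
#   check_key_size /etc/letsencrypt/live/a.example.com/cert.pem 4096
[ "${1:-}" = "demo" ] && demo
```

Run it as `sh check-key-size.sh demo` to see both outcomes, or call `check_key_size` against each lineage under /etc/letsencrypt/live after every expansion.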
Thank you for your information, especially mnordhoff for running the test. Something new learned again.
To sum it up, if settings other than the defaults are used at creation time, those custom settings have to be used for both renewal and expanding the certs.
You’re right. You need to specify the size when issuing a new, expanded certificate. You just don’t need to specify it when running “certbot renew”.
So you are saying that I have to list all current domains and add the new one by using the “expand” option. That raises a new question: where do I place the expand option in the command? Just before the new domain, or list all the options and then list all the domains including the new one?