Need advise expanding cert with key-size


#1

I created my SAN certificate successfull with the option to set a rsa-key-size. Certificate is installed and working successfull. Need to add a new domain. My question: do I have to set the rsa-key-size again or not?
System is running Debian.
my commandline to create the cert was:
$ certbot certonly --standalone --rsa-key-size 4096 -d domain.com -d domain2.com -d domain3.com

adding a new domain:
$ certbot certonly --standalone --expand -d newdomain.com

or do I have to add the key-size option ?

If someone could clearify this for me, I would appreciate.
Thank you.


#2

If you want to use something other than the default key size for a new certificate, you either need to create a configuration file to specify new defaults, or use the command line option each time for new issuance.

I’m not sure how expansion works; if it uses the previous settings or the defaults. To be safe, I’d either explicitly specify the key size again, or make that configuration file if you want it to be the default for all future uses.

Keep in mind that renewal uses the settings specified at the time of issuance, including key size.


#3

Well, let’s see.

# certbot certonly --webroot --rsa-key-size 4096 --staging -w /path -d a.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for a.example.com
Using the webroot path /path for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (4096 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/a.example.com/fullchain.pem.
   Your cert will expire on 2017-05-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
# certbot certonly --webroot --expand --staging -w /path -d a.example.com -d b.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for a.example.com 
http-01 challenge for b.example.com
Using the webroot path /path for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/a.example.com/fullchain.pem.
   Your cert will expire on 2017-05-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
# openssl x509 -in /etc/letsencrypt/live/a.example.com/cert.pem -noout -text | grep Public-Key
                Public-Key: (2048 bit)

motoko was right.


#4

hi turbo

letsencrypt certs are valid for 90 days you can change the keys (RSA sizes or going for elliptical curve) at renewal times :slight_smile:

This is one of the advantages of the 90 day renewal cycles - you can change your security posture and adjust the certs after :smiley:


#5

Thank you for your information. Especially mnordhoff for running the test. Something new learned again.

To sum it up, if something others then the default settings are used at creating time, those custom settings have to be used for both, renewal and expanding the certs.

Thank you again.


#6

The settings ought to be remembered when you renew with “certbot renew” though.


#7

For the renewal, that is correct. But I was “expanding” (adding new domains) the cert, when looking in my post

adding a new domain:
$ certbot certonly --standalone --expand -d newdomain.com

I hope I am not mixing up


#8

You’re right. You need to specify the size when issuing a new, expanded certificate. You just don’t need to specify it when running “certbot renew”. :smile:


#9

When using “expand” remember you need to include all the domains in the list, not just the one you want to add.


#10

So you are saying that i have to list all current domains and add the new one by using the “expand” option. There comes now a new question with it: Where do I place the expand option in the command ? Just before the new domain or list all the option and than list all the domains including the new one ?


#11

I don’t think the positioning matters, but I always put it before the list of domains. so if your original was

certbot certonly --standalone -d domain.com -d domain2.com -d domain3.com

then you would add the extra “newdomain.com” with

certbot certonly --standalone --expand -d domain.com -d domain2.com -d domain3.com -d newdomain.com

If you didn’t include all the original domains, it wouldn’t know which certificate you wanted to expand :wink:


#12

Thank you for the clarification. Now I am ready to get it proper.


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.