Problem with renewing DV SAN in Akamai


Sometimes I would like to add domains to a DV SAN in Akamai, and I expected that I should only validate the new domains I added.

But in fact, in some cases I validated all domains, including some that already existed before.

It is hard for me to validate all domains in the cert when I just need to add a few SANs, since I have a lot of domains.

May I have any suggestions as to what caused this situation?



When you add a SAN to an existing certificate, it means the CA needs to issue a new certificate containing all existing SANs in the previous one + the ones you newly added.
The CA/B Forum's regulations require the certificate authority to validate domain ownership every time a certificate is issued, so that's why you are required to validate all SANs included in the certificate.
This requirement applies to all CAs, not just Let's Encrypt.

I'm not sure what other options you would have, but if you don't want to re-validate all hostnames, maybe the best option is to add an additional certificate for the additional SANs.

CA/B Validation of Domain Authorization or Control states:

The CA SHALL confirm that prior to issuance, the CA has validated each Fully‐Qualified
Domain Name (FQDN) listed in the Certificate as follows ......
Completed validations of Applicant authority may be valid for the issuance of multiple
Certificates over time. In all cases, the validation must have been initiated within the
time period specified in the relevant requirement (such as Section 4.2.1 of this
document) prior to Certificate issuance.

Document reference:
CA-Browser-Forum BR 1.7.4

