Reissue certs without expanding?


How would I issue each domain its own cert without expanding an existing one?

So how it is now:


How can I have it so each domain has its own cert without extending an already existing cert?


That would depend on the client used, the version of said client et cetera et cetera…

But you didn’t mention that information and my crystal ball is still in the paranormal repair shop after it fell of my desk a few days ago, so I can’t answer your question I’m afraid.


Sad to hear about your crystal ball, I hope they can fix it!

I’m using apache2 and cerbot.


Which version?

Because from, IIRC, version 0.10 (or 0.11) the --cert-name switch was introduced. That would make things much easier by just specifying a cert-name of your choosing and just specify a single hostname with -d.


Oh cool, I didn’t know that was a thing.

Thank you.


You could also just run certbot with a single -d option. If certbot finds an existing certificate with the same hostname in it, you should be able to choose to “replace” the existing certificate. But that would obviously remove the other domains, so those will be broken until you issue new certs for them.


This is actually still not true even after the introduction of --cert-name: to select certs with -d, you always need to specify all the existing names in the cert. Otherwise, you will get a new certificate lineage.


Uch, still don’t have the hang of it… Sorry, thanks for the clarification!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.