Rekey a certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: asbtdc.info

I ran this command:

It produced this output:

My web server is (include version): mondial 102.0(build 24)

The operating system my web server runs on is (include version): linux

My hosting provider, if applicable, is: HostGator

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I don't know

I have been asked to rekey a certificate from Let's Encrypt and have been given a .CSR file. I'm not sure what to do with it to rekey the certificate. Any advice is appreciated.

Without the private key that corresponds to your existing CSR, you will need to generate a new CSR with all of the same SANs and a new private key.

I recommend using the following to extract the subject alternative names (SANs):

https://redkestrel.co.uk/products/decoder/

3 Likes

There is the possibility that whoever gave you the CSR is asking you to generate the corresponding certificate, in which case you would need to look at what options your ACME client has for accepting custom CSRs.

In general the process is:

  1. generate a new private key (e.g. a large random number file that the holder will keep private)
  2. generate a CSR using this key and the list of domains that need to be included on the certificate
  3. use the CSR as part of your certificate order to the certificate authority.

It sounds like the person (presumably someone trusted in your organisation or hosting provider) asking you to "re-key" the certificate has already performed steps 1 & 2 and just wants you to use the CSR to get a new certificate. So the question is, how did you get your certificate last time and did you use a CSR file? If you know that, then do the same using the new CSR file.

Note that most ACME client software doesn't use a pre-arranged CSR and instead they generate a new one for every renewal, so it's less common to be asked to manually use a CSR file directly except where you don't have control of the web server yourself.

1 Like
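Steps 1 and 2 from the list above, plus the checks worth running on a CSR before it goes into an order, as an added example that is not part of the original thread. It assumes OpenSSL 1.1.1 or later; the function names, file names and `example.com` domains are hypothetical.

```shell
#!/bin/sh
# Added example: function names, file names and domains are placeholders.
# Step 3 (submitting the CSR) depends on the ACME client or control
# panel in use and is not shown here.

# Step 1: new private key, created unreadable to other users.
new_key() {  # usage: new_key KEYFILE
    ( umask 077 && openssl genpkey -algorithm EC \
        -pkeyopt ec_paramgen_curve:P-256 -out "$1" )
}

# Step 2: CSR signed by that key, listing every name as a SAN.
new_csr() {  # usage: new_csr KEYFILE CSRFILE NAME [NAME...]
    key=$1 csr=$2; shift 2
    san=""
    for name in "$@"; do san="${san:+$san,}DNS:$name"; done
    openssl req -new -key "$key" -out "$csr" -subj "/CN=$1" \
        -addext "subjectAltName=$san"
}

# List the DNS SANs in a CSR, one per line, sorted, so the old and
# new CSR can be compared with a plain string comparison or diff.
csr_sans() {  # usage: csr_sans CSRFILE
    openssl req -in "$1" -noout -text |
        grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | sort
}

# SHA-256 of the CSR's public key. After a rekey this value must
# differ from the one computed for the old CSR.
csr_key_id() {  # usage: csr_key_id CSRFILE
    openssl req -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}
```

Running `csr_sans` and `csr_key_id` on a CSR handed over by someone else shows which names it covers and whether it really carries a new key, without needing the private key.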
