With Certbot you can use --force-renew. This applies to certbot renew (to force renewal of all certificates) and also to certbot certonly (to force renewal of an individual certificate).

I don’t remember if you can use --cert-name to specify an individual certificate with certbot renew to prevent it from trying to renew everything. @erica, did you happen to add that feature in work related to the aftermath of the CMIP project?

A kind of ugly hack would be to change renew_before_expiry in all “old” certs to a value equal to or greater than the cert lifetime, which causes certbot renew to want to renew that particular cert whenever it’s run, but not to change this in “new” certs. Then you can run certbot renew at a controlled time—perhaps not every day—to cause all “old” certs to be renewed at once.
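
The renew_before_expiry change described in the post above, as an added example that is not part of the original post or of Certbot itself. It assumes each lineage has a renewal file named `<cert-name>.conf` with `renew_before_expiry` as a top-level key, and a 90-day certificate lifetime; the function names, hostnames and sample files are constructed for illustration.

```shell
#!/bin/sh
# force_due CONF_DIR LIFETIME NAME...
# Sets renew_before_expiry = LIFETIME in CONF_DIR/NAME.conf for each named
# ("old") lineage so that the next `certbot renew` treats it as due.
# Lineages that are not named keep their existing setting.
force_due() {
    conf_dir=$1; lifetime=$2; shift 2
    for name in "$@"; do
        conf="$conf_dir/$name.conf"
        if [ ! -f "$conf" ]; then
            echo "skip: $conf not found" >&2
            continue
        fi
        tmp=$(mktemp) || return 1
        if grep -Eq '^[#[:space:]]*renew_before_expiry[[:space:]]*=' "$conf"; then
            # Replace the existing line, including the commented-out default.
            sed -E "s/^[#[:space:]]*renew_before_expiry[[:space:]]*=.*/renew_before_expiry = $lifetime/" \
                "$conf" > "$tmp"
        else
            # Key absent: add it at the top, ahead of any [section] header.
            { echo "renew_before_expiry = $lifetime"; cat "$conf"; } > "$tmp"
        fi
        cat "$tmp" > "$conf"   # overwrite in place to keep owner and mode
        rm -f "$tmp"
        echo "updated: $conf"
    done
    return 0
}

# Constructed sample renewal files for trying the function offline.
make_sample() {
    for n in old.example.org new.example.org; do
        printf '%s\n' '# renew_before_expiry = 30 days' 'version = 1.0.0' \
            "cert = /etc/letsencrypt/live/$n/cert.pem" '[renewalparams]' \
            'authenticator = webroot' > "$1/$n.conf"
    done
    # A lineage whose file lacks the commented default line.
    printf '%s\n' 'version = 1.0.0' '[renewalparams]' > "$1/legacy.example.org.conf"
}
```

On a real host the directory would be Certbot's renewal configuration directory (by default /etc/letsencrypt/renewal); back the files up before editing, then run certbot renew at the chosen time.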