[SOLVED] Quick question re "changing" a cert's name

Hi there. I set up Let’s Encrypt via certbot yesterday; certbot 0.14.2, Ubuntu 16.04.3, nginx 1.12.1. All working fine. Qualys SSL report gives the site an A rating.

My question: I have various domains all pointing to the same particular site, and a single certificate for all of them. That’s fine. For example, say it’s aaa.com, bbb.com, and ccc.com. Certbot automatically named the certificate with the alphabetically-first one (aaa.com), but I’d prefer the cert name to be my primary domain, say ccc.com (purely for aesthetics, and for visitors who know enough to at least check the cert info in their browser).

Am I correct in thinking that I must use “certbot certonly” to create a new cert, update my nginx configs to point to it, then revoke and delete the old cert? I skimmed the certbot user guide and didn’t find a way to update the displayed name of the same cert.

If the above is true, a second question: would the change in cert cause any visitor-facing issues, like browser warnings or such? Fairly new to this. Thanks very much for certbot and Let’s Encrypt.

Answering my own question: fixed by requesting a new certificate.

certbot certonly --nginx --cert-name ccc.com -d ccc.com -d aaa.com -d bbb.com

Then update any nginx site conf files to point to the new cert and key. Optionally, you can then use certbot to revoke and delete the old cert.

To answer your questions:

A) Certificate name is for tracking certificates on the file system; it has no impact on what your users see when they go to your website.
B) When generating the CSR, I believe that certbot will follow the -d order, so the first SAN seen will be the first -d provided.

Not many people have a look at certs and those who do should know to check the SAN fields :smiley:

Review the --cert-name flag: https://certbot.eff.org/docs/using.html#managing-certificates

Andrei
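
An added example, not part of the original posts: a way to check what visitors actually see (subject CN and SAN order) instead of relying on the certbot cert name. The function names are hypothetical, and the certificate is a constructed, throwaway self-signed one built with the thread's example domains; it assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Constructed sample: throwaway self-signed cert whose names are passed in the
# same order as certbot's -d flags (the first name is also used as the CN).
make_sample_cert() {
    out=$1; shift
    cn=$1
    san=$(printf 'DNS:%s,' "$@"); san=${san%,}
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
        -addext "subjectAltName=$san" -keyout "$out.key" -out "$out" 2>/dev/null
}

# Print the subject CN on line 1 and the SAN DNS names, in certificate
# order, on line 2. These are the fields a browser's cert viewer shows.
cert_names() {
    pem=$1
    openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
    openssl x509 -in "$pem" -noout -ext subjectAltName |
        sed -n '/^ *DNS:/{s/^ *//;s/DNS://g;s/, */ /g;p;}'
}

# Succeed only if both the subject CN and the first SAN equal the
# expected primary domain.
primary_is() {
    want=$1
    pem=$2
    cn=$(cert_names "$pem" | sed -n 1p)
    first_san=$(cert_names "$pem" | sed -n 2p | cut -d' ' -f1)
    [ "$cn" = "$want" ] && [ "$first_san" = "$want" ]
}

# Demo on the constructed certificate.
tmp=$(mktemp -d)
make_sample_cert "$tmp/cert.pem" ccc.com aaa.com bbb.com
cert_names "$tmp/cert.pem"
if primary_is ccc.com "$tmp/cert.pem"; then
    echo "primary name is ccc.com"
fi
```

On a certbot host, run `cert_names` against `/etc/letsencrypt/live/ccc.com/cert.pem` after issuance, before switching the nginx config over to the new cert and key.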
