Together all certificates all separated by domains


#1

What is preferred: to have one certificate for all domains or multiple certificates for each domain (without and www.domain and perhaps 2.domain …)
I have LAMP Kubuntu, I think it would be easier and faster to make one script:
#!/bin/bash
/opt/letsencrypt/letsencrypt-auto --apache -d www.domain -d domain -d 2.domain
/opt/letsencrypt/letsencrypt-auto --apache -d www.domain2 -d domain2 -d 2.domain2
/opt/letsencrypt/letsencrypt-auto --apache -d www.domain3 -d domain3 -d 2.domain3
Would that be the best way?

What is the max time before expiry of a certificate that I can request a new one (I know about the 7 days wait time/5, but is there any difference if I request new certificates each month or try to remember the expiry date for 3 months)?

Why aren’t the certificates 3.1 and are just SSL 3.0?

Do I really need to check whether the certificates are generated correctly?


#2

Your one script as written would give you 3 certs, each with 3 domains. That seems fine. I usually keep subdomains on their own cert. I only ever combine www.domain and domain. But it’s probably whatever suits your environment best.

There is no max time before expiry. You can renew to your heart’s content prior to being rate limited. I set up my cron jobs to run at the 2 month mark, to allow time for any oops’.

SSL 3 vs 3.1 (TLS 1.0) is not a function of the cert itself but of the cipher suites your web server is configured to offer and what you can support, as per your server / OpenSSL versions. SSL is deprecated. You should be offering only TLS 1.0-1.2 (some suggest even eliminating 1.0 if you can without cutting off your audience).

I would always check my certs upon issuance to be sure you’re good.
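
An added example, not part of the original posts: one way to check a certificate after issuance and to decide when renewal is due, using `openssl`. The `domain.example` names and the self-signed sample certificate are constructed stand-ins for an issued certificate; the function names are hypothetical.

```shell
#!/bin/bash
# Added example: post-issuance checks with openssl. All names are constructed.

# Print the DNS names in a certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only if every expected name is listed in the certificate.
cert_covers() {
    local pem="$1" name sans; shift
    sans=$(cert_sans "$pem")
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF -- "$name" ||
            { echo "missing: $name" >&2; return 1; }
    done
}

# Succeed if the certificate expires within the next $2 days (renewal is due).
renewal_due() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed sample: a self-signed 90-day certificate with three names.
make_sample_cert() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = www.domain.example
[ext]
subjectAltName = DNS:www.domain.example,DNS:domain.example,DNS:2.domain.example
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_cert "$tmp"
cert_covers "$tmp/cert.pem" www.domain.example domain.example 2.domain.example &&
    echo "all names covered"
# 30 days left on a 90-day certificate corresponds to the 2 month mark.
renewal_due "$tmp/cert.pem" 30 && echo "renewal due" || echo "not due yet"
```

Run from cron, `renewal_due` with a 30-day threshold gives the same margin as renewing at the 2 month mark, and `cert_covers` catches a certificate that was issued without one of the expected names.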