Adding subdomains to existing certificate

Tags:

lets-encrypt

This seems like something that should be quite simple, but I don't know for sure so better safe than sorry.

I have created a certificate for mywebsite.com and www.mywebsite.com using https://gethttpsforfree.com/

I now want to add static.mywebsite.com, media.mywebsite.com, cache.mywebsite.com, and these point to S3 buckets on AWS.

I have a few questions about this process:

  • Is it simply a matter of using the same account and domain private keys I generated last time, and creating a new Certificate Signing Request?

  • If so, should the CSR have all domains/subdomains I want, or just the new ones?

  • Since these point to S3 buckets, do I have to temporarily direct them to a webserver for the verification, or is there a way to verify on S3?

  • Assuming no other problems, should I replace the existing public certificate on my Load Balancer with the new one and the existing domains will continue to work?

  • When it comes time to renew, is it 90 days from today for all domains/subdomains, or is it 90 days for only the new subdomains signed today?

davidtgq asked Jan 28 '16 01:01


1 Answer

To put it simply: you can't update an existing certificate. Once a certificate request is signed, it's immutable. This is by design. You're correct about generating a new CSR.

So, request a new certificate, with all those names listed in a single CSR - including the [www.]mywebsite.com. When generating a CSR, I think you can reuse the same key pair as the old certificate had used (unless it's compromised, of course), but haven't really checked this myself.

I'm not sure about S3 - have only used it once and very briefly. If you can't put a file under /.well-known/acme-challenge/ for use with HTTP-based validation, you should either temporarily change those (problem with this: you'll have to break it whenever you'd need to re-validate), or try a DNS-based ACME validation (by creating a TXT DNS record).

Once a new certificate is issued, deploy it everywhere you've used the old one, and also where you need new names as well. When it's live (wait a few days to be safe), consider revoking the old cert since it's deprecated by the new one and you don't need to use it anymore.

You could also generate multiple certificates - one per domain (which would be a good idea security-wise if they're meant to be used by different servers each), but with Let's Encrypt you currently shouldn't. The problem is, Let's Encrypt has various rate limits on how many certificates they can issue to you, so the best approach for now is to ask for a single new certificate with all names listed. So, with many independent certificates you could find yourself in a situation where a certificate expires but you can't renew it.

However, consider generating a separate key, CSR and certificate (with multiple names) per SaaS service company or hosting provider, i.e. a separate one for Amazon and a separate one for, say, DigitalOcean. The idea is, if the resources with one hosting provider are compromised (e.g. someone gains access to your Amazon account) and your private key is leaked, the resources hosted with others can still (hopefully) be safe.

The 90-day lifespan is independent for each separate certificate. You just have to renew every certificate within 90 days after it was issued.

Let's Encrypt currently doesn't support wildcard certificates, so those are not an option. I'm unaware of any CA that gives out wildcard certificates for free, and I think they start from about $75-100/year. If your domain name set is static and changes only once in a while, there probably isn't much reason to pay when you can request a new free certificate once in a while (when you need a new name listed), set up automatic renewal (make a reminder once to see if it works) and forget about it. ;)

drdaeman answered Nov 02 '22 23:11
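As an added example (not part of the original question or answer), this is the CSR step the answer describes: reuse the existing domain private key and list every name, old and new, in one CSR's subjectAltName, then check the CSR before submitting it to the CA. The working directory, file names, key size and domain names are assumptions for illustration; `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: one multi-name CSR for Let's Encrypt, reusing an existing
# domain key, plus checks a practitioner would run before submitting it.
# Paths, key size and names below are assumptions, not from the original page.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/domain.key"   # the existing domain key (reused); created here only if absent
CSR="$WORKDIR/domain.csr"

# Every name the new certificate must cover: the OLD names AND the new ones.
# A CSR that lists only the new subdomains would yield a certificate that no
# longer covers mywebsite.com / www.mywebsite.com.
NAMES="mywebsite.com www.mywebsite.com static.mywebsite.com media.mywebsite.com cache.mywebsite.com"

# Turn "a b c" into the SAN extension value "DNS:a,DNS:b,DNS:c".
san_list() {
  set -- $1
  out=""
  for n in "$@"; do
    out="${out:+$out,}DNS:$n"
  done
  printf '%s' "$out"
}

# Create the CSR: CN is the first name, the SAN extension carries all of them.
make_csr() {
  names="$1"
  first="${names%% *}"
  [ -f "$KEY" ] || openssl genrsa -out "$KEY" 2048 2>/dev/null
  openssl req -new -key "$KEY" -out "$CSR" -subj "/CN=$first" \
    -addext "subjectAltName=$(san_list "$names")"
}

# Print the DNS names actually present in the CSR, one per line.
csr_names() {
  openssl req -in "$CSR" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 \
    | tr ',' '\n' | sed 's/^ *DNS://'
}

# Fail unless every expected name is in the CSR (catches a forgotten old name).
check_csr() {
  for n in $1; do
    csr_names | grep -qx "$n" || { echo "missing from CSR: $n" >&2; return 1; }
  done
  return 0
}

# Confirm the CSR really was signed with the existing key: compare public keys.
same_key() {
  a=$(openssl req -in "$CSR" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  b=$(openssl pkey -in "$KEY" -pubout -outform DER | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

make_csr "$NAMES"
check_csr "$NAMES"
same_key
echo "CSR ready at $CSR covering: $(csr_names | tr '\n' ' ')"
```

The same `csr_names` check, pointed at the issued certificate with `openssl x509 -in cert.pem -noout -text`, is worth running again before swapping the certificate on the load balancer, so the old names are confirmed present before the old certificate is revoked.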