Renew a certificate for multiple domains

Oleksandr Porunov edited this page Jul 21, 2018 · 8 revisions

This scenario describes step-by-step how to renew the certificate for the following domains:
example.com, www.example.com, admin.example.com and www.admin.example.com.

Requirements:

  • PJAC

As in scenario 1, our CA is Let's Encrypt and PJAC runs on the same machine as the webserver that serves the domains. Again, we use HTTP01 authentication in this scenario. The webserver is configured to serve content over HTTP (port 80) for all of the above-mentioned domains from a single document root /var/www/. The files and subdirectories in /etc/pjac/ that were created in scenario 1 are still present.

In this scenario, we assume that our CA uses a lifetime of 90 days for certificates and 60 days for validated certificate orders. The certificate was generated 70 days ago, so the certificate order for the domains has expired and the certificate has a remaining lifetime of 20 days before it expires.

Note that these expiration times may vary between CAs and are subject to change. Because the ACME protocol is designed for fully automated certificate issuance, CAs will aim to shorten the lifetime of certificates, as that limits the damage from key compromise and mis-issuance.

  1. Request a certificate order and download the HTTP01 challenges:

    java -jar acme_client.jar --command order-certificate -a /etc/pjac/account.key \
      -w /etc/pjac/workdir/ -c /etc/pjac/example.com.csr \
      --well-known-dir /var/www/.well-known/acme-challenge --one-dir-for-well-known

    For each domain name a new challenge file is downloaded and saved to the directory /var/www/.well-known/acme-challenge.

  2. Verify the challenges:

    java -jar acme_client.jar --command verify-domains -a /etc/pjac/account.key \
      -w /etc/pjac/workdir/ -c /etc/pjac/example.com.csr

    The domains are now authorized again.

  3. Generate the new certificate and download it:

    java -jar acme_client.jar --command generate-certificate -a /etc/pjac/account.key \
      -w /etc/pjac/workdir/ --csr /etc/pjac/example.com.csr \
      --cert-dir /etc/pjac/certdir/

  4. Done. The following files in the directory /etc/pjac/certdir/ have now been replaced by their renewed versions: cert.pem, chain.pem and fullchain.pem.
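The three steps above are the kind of thing that ends up in a cron job, and the two failure modes worth guarding against are renewing too late (the 20-day margin in this scenario is already tight) and silently installing a renewed certificate that no longer covers every name the webserver serves. The following wrapper is an added example and not part of PJAC or of this wiki: it runs steps 1 to 3 only when the existing cert.pem is inside a renewal window, aborts at the first step that fails, and afterwards checks that the new certificate's subjectAltName list contains all four domains. The 30-day threshold, the use of `openssl x509 -checkend` for the expiry check, and `grep -A1` (a GNU grep extension) for pulling the SAN line out of `openssl x509 -text` are assumptions of this example; the PJAC commands and paths are the ones from the scenario.

```shell
#!/bin/sh
# Renewal wrapper around the three PJAC steps of this scenario (added example, not PJAC code).
# Paths are the scenario's; RENEW_DAYS and the openssl-based checks are assumptions of this example.
set -eu

ACCOUNT_KEY=/etc/pjac/account.key
WORKDIR=/etc/pjac/workdir/
CSR=/etc/pjac/example.com.csr
CERT_DIR=/etc/pjac/certdir
WELL_KNOWN=/var/www/.well-known/acme-challenge
RENEW_DAYS=30   # assumption: renew once fewer than 30 of the 90 days remain
EXPECTED_DOMAINS="example.com www.example.com admin.example.com www.admin.example.com"

# Number of seconds in N days, the unit openssl's -checkend expects.
days_to_seconds() { echo $(( $1 * 86400 )); }

# True (exit 0) when the certificate is missing or expires within RENEW_DAYS.
needs_renewal() {
  cert="$1"
  [ -f "$cert" ] || return 0
  # -checkend exits 0 only if the cert is still valid after that many seconds
  if openssl x509 -checkend "$(days_to_seconds "$RENEW_DAYS")" -noout -in "$cert" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Print, one per line, each expected domain that is absent from a SAN line of the
# form "DNS:a, DNS:b" (as printed by `openssl x509 -noout -text`). Empty output = all covered.
missing_sans() {
  expected="$1"; san_line="$2"
  present=$(printf '%s\n' "$san_line" | tr ',' '\n' \
            | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p')
  for d in $expected; do
    printf '%s\n' "$present" | grep -qxF "$d" || printf '%s\n' "$d"
  done
}

# The SAN line of a certificate file (the line after the "Subject Alternative Name" header).
cert_sans() {
  openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' | tail -n 1
}

run_pjac() { java -jar acme_client.jar --command "$@"; }

renew() {
  cert="$CERT_DIR/cert.pem"
  if ! needs_renewal "$cert"; then
    echo "certificate still valid for more than $RENEW_DAYS days; nothing to do"
    return 0
  fi
  # Steps 1-3 of the scenario; set -e stops at the first failing step, so a failed
  # verify-domains never proceeds to generate-certificate.
  run_pjac order-certificate -a "$ACCOUNT_KEY" -w "$WORKDIR" -c "$CSR" \
      --well-known-dir "$WELL_KNOWN" --one-dir-for-well-known
  run_pjac verify-domains -a "$ACCOUNT_KEY" -w "$WORKDIR" -c "$CSR"
  run_pjac generate-certificate -a "$ACCOUNT_KEY" -w "$WORKDIR" --csr "$CSR" --cert-dir "$CERT_DIR/"
  # Post-check: the renewed certificate must cover every name the webserver serves.
  missing=$(missing_sans "$EXPECTED_DOMAINS" "$(cert_sans "$cert")")
  if [ -n "$missing" ]; then
    echo "renewed certificate is missing SANs:" $missing >&2
    return 1
  fi
  echo "renewed $cert; covers: $EXPECTED_DOMAINS"
}

# Only perform the renewal when invoked as `renew-pjac.sh run`, so the functions
# above can also be sourced and exercised on their own.
[ "${1:-}" = "run" ] && renew
```

Schedule it daily (for example from cron) with the `run` argument; on most days it exits after the `-checkend` test without contacting the CA, and the SAN check means a certificate issued for a CSR that was edited to drop a name is reported rather than quietly installed. After a successful renewal the webserver still has to be reloaded to pick up the new fullchain.pem.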