This is mostly dependent on SAN support (#37).
We would like to be able to:
- Issue a single certificate for multiple domains (SAN)
- Change the domains (add/remove) for the certificate over time
See the Certbot documentation on re-creating and updating existing certificates.
This complicates things in terms of identifying certificates. Currently txacme identifies certificates by "server name", which is currently (although doesn't have to be), the common name (CN). Once there is SAN support, a certificate can be uniquely identified by all its domains CN + SAN (although I'm not sure if the order of those domains matters). So, on the surface, identifying a cert by its SANs seems reasonable. The problem is once you want to change the SANs in a cert, then you have a new list of domains and can't identify the old cert.
The first two ways I can think of to solve this are:
- Identify certificates by CN. This then means that multiple certificates are not allowed with the same CN.
- Use some other user-specified identifier for the certificate. Something like Certbot's
--cert-name option (see Managing Certificates).
This is mostly dependent on SAN support (#37).
We would like to be able to:
See the Certbot documentation on re-creating and updating existing certificates.
This complicates things in terms of identifying certificates. Currently txacme identifies certificates by "server name", which is currently (although doesn't have to be), the common name (CN). Once there is SAN support, a certificate can be uniquely identified by all its domains CN + SAN (although I'm not sure if the order of those domains matters). So, on the surface, identifying a cert by its SANs seems reasonable. The problem is once you want to change the SANs in a cert, then you have a new list of domains and can't identify the old cert.
The first two ways I can think of to solve this are:
--cert-nameoption (see Managing Certificates).