Certbot: Renew, reissue, or duplicate certificate using ACME URL query parameters
Anytime you request certificate automation with a third-party ACME client, DigiCert® Trust Lifecycle Manager searches for existing certificate orders, and if it finds one that matches, applies the default lifecycle action for that order.
You can also explicitly instruct Trust Lifecycle Manager to perform a specific lifecycle action for an existing certificate order, by adding the automation action type and order ID as query parameters to the ACME URL.
Notice
Trust Lifecycle Manager can automatically renew and reissue certificates for existing orders when applicable. See ACME automation actions.
To duplicate an existing certificate, the certificate profile must have duplicates enabled, and you must include the automation action and order ID in the ACME URL.
Consider the following ACME URLs that include automation action and order ID query parameters:
https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=renew&orderId=555123456
Renew the certificate from order ID number 555123456.
https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=reissue&orderId=555789012
Reissue the certificate from order ID number 555789012.
https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=duplicate&orderId=555345678
Issue a duplicate of the certificate from order ID number 555345678.
The examples below show complete Certbot client commands that include ACME URLs with added query parameters. In each command the --server URL is enclosed in single quotes so that the shell passes the whole URL, including the & and the orderId parameter, to Certbot instead of treating & as a command separator. The wildcard domain name is also quoted, to keep the shell from expanding the *.
Renew the public trust certificate in order ID number 555123456 for domains example.com and www.example.com, using HTTP-1 for domain control validation and installing the renewed certificate within the local Apache web server:
sudo certbot --apache --register-unsafely-without-email --eab-kid abcdef8sCnHGBsbCOgnv1ijy00l6UeEYCavSSSirl-k --eab-hmac-key EEEraHBXQUxWTEFGdFhndjRVNmV4t4F6c2VNZDM1QzRURGhjdHF3S1NublJjN0dhVUFObzA0SXJwVHBnU2yyUH --server 'https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=renew&orderId=555123456' --config-dir /usr/local/certbot/my_other_public_webserver_config/ -d example.com -d www.example.com --preferred-challenges http
Reissue the public trust wildcard certificate in order ID number 555789012 for *.my.example.com, using DNS-1 for domain control validation and installing the reissued certificate within the local NGINX web server:
sudo certbot --nginx --register-unsafely-without-email --eab-kid zcskpf8sCnHGBsbCOgnv1ijy00l6UeEYCavSSSirl-k --eab-hmac-key DDDraHBXQUxWTEFGdFhndjRVNmV4t4F6c2VNZDM1QzRURGhjdHF3S1NublJjN0dhVUFObzA0SXJwVHBnU2yyUH --server 'https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=reissue&orderId=555789012' --config-dir /usr/local/certbot/my_public_webserver_config/ -d '*.my.example.com' --manual --preferred-challenges dns
Issue a duplicate of the public trust certificate in order ID number 555345678 for domains test.com and mail.test.com, using HTTP-1 for domain control validation and installing the duplicate certificate within the local NGINX web server:
sudo certbot --nginx --register-unsafely-without-email --eab-kid zcskpf8sCnHGBsbCOgnv1ijy00l6UeEYCavSSSirl-k --eab-hmac-key DDDraHBXQUxWTEFGdFhndjRVNmV4t4F6c2VNZDM1QzRURGhjdHF3S1NublJjN0dhVUFObzA0SXJwVHBnU2yyUH --server 'https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=duplicate&orderId=555345678' --config-dir /usr/local/certbot/my_public_webserver_config/ -d test.com -d mail.test.com --preferred-challenges http
As usual, if the ACME automation request is valid, the resulting certificate gets automatically issued and installed for you.
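The ACME URLs above contain an & character, which a shell treats as a command separator unless the URL is quoted, so an unquoted URL reaches Certbot without its orderId. The following POSIX shell helper is an added example, not DigiCert's own code: it builds the URL from an action and order ID and checks that both parameters are present before Certbot is run. The function names are hypothetical, and the check that order IDs are numeric is an assumption based on the IDs shown on this page.

```shell
#!/bin/sh
# Added example (not DigiCert code). Function names are hypothetical.

TLM_DIRECTORY='https://one.digicert.com/mpki/api/v1/acme/v2/directory'

# tlm_acme_url ACTION ORDER_ID
# Prints the directory URL with both query parameters, or fails with a message.
tlm_acme_url() {
    action=$1
    order_id=$2
    # Only the three automation actions described on this page are accepted.
    case $action in
        renew|reissue|duplicate) ;;
        *) echo "unsupported action: $action" >&2; return 1 ;;
    esac
    # Assumption: order IDs are purely numeric, as in the page's examples.
    case $order_id in
        ''|*[!0-9]*) echo "order ID must be numeric: $order_id" >&2; return 1 ;;
    esac
    printf '%s?action=%s&orderId=%s\n' "$TLM_DIRECTORY" "$action" "$order_id"
}

# tlm_url_is_complete URL
# Succeeds only if URL carries both action and orderId. A URL that was passed
# unquoted on a command line is cut at "&" and fails this check.
tlm_url_is_complete() {
    case $1 in
        *'?action='*'&orderId='[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: keep the URL in a variable and always expand it inside double quotes.
#   server_url=$(tlm_acme_url renew 555123456) || exit 1
#   tlm_url_is_complete "$server_url" || exit 1
#   sudo certbot --apache ... --server "$server_url" ...
```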