Skip to main content

Certbot: Renew, reissue, or duplicate certificate using ACME URL query parameters

Anytime you request certificate automation with a third-party ACME client, DigiCert​​®​​ Trust Lifecycle Manager searches for existing certificate orders, and if it finds one that matches, applies the default lifecycle action for that order.

You can also explicitly instruct Trust Lifecycle Manager to perform a specific lifecycle action for an existing certificate order, by adding the automation action type and order ID as query parameters to the ACME URL.

Avviso

Trust Lifecycle Manager can automatically renew and reissue certificates for existing orders when applicable. See ACME automation actions.

To duplicate an existing certificate, the certificate profile must have duplicates enabled, and you must include the automation action and order ID in the ACME URL.

Consider the following ACME URLs that include automation action and order ID query parameters:

  • https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=renew&orderId=555123456

    Renew the certificate from order ID number 555123456.

  • https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=reissue&orderId=555789012

    Reissue the certificate from order ID number 555789012.

  • https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=duplicate&orderId=555345678

    Issue a duplicate of the certificate from order ID number 555345678.

The below examples illustrate complete Certbot client commands that include ACME URLs with added query parameters.

  • Renew the public trust certificate in order ID number 555123456 for domains example.com and www.example.com, using HTTP-1 for domain control validation and installing the renewed certificate within the local Apache web server:

    sudo certbot --apache --register-unsafely-without-email --eab-kid abcdef8sCnHGBsbCOgnv1ijy00l6UeEYCavSSSirl-k --eab-hmac-key EEEraHBXQUxWTEFGdFhndjRVNmV4t4F6c2VNZDM1QzRURGhjdHF3S1NublJjN0dhVUFObzA0SXJwVHBnU2yyUH --server https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=renew&orderId=555123456 --config-dir /usr/local/certbot/my_other_public_webserver_config/ -d test.com -d www.test.com --preferred-challenges http
  • Reissue the public trust wildcard certificate in order ID number 555789012 for *.my.example.com, using DNS-1 for domain control validation and installing the reissued certificate within the local NGINX web server:

    sudo certbot --nginx --register-unsafely-without-email --eab-kid zcskpf8sCnHGBsbCOgnv1ijy00l6UeEYCavSSSirl-k --eab-hmac-key DDDraHBXQUxWTEFGdFhndjRVNmV4t4F6c2VNZDM1QzRURGhjdHF3S1NublJjN0dhVUFObzA0SXJwVHBnU2yyUH --server https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=reissue&orderId=555789012 --config-dir /usr/local/certbot/my_public_webserver_config/ -d *.my.example.com --manual --preferred-challenges dns
  • Issue a duplicate of the public trust certificate in order ID number 555345678 for domains test.com and mail.test.com, using HTTP-1 for domain control validation and installing the duplicate certificate within the local NGINX web server:

    sudo certbot --nginx --register-unsafely-without-email --eab-kid zcskpf8sCnHGBsbCOgnv1ijy00l6UeEYCavSSSirl-k --eab-hmac-key DDDraHBXQUxWTEFGdFhndjRVNmV4t4F6c2VNZDM1QzRURGhjdHF3S1NublJjN0dhVUFObzA0SXJwVHBnU2yyUH --server https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=duplicate&orderId=555345678 --config-dir /usr/local/certbot/my_public_webserver_config/ -d test.com -d mail.test.com --preferred-challenges http

As usual, if the ACME automation request is valid, the resulting certificate gets automatically issued and installed for you.