Flex certificates: Duplicate an SSL/TLS certificate

Industry standards change: End of 2-year public SSL/TLS certificates

On August 27, 2020, 6:00 PM MDT (August 28 00:00 UTC), DigiCert stopped issuing public DV, OV, and EV SSL/TLS certificates with a maximum validity greater than 397 days.

Now, 2-year public SSL/TLS certificate duplicates will have a max validity of 397 days. This means some duplicate certificates will expire before the order expires. To use the remaining validity included with the original certificate, request new duplicate certificates during the order's final 397-day period.

To learn more, see End of 2-year DV, OV, and EV public SSL/TLS certificates.

All DigiCert certificates include free duplicate certificates. However, when we started offering our flex certificates, we improved the duplicate certificates process. The new process enables you to do more so you can get the duplicate certificate that fits your needs. To learn more about the benefits of flex certificates, see Flex certificates.

Duplicate certificates never require DigiCert to revoke previous copies of your certificate.

Duplicate certificates to remove domains

With flex certificates, you don’t add domains when duplicating a certificate. Domains are added during the certificate reissue process. Instead, the flex certificate duplicate process is used to remove and rearrange the domains included on your duplicate certificate.

For example, let’s say you have a Basic OV TLS certificate with *.example.com for the common name and *.example1.com, app.example3.com, and example2.com as SANs. Because it’s a flex certificate, you can create these duplicate certificates:

| Certificate | Common name | SANs |
|---|---|---|
| Original | *.example.com | *.example.com, *.example1.com, app.example3.com, example2.com |
| Duplicate 1 | *.example1.com | *.example1.com |
| Duplicate 2 | app.example3.com | app.example3.com |
| Duplicate 3 | example2.com | example2.com, app.example3.com |

Reissue to add domains

If you want a duplicate certificate for a domain not on the original or reissued certificate, you'll need to reissue the flex certificate to add the domain—see Reissue an SSL/TLS certificate. After you've added the domain and your certificate has been reissued, create a duplicate certificate that includes that new domain.

Wildcard domain duplicates

With wildcard domains, you're able to secure a domain and all its first-level subdomains. For example, a Secure Site OV certificate that secures *.example.com also secures add.example.com, my.example.com, app.example.com and so on. Instead of creating a duplicate certificate for *.example.com, you may want to create individual duplicate certificates for each subdomain covered by *.example.com.

Subdomains included as SANs on certificate

If the subdomain is already included as a SAN on the original or reissued certificate, create a duplicate certificate and move the subdomain to the common name field. Then, remove any unneeded SANs and submit your duplicate certificate request.

For example, let’s say you have a Secure Site Pro TLS certificate with *.example.com for the common name and sub.example.com, add.example.com, and my.example.com included as SANs. You can create a duplicate certificate for sub.example.com, one for add.example.com, and another one for my.example.com.

| Certificate | Common name | SANs |
|---|---|---|
| Original | *.example.com | *.example.com, add.example.com, sub.example.com, my.example.com |
| Duplicate 1 | add.example.com | add.example.com |
| Duplicate 2 | sub.example.com | sub.example.com |
| Duplicate 3 | my.example.com | my.example.com |

Subdomains not included as SANs on certificate

If the subdomain isn't on the original or reissued certificate, you need to reissue the certificate and add the domain to the order—see Reissue an SSL/TLS certificate. After your certificate has been reissued, create the duplicate certificate for the subdomain.

For example, let’s say you have a Secure Site Pro SSL certificate with *.example.com as the common name. However, you want to get duplicate certificates for sub.example.com, add.example.com, and my.example.com.

To do this, you'll need to reissue the certificate and add sub.example.com, add.example.com, and my.example.com as SANs to the order. After your certificate is reissued, create duplicate certificates for sub.example.com, add.example.com, and my.example.com.

| Certificate | Common name | SANs |
|---|---|---|
| Original | *.example.com | *.example.com |
| Reissued | *.example.com | *.example.com, add.example.com, sub.example.com, my.example.com |
| Duplicate 1 | add.example.com | add.example.com |
| Duplicate 2 | sub.example.com | sub.example.com |
| Duplicate 3 | my.example.com | my.example.com |
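
The rules above can be checked before a duplicate request is submitted. The following is an added example, not DigiCert code or a DigiCert API: it tests whether a planned duplicate only uses names already on the original or reissued certificate, reports names that are merely covered by a wildcard (and so need a reissue first), and estimates the duplicate's latest expiry. The function names are hypothetical, and it assumes that a duplicate cannot outlive its order and that 397 days is counted by simple date addition.

```python
from datetime import date, timedelta

MAX_VALIDITY_DAYS = 397  # cap stated on this page for public TLS certificates


def wildcard_covers(pattern: str, name: str) -> bool:
    """True if a wildcard such as *.example.com covers `name` (first-level only)."""
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:].lower()              # ".example.com"
    name = name.lower()
    if not name.endswith(suffix):
        return False
    label = name[: -len(suffix)]              # the part matched by "*"
    return bool(label) and "." not in label and label != "*"


def check_duplicate(order_names, common_name, sans):
    """Classify a planned duplicate against the names on the certificate.

    Returns (status, missing). status is "duplicate" when every requested name
    is already on the certificate, otherwise "reissue-first". `missing` maps
    each absent name to the wildcard on the order that covers it, or None.
    """
    on_cert = {n.lower() for n in order_names}
    requested = [common_name] + [s for s in sans if s.lower() != common_name.lower()]
    missing = {}
    for name in requested:
        if name.lower() in on_cert:
            continue
        # Covered by a wildcard is not enough: the name must be added by reissue.
        missing[name] = next((w for w in order_names if wildcard_covers(w, name)), None)
    return ("duplicate" if not missing else "reissue-first"), missing


def duplicate_not_after(issued: date, order_expires: date) -> date:
    """Latest expiry for a duplicate: 397 days from issue, capped by the order (assumption)."""
    return min(order_expires, issued + timedelta(days=MAX_VALIDITY_DAYS))


if __name__ == "__main__":
    # Constructed from the first table on this page.
    order = ["*.example.com", "*.example1.com", "app.example3.com", "example2.com"]
    print(check_duplicate(order, "example2.com", ["app.example3.com"]))
    print(check_duplicate(["*.example.com"], "sub.example.com", []))
    print(duplicate_not_after(date(2024, 1, 1), date(2025, 12, 31)))
```

A "reissue-first" result with a wildcard listed beside the name corresponds to the "Subdomains not included as SANs on certificate" case; a name mapped to None is not on the order at all.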