2021-08-30
Going all the way with zerossl: requesting a certificate with multiple names
I assumed the free tier of zerossl doesn't allow for certificates with multiple names, but I guess I assumed wrong, because I just got issued a certificate with multiple names. After debugging my earlier issues with zerossl and finding out I forgot the CAA record, this time I tried a certificate with the subjectAltName extension in use with more than one name.
$ openssl req -in httprenewable/webserver-devvirtualbookcase.csr -noout -text
[..]
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:developer.virtualbookcase.com, DNS:perl.virtualbookcase.com

And the certificate dance went fine with dehydrated:

$ ./dehydrated/dehydrated --config /etc/dehydrated/config.zerossl -s httprenewable/webserver-devvirtualbookcase.csr > tmp/certificate.crt
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for developer.virtualbookcase.com
 + Handling authorization for perl.virtualbookcase.com
 + 2 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for developer.virtualbookcase.com authorization...
 + Challenge is valid!
 + Responding to challenge for perl.virtualbookcase.com authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
 + Order is processing...
 + Checking certificate...
 + Done!
$ openssl x509 -in tmp/certificate.crt -noout -text | less
[..]
            X509v3 Subject Alternative Name:
                DNS:developer.virtualbookcase.com, DNS:perl.virtualbookcase.com

The /etc/dehydrated/config.zerossl has the EAB_KID and EAB_HMAC_KEY values set to the ones associated with my account.

This means zerossl works as a complete secondary certificate issuer and I could switch over completely in case LetsEncrypt isn't available. Choice is good!
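The comparison done by eye above (names in the CSR against names in the issued certificate) can be scripted so a renewal job fails when the CA returns a different name set. This is an added example, not part of the original post; the function names `san_names` and `san_compare` and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that an issued certificate carries exactly the DNS names the CSR asked for.
# Input is the text printed by `openssl req -noout -text` or `openssl x509 -noout -text`.

# Read openssl text output on stdin; print the SAN DNS names, lowercased, one per line, sorted.
san_names() {
    awk '/X509v3 Subject Alternative Name:/ {
             sub(/.*X509v3 Subject Alternative Name:( critical)?/, "")
             if ($0 !~ /DNS:/) getline      # names normally sit on the next line
             print; exit
         }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\)[[:space:]]*$/\1/p' |
        tr 'A-Z' 'a-z' |
        sort -u
}

# san_compare CSR_TEXT CERT_TEXT: return 0 if both name sets are equal, 1 (listing the
# differences) if not, 2 if the CSR text has no SAN names at all.
san_compare() {
    want=$(printf '%s\n' "$1" | san_names)
    got=$(printf '%s\n' "$2" | san_names)
    [ -n "$want" ] || { echo "no SAN names found in CSR" >&2; return 2; }
    [ "$want" != "$got" ] || return 0
    printf '%s\n' "$want" | while read -r n; do
        printf '%s\n' "$got" | grep -qxF -e "$n" || echo "missing from certificate: $n"
    done
    printf '%s\n' "$got" | while read -r n; do
        [ -n "$n" ] || continue
        printf '%s\n' "$want" | grep -qxF -e "$n" || echo "not requested in CSR: $n"
    done
    return 1
}

# Constructed sample text: names as shown in the post; CERT_SHORT is a made-up mismatch.
CSR_TEXT='        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:developer.virtualbookcase.com, DNS:perl.virtualbookcase.com'
CERT_OK='            X509v3 Subject Alternative Name:
                DNS:perl.virtualbookcase.com, DNS:developer.virtualbookcase.com'
CERT_SHORT='            X509v3 Subject Alternative Name:
                DNS:developer.virtualbookcase.com'

san_compare "$CSR_TEXT" "$CERT_OK" && echo "SAN sets match"
san_compare "$CSR_TEXT" "$CERT_SHORT" || echo "certificate does not cover the CSR"

# With real files:
# san_compare "$(openssl req -in httprenewable/webserver-devvirtualbookcase.csr -noout -text)" \
#             "$(openssl x509 -in tmp/certificate.crt -noout -text)"
```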