When adding a new domain to the existing SSL SAN Certificate, how would it affect sites that were using the SAN Certificate [closed]

StackOverflow https://stackoverflow.com/questions/12632731

Question

When adding a new domain to the existing SSL SAN Certificate, how would it affect sites that were using the previous SAN Certificate?

My logical sense is telling me that it will be able to serve https requests or throw a security warning indicating the certificate being invalid.


Solution

As long as a certificate isn't revoked (or doesn't expire), it will be valid for all the SAN names for which it was issued. If another certificate is issued for a set of hosts that overlaps the ones used in a previous certificate, both will be valid for their respective hosts.

Whether a CA chooses to invalidate a previous certificate it has issued within the same account for a similar set of hosts depends on its own policy, but in principle, you could easily get another certificate for the same hosts from a different CA anyway.

This being said, it seems that you're using a single certificate (and the same private key) across multiple machines, for hosts that don't seem related (at least in the sense that they are served by distinct machines anyway). This is normally considered bad practice, since if one of those machines was compromised, you would have to change the certificate on all the machines.
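
Added example (not part of the answer above) of the per-name check the answer describes: an old certificate and a renewed one with an extra SAN both stay valid for the names they share, and neither covers a name it does not list or a date outside its validity window. The two certificates are constructed sample data in the dict shape Python's ssl.getpeercert() returns, so the same check works on a real peer certificate.

```python
import ssl
import time

# Constructed sample certificates (not real ones) in the dict shape that
# ssl.SSLSocket.getpeercert() returns. NEW_CERT is the "renewal" of OLD_CERT
# with one extra SAN; both remain usable for the names they share.
OLD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "api.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "api.example.com"),
        ("DNS", "*.shop.example.com"),
    ),
    "notBefore": "Jun  1 00:00:00 2024 GMT",
    "notAfter": "Jun  1 00:00:00 2026 GMT",
}

def dns_name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; a wildcard is only valid as the
    whole leftmost label and covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
    # *.shop.example.com covers eu.shop.example.com but not shop.example.com
    # or a.b.shop.example.com.
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels

def cert_covers(cert, hostname, now=None):
    """True if the certificate is inside its validity window and lists
    hostname as a dNSName SAN (the CN is ignored, as browsers do today)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return False
    return any(kind == "DNS" and dns_name_matches(name, hostname)
               for kind, name in cert.get("subjectAltName", ()))

def covering_certs(certs, hostname, now):
    """Labels of every certificate in `certs` that can serve hostname at `now`."""
    return [label for label, cert in certs.items() if cert_covers(cert, hostname, now)]

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")
    for host in ("www.example.com", "api.example.com", "eu.shop.example.com", "shop.example.com"):
        print(host, covering_certs({"old": OLD_CERT, "new": NEW_CERT}, host, now))
```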

OTHER TIPS

FYI, as advised by Digicert, adding domains to the existing certificate will not revoke the certificate and should allow the existing one to continue to function as it was before.

HTTPS:// is not supported for any SAN names you remove from the certificate, and it causes an SSL security error or warning for the removed domain names.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow