Certificate Settings

Certificate entries have the following settings:

Name:

A short name for the certificate

Description:

A longer string describing the certificate

Status:

Whether this entry is active

Active:

This entry will be processed manually and by the Cron job (General Settings)

Disabled:

This entry will be ignored

Acme Account:

The account key ACME will use when requesting the certificate (see Generate an Account Key)

Private Key:

The type and size of the private key generated for this certificate: RSA or ECDSA in several pre-defined sizes. Select Custom to manually enter a private key generated elsewhere.

2048-bit RSA is an acceptable default choice. Larger RSA keys provide a greater security margin at the cost of slower TLS handshakes. An ECDSA key (e.g. P-256) provides comparable or better strength with a much smaller key and faster handshakes, but requires that all clients support ECDSA certificates.

Preferred Chain:

If the ACME CA provides multiple trust chains, this field allows the user to choose an alternate preferred chain. This utilizes a case-insensitive substring match to locate a chain.

Domain SAN List:

A list of all domain names which will be included in this certificate as Subject Alternative Name (SAN) entries.

Each SAN entry may use the same or a different validation method. Each SAN must be individually validated by the ACME server before it will issue or renew the certificate.

Note

The ACME server may limit the number of SAN entries. For example, Let’s Encrypt limits a certificate to at most 100 SAN entries.

Mode:

Whether this SAN is active in the certificate

Domain Name:

The domain name for a SAN entry in this certificate (e.g. www.example.com)

Method:

The method used by ACME to validate control of this domain. Method settings are described in Validation Methods.

Click Add for additional SAN entries.

DNS validation methods also have some common settings which appear for all DNS provider types:

DNS Alias:

An alternative domain name used by the validation process. Instead of updating the DNS record for Domain Name directly, the package updates a record under this alias domain instead. See DNS Alias Mode for details.

DNS Alias Mode:

Controls which DNS alias mode is used: Challenge Alias (unchecked, default) or Domain Alias (checked). See DNS Alias Mode for details.

DNS-Sleep:

The amount of time the ACME validation process will wait after making DNS changes before attempting to validate. Some DNS services take a few minutes to propagate entries after making backend changes.

The default settings are typically sufficient, but slower providers may require a longer sleep time.

Actions List:

Commands to run after the package renews a certificate.

Mode:

Whether this action is active.

Command:

Full path to command and arguments, service name, or name of script.

Method:

Defines how the Command is executed by the package.

Shell Command:

The Command is a full path to a shell command and its arguments.

PHP Command Script:

The Command value is run as PHP code.

Restart Local Service:

The name of a local service to restart.

Restart Remote Service:

The name of a remote service to restart via XMLRPC. This utilizes the system XMLRPC sync configuration.

The GUI help text for this option includes several examples of common actions.

Certificate Renewal After:

The number of days after issuance at which the package will attempt to renew the certificate. Default is 60 days (2 months).

Note

Certificates issued by the Let’s Encrypt service are valid for a maximum of 90 days. When using other ACME servers, check with the provider to find its default and maximum validity intervals.

Tip

The best practice is to attempt renewal at around two-thirds of the certificate’s total lifetime. That way, any problems renewing the certificate can be resolved before it expires.