Certificates with different account settings

Hello Community

Imagine I have a webserver with 4 sites. These sites belong to different clients. Two certificates come from Let’s Encrypt and two from Digicert. I have successfully added the 4 accounts under the Certificate Authority Settings.

Now where can I choose the account when I request the certificate? In the Managed Certificate Settings under Certificate → Advanced → Certificate Authority I can only choose the CA, but not the account to use when requesting the certificate.

Thank you for your help!

Kind Regards
Mike

Hi Mike,

There is (currently) no concept of matching certificates to different organizations’ ACME accounts within the app like that. You can add multiple CA accounts as you have done, but if you add multiple accounts against the same CA the app will just pick the first one.

Under Certificate > Advanced > Certificate Authority you can specify a preferred CA for that particular managed certificate, but it’s not the account you are selecting, it’s just the CA (the app will then select the first account that matches that CA). That’s because some ACME CAs (Let’s Encrypt in particular) have no real link between accounts and who “owns” them; they are almost entirely an internal arbitrary grouping of certificate orders and are not a “real” account in the sense of one you might use to log in and do stuff with.

Do you have a requirement to match different managed certs to different CA accounts specifically (mapping to specific organizations), and can you say more about what that requirement is and why it exists?

Dear webprofusion

Thank you for your answer!

We are running a couple of webservers with different sites. Each server can have sites with different clients. So site 1 uses Digicert with a specific CA, KeyID and HMACKey. Site 2 belongs to another client which also uses Digicert, but has to use a different KeyID and HMACKey to get the certificate. Because the two clients are not related I have to generate a set of ACME URLs and their keys to get to the certificates. The same applies when I would request a Let’s Encrypt cert for customer 3 and, let’s say, site 3, and Let’s Encrypt certificates for site 4 with customer 4. If I have only one account per CA, all certificates must be fetched with the same account. In the past LE was sending out reminders to the requesting e-mail. They stopped doing that, so it might be a minor problem. But in the case of Digicert there is no relation between those clients, and I cannot access client 2’s certificates with client 1’s KeyID and HMAC.

I hope this explains my problem.

Kind Regards
Mike

Dear webprofusion

After some more trial and error, I might have found a solution.

I add a separate, uniquely named Certificate Authority for each client (copy the Digicert settings and use a unique name), and under Advanced I can add Key ID and HMAC. This unique Certificate Authority I can then map to a specific certificate. This should work with Let’s Encrypt too.

What do you think?

Kind Regards
Mike

Hi Mike,

Clever solution! Yes, if you set up each CA as a custom CA (even if they have similar/same settings), add an ACME account for that custom CA, then specify that custom CA on the managed certificate, the renewal will stick to that CA.

The only thing to remember is to uncheck the CA Fallback option (if currently checked) under Settings > Certificate Authorities; otherwise, if a CA had a temporary problem, the app would fall back to trying a different account.
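The Key ID and HMAC key pair discussed in this thread is an ACME External Account Binding (RFC 8555 section 7.3.4): the CA ties a new ACME account key to a customer it already knows by checking an HMAC over that key. The following added example, which is not code from the thread or from the Certify The Web project, builds and verifies that binding with Python's standard library to show why client 1's Key ID and HMAC cannot authorize an account for client 2's orders; the Key IDs, HMAC keys, account key and CA URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding urlsafe_b64decode wants."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed sample values, not real credentials: each client obtains its own
# EAB "Key ID" and base64url "HMAC key" from its own CA portal.
CLIENT1_EAB = {"kid": "client1-kid-0001", "hmac": b64url(b"client1-secret-mac-key-0123456789ab")}
CLIENT2_EAB = {"kid": "client2-kid-0002", "hmac": b64url(b"client2-secret-mac-key-fedcba987654")}
NEW_ACCOUNT_URL = "https://acme.example.invalid/acme/new-account"  # placeholder
# Placeholder account public key (JWK); a real client uses its own EC/RSA key.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x11" * 32), "y": b64url(b"\x22" * 32)}


def build_eab(account_jwk: dict, key_id: str, hmac_key_b64: str, new_account_url: str) -> dict:
    """Client side: the externalAccountBinding JWS embedded in the newAccount request.
    The payload is the account public key; the HMAC binds it to the CA-issued kid."""
    protected = {"alg": "HS256", "kid": key_id, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(sig)}


def eab_kid(eab: dict) -> str:
    """The Key ID the CA uses to look up which customer's HMAC key applies."""
    return json.loads(b64url_decode(eab["protected"]))["kid"]


def verify_eab(eab: dict, hmac_key_b64: str) -> bool:
    """CA side: recompute the MAC with the HMAC key registered for that kid."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


def cross_client_binding_fails() -> bool:
    """Client 1's binding verifies only under client 1's key, so one shared
    ACME account per CA cannot serve both clients; each needs its own account."""
    eab = build_eab(ACCOUNT_JWK, CLIENT1_EAB["kid"], CLIENT1_EAB["hmac"], NEW_ACCOUNT_URL)
    return verify_eab(eab, CLIENT1_EAB["hmac"]) and not verify_eab(eab, CLIENT2_EAB["hmac"])
```

This is why a separate custom CA entry per client, each carrying its own Key ID and HMAC, is the right mapping: the CA rejects a binding made with another customer's key.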

Hello webprofusion

I will try that :) thanks again for your support!

Kind Regards
Mike