I have several domains, but not a very large number. I have an apache instance running on Ubuntu 20.04.6 LTS. I would like to clean up my certificates management, but I do not want to break all of my websites as I do this. The cert information is below. Which of these can be safely deleted?
Is the usual practice to have one certificate per domain? One can, of course, have a certificate for several domains on one server, but then one cannot move the site to another server. Or can one? By copying the certificate files to the new server? And multiple certificates means multiple things to manage. Hmmm.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: AAAAA.com-0001
Serial Number: 4ff20...9b07e
Key Type: ECDSA
Domains: AAAAA.com BBBBB.com BBBBB.org opengovaccess.org CCCCC.com DDDDD.org
Expiry Date: 2025-04-07 00:52:13+00:00 (VALID: 30 days)
Certificate Path: /etc/letsencrypt/live/AAAAA.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/AAAAA.com-0001/privkey.pem
Certificate Name: AAAAA.com
Serial Number: 4842d...a19f0
Key Type: ECDSA
Domains: AAAAA.com
Expiry Date: 2025-05-30 05:26:03+00:00 (VALID: 83 days)
Certificate Path: /etc/letsencrypt/live/AAAAA.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/AAAAA.com/privkey.pem
Certificate Name: BBBBB.com-0001
Serial Number: 41ee1...f1124
Key Type: ECDSA
Domains: BBBBB.com
Expiry Date: 2025-05-30 05:26:11+00:00 (VALID: 83 days)
Certificate Path: /etc/letsencrypt/live/BBBBB.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/BBBBB.com-0001/privkey.pem
Certificate Name: BBBBB.org-0001
Serial Number: 3731f...92edd
Key Type: RSA
Domains: BBBBB.org
Expiry Date: 2025-05-30 05:26:18+00:00 (VALID: 83 days)
Certificate Path: /etc/letsencrypt/live/BBBBB.org-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/BBBBB.org-0001/privkey.pem
Certificate Name: BBBBB.org
Serial Number: 3731f...92edd
Key Type: RSA
Domains: BBBBB.org
Expiry Date: 2025-05-30 05:26:18+00:00 (VALID: 83 days)
Certificate Path: /etc/letsencrypt/live/BBBBB.org-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/BBBBB.org-0001/privkey.pem
Certificate Name: opengovaccess.org
Serial Number: 4d17f...41c7b
Key Type: ECDSA
Domains: opengovaccess.org
Expiry Date: 2025-05-30 05:26:24+00:00 (VALID: 83 days)
Certificate Path: /etc/letsencrypt/live/opengovaccess.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/opengovaccess.org/privkey.pem
Certificate Name: CCCCC.com
Serial Number: 38dae...56001
Key Type: RSA
Domains: CCCCC.com www.CCCCC.com
Expiry Date: 2025-05-30 05:26:36+00:00 (VALID: 83 days)
Certificate Path: /etc/letsencrypt/live/CCCCC.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/CCCCC.com/privkey.pem
Certificate Name: DDDDD.org
Serial Number: 39ffa...a7851
Key Type: ECDSA
Domains: DDDDD.org
Expiry Date: 2025-05-30 05:26:46+00:00 (VALID: 83 days)
Certificate Path: /etc/letsencrypt/live/DDDDD.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/DDDDD.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
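Before deciding what to delete, it helps to let a script do the comparison the listing invites: which lineages report the same serial number (the same certificate registered twice), which lineages point at the same files on disk, and which lineages have a domain set that another lineage already covers. The following is an added example, not part of the original question; SAMPLE is a constructed copy of the listing above (placeholder domains, truncated serials) so the script runs offline and never reads /etc/letsencrypt.

```python
"""Parse `certbot certificates` output and flag lineages that look redundant.

Added example, not from the original question. SAMPLE below is a constructed
copy of the question's listing, reduced to the fields this parser needs.
"""
import re
from collections import defaultdict

SAMPLE = """\
Found the following certs:
  Certificate Name: AAAAA.com-0001
    Serial Number: 4ff20...9b07e
    Domains: AAAAA.com BBBBB.com BBBBB.org opengovaccess.org CCCCC.com DDDDD.org
    Certificate Path: /etc/letsencrypt/live/AAAAA.com-0001/fullchain.pem
  Certificate Name: AAAAA.com
    Serial Number: 4842d...a19f0
    Domains: AAAAA.com
    Certificate Path: /etc/letsencrypt/live/AAAAA.com/fullchain.pem
  Certificate Name: BBBBB.com-0001
    Serial Number: 41ee1...f1124
    Domains: BBBBB.com
    Certificate Path: /etc/letsencrypt/live/BBBBB.com-0001/fullchain.pem
  Certificate Name: BBBBB.org-0001
    Serial Number: 3731f...92edd
    Domains: BBBBB.org
    Certificate Path: /etc/letsencrypt/live/BBBBB.org-0001/fullchain.pem
  Certificate Name: BBBBB.org
    Serial Number: 3731f...92edd
    Domains: BBBBB.org
    Certificate Path: /etc/letsencrypt/live/BBBBB.org-0001/fullchain.pem
  Certificate Name: opengovaccess.org
    Serial Number: 4d17f...41c7b
    Domains: opengovaccess.org
    Certificate Path: /etc/letsencrypt/live/opengovaccess.org/fullchain.pem
  Certificate Name: CCCCC.com
    Serial Number: 38dae...56001
    Domains: CCCCC.com www.CCCCC.com
    Certificate Path: /etc/letsencrypt/live/CCCCC.com/fullchain.pem
  Certificate Name: DDDDD.org
    Serial Number: 39ffa...a7851
    Domains: DDDDD.org
    Certificate Path: /etc/letsencrypt/live/DDDDD.org/fullchain.pem
"""

# One "Key: value" field per line; the key set is what certbot prints.
FIELD = re.compile(r"^\s*(Certificate Name|Serial Number|Key Type|Domains|"
                   r"Expiry Date|Certificate Path|Private Key Path):\s*(.*)$")


def parse_certbot_listing(text):
    """Return {lineage name: {'serial', 'domains' (set), 'path'}}."""
    lineages, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Certificate Name":
            current = lineages.setdefault(value, {"serial": None, "domains": set(), "path": None})
        elif current is None:
            continue
        elif key == "Serial Number":
            current["serial"] = value
        elif key == "Domains":
            current["domains"] = set(value.split())
        elif key == "Certificate Path":
            current["path"] = value
    return lineages


def _grouped(lineages, field):
    groups = defaultdict(list)
    for name, info in lineages.items():
        groups[info[field]].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def find_duplicates(lineages):
    """Lineages reporting the same serial number are one and the same certificate."""
    return _grouped(lineages, "serial")


def find_shared_paths(lineages):
    """Lineages whose Certificate Path is the same file: deleting one lineage by
    name may remove files the other still relies on, so check the renewal configs first."""
    return _grouped(lineages, "path")


def find_covered(lineages):
    """For each lineage, the *other* certificates whose domain set is a superset.
    A non-empty list means the lineage could be dropped once its VirtualHosts
    switch to the covering certificate; what Apache actually uses decides."""
    return {
        name: sorted(o for o, oi in lineages.items()
                     if o != name and oi["serial"] != info["serial"]
                     and info["domains"] <= oi["domains"])
        for name, info in lineages.items()
    }


if __name__ == "__main__":
    certs = parse_certbot_listing(SAMPLE)
    print("duplicate serials:", find_duplicates(certs))
    print("shared paths:", find_shared_paths(certs))
    print("covered by another cert:", {k: v for k, v in find_covered(certs).items() if v})
```

On a live host, run `certbot certificates` and feed its output to `parse_certbot_listing` instead of SAMPLE. The covered-by list only says a domain set is a subset of another certificate's; it is not by itself a reason to delete anything until the VirtualHost configs confirm which files Apache loads.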
Certificate cleaning recommendation:

Redundant certificates:

AAAAA.com-0001 (multi-domain certificate) which covers: AAAAA.com, BBBBB.com, BBBBB.org, opengovaccess.org, CCCCC.com, DDDDD.org. Potentially unnecessary because you have separate certificates for most of these domains.

AAAAA.com (single-domain certificate) - covers only AAAAA.com. Keep if you prefer separate certificates instead of the multi-domain one.

BBBBB.com-0001 - covers only BBBBB.com, keep it, unless AAAAA.com-0001 is used and covers this domain.

BBBBB.org-0001 & BBBBB.org - these seem identical (same serial number). Delete the duplicate one.

opengovaccess.org - covers only opengovaccess.org, keep it unless AAAAA.com-0001 is preferred.

CCCCC.com - covers CCCCC.com and www.CCCCC.com, keep these since AAAAA.com-0001 does not mention www.CCCCC.com.

DDDDD.org - covers only DDDDD.org, keep, unless AAAAA.com-0001 is actively used.
Based on your certificates:

If all your Virtual Hosts are using separate certificates, then AAAAA.com-0001 (multi-domain certificate) is not needed. Verify which VirtualHost entries use it:

    # check Apache configs:
    ls -al /etc/apache2/sites-available/

AAAAA.com-0001, delete it:

    sudo certbot delete --cert-name AAAAA.com-0001

The BBBBB.org certificate is a duplicate. If BBBBB.org-0001 and BBBBB.org are identical, delete the duplicate:

    sudo certbot delete --cert-name BBBBB.org
    # (or BBBBB.org-0001, depending on which is unused)
One certificate per domain? Wildcard or multi-domain certificate?

BBBBB.com to another server, you'd need to copy the full cert bundle.

Transferring certs to another server (personally I use this method in our production env, very handy, you can simply run the script in a cronjob):

fullchain.pem and privkey.pem to another server.