Do I have to get new identifiers for every cert?

Ross Presser

Mar 6, 2017, 12:51:54 PM
to ACMESharp
In my web hosting, my customers can specify sites that need https certificates at any time. Currently when I detect that a cert needs to be replaced because new domains are needed, I am generating new identifiers for every domain that will be in the new cert, including ones that were in the last cert. For my most active base domain this might happen every day or even as much as 3 times a day. And so it finally bit me: I got rate limited for creating too many identifiers in a week for a single base domain.

If I find that there is an identifier already for a domain, and it has status "valid", can I reuse it in the new certificate request? 

Also, is there an Expires field on an identifier?

Ross Presser

Mar 6, 2017, 1:04:41 PM
to ACMESharp
OK, after reading again in the wiki and in issue 165 I understand that validated identifiers are supposed to be good for 60 days and that if I verify it is not expired using Update-ACMEIdentifier, I should be able to use it for the revised certificate.

Eugene Bekker

Apr 10, 2017, 11:16:44 AM
to ACMESharp
That's correct.  Let's Encrypt shortened the window to 60 days (30 less than the life of the certificates they issue) because they essentially want users to re-validate their ownership of domain identifiers (complete challenges) each time they renew/regenerate a cert.  So now there really is no difference between the process for issuing a new cert vs. renewing an existing cert for a given domain.
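
The reuse logic the two posts above describe, as an added example written for this thread (it is not code from the ACMESharp project or from either poster). It assumes an ACMESharp vault that is already initialised and registered, that `Get-ACMEIdentifier` with no reference lists the vault's identifiers with `Alias`, `Dns` and `Status` properties, that `Update-ACMEIdentifier` returns the refreshed authorization with `Status` and `Expires`, and that http-01 with the `manual` handler is acceptable for new names (swap in whichever handler your hosting uses). The two-day safety margin and the alias naming scheme are choices made here, not anything ACMESharp requires.

```powershell
# Added example, not ACMESharp project code. Assumes Initialize-ACMEVault and
# New-ACMERegistration have already been run against the target ACME server.
Import-Module ACMESharp

# Assumption: refuse to reuse an authorization that expires within two days,
# so a validated identifier cannot lapse between this check and issuance.
$MinRemaining = New-TimeSpan -Days 2

function Get-ReusableIdentifierAlias {
    param([Parameter(Mandatory)][string]$Dns)

    # Assumption: the identifier listing exposes Alias, Dns and Status.
    $existing = Get-ACMEIdentifier | Where-Object { $_.Dns -eq $Dns }
    foreach ($ident in $existing) {
        # Refresh from the server so Status and Expires reflect reality,
        # not whatever was cached in the vault when the identifier was made.
        $authz = Update-ACMEIdentifier -IdentifierRef $ident.Alias
        if ($authz.Status -eq 'valid' -and $null -ne $authz.Expires -and
            (([datetime]$authz.Expires) - (Get-Date)) -gt $MinRemaining) {
            return $ident.Alias
        }
    }
    return $null   # nothing reusable: caller must create and validate a new one
}

function Get-IdentifierAliasesForCert {
    param([Parameter(Mandatory)][string[]]$DnsNames)

    $aliases = @()
    foreach ($dns in $DnsNames) {
        $alias = Get-ReusableIdentifierAlias -Dns $dns
        if ($alias) {
            Write-Verbose "Reusing valid identifier '$alias' for $dns"
        } else {
            # Assumption: alias scheme is ours; ACMESharp only needs it unique.
            $alias = 'dns-{0}-{1}' -f ($dns -replace '[^a-z0-9]', '-'),
                                      (Get-Date -Format 'yyyyMMddHHmmss')
            New-ACMEIdentifier -Dns $dns -Alias $alias | Out-Null
            # The manual handler prints the token to publish; replace with
            # your IIS or DNS handler for unattended runs.
            Complete-ACMEChallenge -IdentifierRef $alias -ChallengeType http-01 -Handler manual | Out-Null
            Submit-ACMEChallenge -IdentifierRef $alias -ChallengeType http-01 | Out-Null
            # Poll until the server leaves 'pending'; anything but 'valid' is fatal.
            do {
                Start-Sleep -Seconds 5
                $authz = Update-ACMEIdentifier -IdentifierRef $alias
            } while ($authz.Status -eq 'pending')
            if ($authz.Status -ne 'valid') {
                throw "Validation failed for $dns (status: $($authz.Status))"
            }
        }
        $aliases += $alias
    }
    return $aliases
}

# Usage: only names without a valid, unexpired identifier cost a new
# authorization, which is what keeps the per-base-domain rate limit quiet.
$names   = @('www.example.com', 'shop.example.com', 'blog.example.com')
$aliases = Get-IdentifierAliasesForCert -DnsNames $names
$certAlias = 'cert-{0}' -f (Get-Date -Format 'yyyyMMddHHmmss')
New-ACMECertificate -IdentifierRef $aliases[0] -Alias $certAlias -Generate `
    -AlternativeIdentifierRefs ($aliases | Select-Object -Skip 1) | Out-Null
Submit-ACMECertificate -CertificateRef $certAlias | Out-Null
Update-ACMECertificate -CertificateRef $certAlias | Out-Null
```

Because the check goes through `Update-ACMEIdentifier` rather than trusting the vault's stored status, an authorization that the server has since expired or invalidated is detected before it is wired into a certificate request; the margin also matters because, as the reply above notes, the validation window (60 days) is shorter than the certificate lifetime, so a renewal that reuses an identifier from the previous issuance will frequently find it already expired.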
