Create a new certificate for user account main domain and domain alias?

Background:
I have a server running CPanel 74.0.8 with a number of accounts, hosting a variety of websites on different SSL certificates (paid, free and autossl).

Inside one account the website is secured using a Comodo Free SSL certificate. This was done because the old certificate was a Symantec certificate and browsers were about to stop trusting it (security issue), and I couldn't figure out how to create a new AutoSSL certificate - the user account doesn't have one installed, where as other user accounts already have one.

Question 1:
How do I create a new certificate for AutoSSL on an existing account? Unfortunately this isn't immediately obvious, I can see how to switch between existing certificates, generate a self-signed certificate and use an externally generated one but not how to generate a CPanel AutoSSL certificate from scratch.

Question 2:
Following on from Q1. Is it possible to apply an AutoSSL CPanel certificate to the main domain and an alias domain? The documentation seems to indicate this happens auto magically when the alias is created, which hasn't happened because there is no AutoSSL certificate, so would be possible to do this after the alias was created?

More Info:
I aware I can enable AutoSSL to replace invalid and expiring certificates. I suspect I could turn this on, delete my existing certificates (just for the one user account!), run Check AutoSSL and it might create a new AutoSSL certificate, but that seems like a scary approach and I'm a little hesitant to enable this as it will affect all user accounts on the server and I don't know what it considers an invalid certificate..

Thanks. Help and guidance is much appreciated.

 

Thanks for the excellent response. That helps - especially the clarification on invalid domains.

After a little investigation and thought I think the issues I have are:

1) The Domain Name Server for the domain is not the cPanel Server. The WHM DNS is disabled. I was confused because I didn't set-up the accounts\domains and assumed cPanel controlled them. However when trying to validate the domain with LetsEncrypt it became obvious they weren't the same records (doh!). I'm guessing cPanel keeps it's own "pseudo" domain zone records for creating things like the AutoSSL certificates.

2) The logs are showing warnings on some additional proxy sub-domains: cpanel, webmail, webdisk, cpcalendars, cpcontacts, and whm subdomains which haven't been applied to the active name servers. These take the form of "WARN Skipping duplicate domains (misconfigured?): ... sub-domain.here ... ". I suspect if I remove these from the cPanel DNS, or add them to the active Name Servers, these warnings will disappear.

3) The logs are showing warnings on some genuine historic sub-domains (websites) which are no longer accessible. These look like "ERROR Local DNS DCV error: historic.subdomainhere : The DNS query to “_cpanel-dcv-test-record for the DCV challenge returned no “TXT” record that matches the value ...". Obviously if the website isn't accessible on the internet (no name-server reference) and the DNS zone records can't be updated (because cPanel has no access) then the sub-domain is never going to validate! I guess this needs cleaning up too

So... I think if I clean out the proxy domains and unused sub-domains from cPanels DNS zone records, then AutoSSL will analyse the account and see the existing certificate as valid (which I can clarify in the logs), at which point I should be able to click Check "$user" under manage auto ssl and it'll create new cPanel (comodo) SSL certificate for the domain on that account.