diff --git a/cm.sh b/cm.sh
index ac10269175cd28f95e849c91a00a47b757d5a620..bb372fbfb69034479270a4885c467cc6842ef7cf 100755
--- a/cm.sh
+++ b/cm.sh
@@ -29,6 +29,7 @@
 # 2022-03-31  <axel.hahn@iml.unibe.ch>  dns authentication with alias domain
 # 2022-04-04  <axel.hahn@iml.unibe.ch>  Bugfix: copy key from csr folder to ~/.acme/
 # 2022-04-04  <axel.hahn@iml.unibe.ch>  added param "list-old"
+# 2022-04-07  <axel.hahn@iml.unibe.ch>  fix missing key in public_ensure before calling public_add too.
 # ======================================================================
 
 
@@ -57,6 +58,21 @@ writelog=1
 #
 # ----------------------------------------------------------------------
 
+# BUGFIX: acme.sh does not create a new key file on renew.
+# After switching from csr method to param -d we got a 0 byte Keyfile
+function _fixKeyfile(){
+	local _acme_keyfile=~/.acme.sh/${CM_fqdn}/${CM_fqdn}.key
+	if test ! -f "$_acme_keyfile"
+	then
+		echo "FIX: copy key from csr folder $CM_filekey to $_acme_keyfile"
+		if ! cp "$CM_filekey" "$_acme_keyfile"
+		then
+			exit 1
+		fi
+	fi
+
+}
+
 # internal function; list certificates incl. creation date and renew date
 function _listCerts(){
 	$ACME --list	
@@ -475,6 +491,7 @@ function public_ensure(){
 			# _wd "--- DNS aliases do NOT match ... deleting cert and create a new one"
 			# public_delete $*
 			_wd "--- DNS aliases do NOT match ... creating a new one"
+			_fixKeyfile
 			public_add $*
 		fi
 	else
@@ -550,6 +567,7 @@ function public_list-old(){
 	exit $_rc
 }
 
+
 #
 # public function - renew a certificate
 # param  string  fqdn of domain to renew
@@ -558,18 +576,7 @@ function public_renew(){
 	_requiresFqdn
 	_certMustExist
 
-	# BUGFIX: acme.sh does not create a new key file on renew.
-	# After switching from csr method to pram -d we got a 0 byte Keyfile
-	local _acme_keyfile=~/.acme.sh/${CM_fqdn}/${CM_fqdn}.key
-	if test ! -f "$_acme_keyfile"
-	then
-		echo "FIX: copy key from csr folder $CM_filekey to $_acme_keyfile"
-		if ! cp "$CM_filekey" "$_acme_keyfile"
-		then
-			exit 1
-		fi
-	fi
-	# /BUGFIX
+	_fixKeyfile
 
 	$ACME --renew -d ${CM_fqdn} $ACME_Params
 	local _rc=$?