diff --git a/cm.sh b/cm.sh
index 0acc5de60b7d9484df0694944fc8377c6ce42b0c..4f841d77611096c50dac1a7f52923f7200fda3d2 100755
--- a/cm.sh
+++ b/cm.sh
@@ -22,6 +22,7 @@
 # 2021-04-12  <axel.hahn@iml.unibe.ch>  optional: force excecution with a given user only
 # 2021-06-24  <axel.hahn@iml.unibe.ch>  added transfer command; delete files if acme.sh --install-cert ... failes
 # 2021-07-14  <axel.hahn@iml.unibe.ch>  added _wait_for_free_slot in cert actions to execute multiple processes sequentially
+# 2021-09-27  <axel.hahn@iml.unibe.ch>  softer behaviour: do not revoke changed certs (add does not stop; ensure does not delete)
 # ======================================================================
 
 
@@ -82,8 +83,10 @@ function _certMustExist(){
 function _certMustNotExist(){
 	_certExists
 	if [ $? -eq 0 ]; then
-		echo "ERROR: cert ${CM_fqdn} was added already."
-		exit 1
+		echo "WARNING: cert ${CM_fqdn} was added already."
+		# exit 1
+		echo "Press Ctrl+C to abort within the next 10 sec..."
+		sleep 10
 	fi
 }
 
@@ -327,7 +330,7 @@ function _testFqdncount(){
 function public_add(){
 	_wait_for_free_slot
 	_requiresFqdn
-	_certMustNotExist
+    _certMustNotExist
 
 	for myhost in $( echo $CM_fqdn $*)
 	do 
@@ -378,8 +381,9 @@ function public_ensure(){
 			_wd "--- DNS aliases match ... renew it (ignore --force - it comes from acme.sh)"
 			public_renew $*
 		else
-			_wd "--- DNS aliases do NOT match ... deleting cert and create a new one"
-			public_delete $*
+			# _wd "--- DNS aliases do NOT match ... deleting cert and create a new one"
+			# public_delete $*
+			_wd "--- DNS aliases do NOT match ... creating a new one"
 			public_add $*
 		fi
 	else