Problem with Let's Encrypt Certificate
Michael A. Peters
mpeters at domblogger.net
Sun Feb 19 07:00:17 UTC 2017
On 02/18/2017 10:24 PM, Robert L Mathews wrote:
> On 2/17/17 1:38 PM, chaouche yacine wrote:
>
>> Seems wrong to me too, Robert. If you put your private key inside
>> your certificate, won't it be sent to the client along with it ?
>
> No; any SSL software that uses the file will extract the parts it needs
> from it and convert them to its internal format for future use. It never
> literally sends the file contents anywhere.
>
> It's common and often recommended for a PEM file to contain everything
> needed; see, for example, the bottom section of:
>
> https://www.digicert.com/ssl-support/pem-ssl-creation.htm
>
> Doing this avoids the key and certificate files getting out of sync later.
>
I don't use Let's Encrypt but to avoid them getting out of sync, I
simply put a time stamp in the filename, e.g.
/etc/pki/tls/private/deviant.email-20160427.key
/etc/pki/tls/certs/deviant.email-20160427.crt
I never re-use a private key, when a cert expires I always generate a
new private key with a new CSR.
That's one of the reasons I don't like Let's Encrypt, with one year
certs it is easier to look at the certs and see what is going to expire
in the coming month needing a new private key.
Let's Encrypt does 3 month certs and re-uses the private key when it
generates a new cert.
I'm sure it probably could be scripted to use a new private key every
time but then I have to have to update the TLSA record frequently (and
you have to have the new fingerprint TLSA record in DNS before you start
using it) and that would be a hassle.
I'm sure it probably could also be scripted to use a new private key
every fourth time, too.
But for me its just easier to have certs that last a year and I can
easily visually see what is going to need my action.
More information about the dovecot
mailing list