Problem with Let's Encrypt Certificate

Joseph Tam jtam.home at gmail.com
Mon Feb 20 21:01:37 UTC 2017


yacinechaouche at yahoo.com writes:

> Interesting.  Is there any particular benefit in having only one file
> for both certificate and private key ? I find that putting private key
> in a separate file feels more secure.

It's convenient to have key and cert in one place if you don't need
the certificate to be publicly readable.  Keeping them in separate
files would add slightly more security (defense in depth) that would
protect against, for example, an admin fumble or a bug in the SSL library.

"Michael A. Peters" <mpeters at domblogger.net> writes:

>> I use dehydrated (with Cloudflare DNS challenges) and as far as I know,
>> it seems to generate a new private key every time.
>
> Yeah that would be a problem for me because I implement DANE.

It's on my to-do list, but I think you can use dehydrated in signing
mode.

 	--signcsr (-s) path/to/csr.pem   Sign a given CSR, output CRT on stdout (advanced usage)

In this way, you can reuse the private key, as well as making it more
secure by removing a privileged operation (private key access), allowing
dehydrated to be run as a non-privileged/separate user.

Joseph Tam <jtam.home at gmail.com>
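As an added illustration (not code from the thread or from dehydrated): keep one long-lived key, build the CSR for `--signcsr` from it, and check that the DANE TLSA `3 1 1` digest (SHA-256 over the SubjectPublicKeyInfo) is unchanged across two certificates issued for that key. The self-signed step is a stand-in for dehydrated's CA signing so the script runs offline; the hostname and paths are placeholders.

```shell
#!/bin/sh
# Added example: persistent key + CSR for `dehydrated --signcsr`, and a
# check that the TLSA 3 1 1 digest survives re-issuance. Requires openssl.
set -eu

# TLSA 3 1 1: usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo),
# matching type 1 (SHA-256). Prints the hex digest for a PEM certificate.
tlsa_311() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Generate the persistent key once; every later renewal reuses this file.
make_key() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# CSR from the persistent key: args are key, csr path, common name.
# This CSR is what you hand to: dehydrated --signcsr "$csr" > "$crt"
make_csr() { openssl req -new -key "$1" -subj "/CN=$3" -out "$2" 2>/dev/null; }

# Stand-in for the CA: args are csr, key, cert path, days, serial.
sign_selfsigned() { openssl x509 -req -in "$1" -signkey "$2" -days "$4" -set_serial "$5" -out "$3" 2>/dev/null; }

# Issue two certificates (different serial and validity) for the same key and
# show that the 3 1 1 record, hence the published DANE data, does not change.
demo() {
    dir=$(mktemp -d)
    make_key "$dir/mail.key"
    make_csr "$dir/mail.key" "$dir/mail.csr" mail.example.org   # placeholder host
    sign_selfsigned "$dir/mail.csr" "$dir/mail.key" "$dir/cert1.pem" 30 1
    sign_selfsigned "$dir/mail.csr" "$dir/mail.key" "$dir/cert2.pem" 60 2
    a=$(tlsa_311 "$dir/cert1.pem"); b=$(tlsa_311 "$dir/cert2.pem")
    rm -rf "$dir"
    [ "$a" = "$b" ] || { echo "TLSA digest changed between issuances" >&2; return 1; }
    echo "_25._tcp.mail.example.org. IN TLSA 3 1 1 $a"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

With a fresh key per renewal (the dehydrated default noted above) the two digests would differ and the TLSA record would have to be rolled on every issuance.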

