Problem with Let's Encrypt Certificate
KT Walrus
kevin at my.walr.us
Thu Feb 23 20:43:55 UTC 2017
> On Feb 20, 2017, at 4:01 PM, Joseph Tam <jtam.home at gmail.com> wrote:
>
> yacinechaouche at yahoo.com writes:
>
>> Interesting. Is there any particular benefit in having only one file
>> for both certificate and private key ? I find that putting private key
>> in a separate file feels more secure.
>
> It's convenient to have key and cert in one place if you don't need
> the certificate to be publicly readable. Keeping it in separate
> files would add slightly more security (defense in depth), that would
> protect from, for example, an admin fumble or bug in the SSL library.
>
> "Michael A. Peters" <mpeters at domblogger.net> writes:
>
>>> I use dehydrated (with Cloudflare DNS challenges) and as far as I know,
>>> it seems to generate a new private key every time.
>>
>> Yeah that would be a problem for me because I implement DANE.
>
> It's on my to-do list, but I think you can use dehydrated in signing
> mode.
>
> --signcsr (-s) path/to/csr.pem Sign a given CSR, output CRT on stdout (advanced usage)
>
> In this way, you can reuse the private key, as well as making it more
> secure by removing a privileged operation (private key access), allowing
> dehydrated to be run as a non-privileged/separate user.
You might want to check out this blog:
http://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
The author outlines a procedure for using DANE and Let’s Encrypt automatically generated certs in production.
I don’t really know much about DANE, but those wanting to implement it with free certs might want to check out this blog.
Kevin
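The quoted reply's point about --signcsr and DANE can be checked concretely. The following is an added example, not code from this thread, from dehydrated or from the linked blog post: it generates one long-lived key, derives a CSR from it (the only artifact dehydrated needs in signing mode), and shows that the DANE-EE "3 1 1" TLSA value, the SHA-256 of the certificate's SubjectPublicKeyInfo, is identical for two different certificates over the same key and changes as soon as a fresh key is used, which is what dehydrated does by default. The hostname mail.example.com, the working directory and the use of self-signed certificates as stand-ins for CA-issued ones (no ACME server is reachable offline) are assumptions for the example; a real run would feed the CSR to dehydrated and capture the certificate it writes to stdout.

```shell
#!/bin/sh
# Added example (not from the thread, dehydrated or the linked blog).
# Shows why reusing a private key (dehydrated --signcsr) keeps a DANE-EE
# "3 1 1" TLSA record stable: that record is SHA-256 over the certificate's
# SubjectPublicKeyInfo, so it depends only on the key, not on the cert.
# Hostname, paths and self-signed stand-in certs are assumptions; openssl required.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"
HOST="mail.example.com"          # hypothetical mail host

# SHA-256 of a DER SubjectPublicKeyInfo read from stdin, printed as hex.
spki_sha256() {
    openssl dgst -sha256 -hex | sed 's/^.*= //'
}
# The same hash can be taken from the private key, the CSR or a certificate,
# so the TLSA record can be published before the first cert is issued.
tlsa311_from_key()  { openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | spki_sha256; }
tlsa311_from_csr()  { openssl req  -in "$1" -pubkey -noout 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | spki_sha256; }
tlsa311_from_cert() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | spki_sha256; }

# Step 1: one long-lived key, mode 0600, kept where the dehydrated user
# cannot read it (the privileged operation the quoted reply wants removed).
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
    chmod 600 "$1"
}
# Step 2: the CSR carries only the public key and no secret; it is all that
# "dehydrated --signcsr req.csr" needs, so it may live in a readable path.
gen_csr() { openssl req -new -key "$1" -subj "/CN=$HOST" -out "$2" 2>/dev/null; }
# Step 3: stand-in for an issuance. Self-signed here because no CA is
# reachable offline; a real run would capture dehydrated's stdout instead.
issue_cert() { openssl x509 -req -in "$1" -signkey "$2" -days "$3" -set_serial "$4" -out "$5" 2>/dev/null; }

# Returns 0 when two certificates yield the same 3 1 1 record.
same_tlsa() { [ "$(tlsa311_from_cert "$1")" = "$(tlsa311_from_cert "$2")" ]; }

# Zone-file line for SMTP on port 25 (RFC 7672 naming).
tlsa_record() { printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$HOST" "$(tlsa311_from_cert "$1")"; }

demo() {
    gen_key "$WORK/privkey.pem"
    gen_csr "$WORK/privkey.pem" "$WORK/req.csr"
    # Two "renewals" from the same CSR: different certificates, identical record.
    issue_cert "$WORK/req.csr" "$WORK/privkey.pem" 90 1 "$WORK/cert-2017-02.pem"
    issue_cert "$WORK/req.csr" "$WORK/privkey.pem" 90 2 "$WORK/cert-2017-05.pem"
    tlsa_record "$WORK/cert-2017-02.pem"
    tlsa_record "$WORK/cert-2017-05.pem"
    # What a fresh key per run (dehydrated's default) does to the record.
    gen_key "$WORK/fresh.pem"
    gen_csr "$WORK/fresh.pem" "$WORK/fresh.csr"
    issue_cert "$WORK/fresh.csr" "$WORK/fresh.pem" 90 3 "$WORK/cert-fresh.pem"
    tlsa_record "$WORK/cert-fresh.pem"
}
demo
```

The first two printed records match and the third differs; that is the whole reason the reply suggests signing mode for DANE deployments. Because the hash is available from the key or CSR alone, the TLSA record can be published and allowed to propagate before the certificate is ever fetched.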