That's one of the reasons I don't like Let's Encrypt, with one year certs it is easier to look at the certs and see what is going to expire in the coming month needing a new private key.
I use dehydrated (with Cloudflare DNS challenges) and as far as I know, it seems to generate a new private key every time. All newly generated certs are generated with the timestamp in the filenames and the soft links updated to point to the latest timestamped files. I have 4 domains each with an average of 70 alt names, so Let’s Encrypt is saving me money. I simply run the dehydrated script every week in a cron job to regenerate the certs (if there is less than 30 days until the current cert is set to expire) and rotate in any new certs.
Of course, I run my sites using Docker and it is very easy to automate renewing certs. Note that I had the dehydrated script fail occasionally (mostly with 500 Server Busy errors for the Let’s Encrypt ACME server that sometimes cause me to have to wait a week before the script will succeed).
Automating cert renewal and cert rotation into production using Let’s Encrypt and Docker is a huge win for me, and has taken the pain out of manually doing this once a year for each domain (and paying high fees for the privilege). And using the DNS-01 challenge type means that I can easily generate certs for my mail domain (that doesn’t have a web server). In fact, using Cloudflare DNS is free so even DNS for my mail domain doesn’t cost anything.
Kevin
On Feb 19, 2017, at 2:00 AM, Michael A. Peters <mpeters@domblogger.net> wrote:
On 02/18/2017 10:24 PM, Robert L Mathews wrote:
On 2/17/17 1:38 PM, chaouche yacine wrote:
Seems wrong to me too, Robert. If you put your private key inside your certificate, won't it be sent to the client along with it ?
No; any SSL software that uses the file will extract the parts it needs from it and convert them to its internal format for future use. It never literally sends the file contents anywhere.
It's common and often recommended for a PEM file to contain everything needed; see, for example, the bottom section of:
https://www.digicert.com/ssl-support/pem-ssl-creation.htm
Doing this avoids the key and certificate files getting out of sync later.
I don't use Let's Encrypt but to avoid them getting out of sync, I simply put a time stamp in the filename, e.g.
/etc/pki/tls/private/deviant.email-20160427.key /etc/pki/tls/certs/deviant.email-20160427.crt
I never re-use a private key, when a cert expires I always generate a new private key with a new CSR.
That's one of the reasons I don't like Let's Encrypt, with one year certs it is easier to look at the certs and see what is going to expire in the coming month needing a new private key.
Let's Encrypt does 3 month certs and re-uses the private key when it generates a new cert.
I'm sure it probably could be scripted to use a new private key every time but then I have to have to update the TLSA record frequently (and you have to have the new fingerprint TLSA record in DNS before you start using it) and that would be a hassle.
I'm sure it probably could also be scripted to use a new private key every fourth time, too.
But for me its just easier to have certs that last a year and I can easily visually see what is going to need my action.