On 02/18/2017 10:24 PM, Robert L Mathews wrote:
On 2/17/17 1:38 PM, chaouche yacine wrote:
Seems wrong to me too, Robert. If you put your private key inside your certificate, won't it be sent to the client along with it ?
No; any SSL software that uses the file will extract the parts it needs from it and convert them to its internal format for future use. It never literally sends the file contents anywhere.
It's common and often recommended for a PEM file to contain everything needed; see, for example, the bottom section of:
https://www.digicert.com/ssl-support/pem-ssl-creation.htm
Doing this avoids the key and certificate files getting out of sync later.
I don't use Let's Encrypt but to avoid them getting out of sync, I simply put a time stamp in the filename, e.g.
/etc/pki/tls/private/deviant.email-20160427.key /etc/pki/tls/certs/deviant.email-20160427.crt
I never re-use a private key, when a cert expires I always generate a new private key with a new CSR.
That's one of the reasons I don't like Let's Encrypt, with one year certs it is easier to look at the certs and see what is going to expire in the coming month needing a new private key.
Let's Encrypt does 3 month certs and re-uses the private key when it generates a new cert.
I'm sure it probably could be scripted to use a new private key every time but then I have to have to update the TLSA record frequently (and you have to have the new fingerprint TLSA record in DNS before you start using it) and that would be a hassle.
I'm sure it probably could also be scripted to use a new private key every fourth time, too.
But for me its just easier to have certs that last a year and I can easily visually see what is going to need my action.