On 02/19/2017 05:39 AM, KT Walrus wrote:
> That's one of the reasons I don't like Let's Encrypt; with one-year certs it is easier to look at the certs and see what is going to expire in the coming month needing a new private key.
> I use dehydrated (with Cloudflare DNS challenges) and as far as I know, it seems to generate a new private key every time.
Yeah that would be a problem for me because I implement DANE.
Every time I change the private key:

A) I have to make a TLSA record for the new key.
B) I have to let that key propagate in DNS while the old cert is active. I use an 8-hour TTL for DNS records, so that takes 16 hours (twice the TTL).
C) Then I can switch to the new key / cert in the server.
I use TLSA records for everything TLS, even dovecot - despite the fact I am not aware of any IMAP clients that will validate via DANE - because it is the right thing to do and sooner or later IMAP clients will support DNSSEC and DANE.
Having to do that every three months for every service I run, I really do not see what real world benefit I or my users would gain.
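The three-step rollover above (publish a TLSA record for the new key, wait twice the TTL, then switch the server) as a worked example. This is added here for illustration and is not the poster's code; it uses only the Python standard library. The byte strings OLD_SPKI and NEW_SPKI are constructed placeholders for DER-encoded SubjectPublicKeyInfo blobs, and the host name and port are assumed. It builds "3 1 1" (DANE-EE, SPKI, SHA-256) records, models the check a DANE-EE validating client performs so you can confirm that both keys validate during the transition window, and computes the earliest safe switch time from the TTL.

```python
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. Real values
# come from the key/cert files the ACME client writes (see the note below).
OLD_SPKI = b"constructed: DER SubjectPublicKeyInfo of the key in service"
NEW_SPKI = b"constructed: DER SubjectPublicKeyInfo of the freshly issued key"

# TLSA field values from RFC 6698. DANE-EE (3) + SPKI (1) + SHA-256 (1) is the
# combination the workflow above implies: only a key change needs a new record,
# a re-issued cert for the same key does not.
USAGE_DANE_EE = 3
SELECTOR_CERT, SELECTOR_SPKI = 0, 1
MTYPE_FULL, MTYPE_SHA256, MTYPE_SHA512 = 0, 1, 2


def association_data(data: bytes, mtype: int) -> str:
    """Hex 'certificate association data' for a matching type."""
    if mtype == MTYPE_FULL:
        return data.hex()
    if mtype == MTYPE_SHA256:
        return hashlib.sha256(data).hexdigest()
    if mtype == MTYPE_SHA512:
        return hashlib.sha512(data).hexdigest()
    raise ValueError(f"unsupported matching type {mtype}")


def tlsa_rdata(data: bytes, usage: int = USAGE_DANE_EE,
               selector: int = SELECTOR_SPKI, mtype: int = MTYPE_SHA256) -> str:
    """TLSA RDATA in presentation format: '<usage> <selector> <mtype> <hex>'."""
    return f"{usage} {selector} {mtype} {association_data(data, mtype)}"


def tlsa_owner(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name per RFC 6698 section 3: _port._proto.host."""
    return f"_{port}._{proto}.{host}."


def dane_ee_accepts(presented: dict, rrset: list) -> bool:
    """Model of the usage-3 (DANE-EE) check a validating client performs:
    the presented end-entity cert/SPKI must match at least one TLSA record.
    `presented` maps 'cert' and 'spki' to their DER bytes."""
    for rdata in rrset:
        usage, selector, mtype, assoc = rdata.split()
        if int(usage) != USAGE_DANE_EE:
            continue  # usages 0-2 need PKIX chain building; out of scope here
        data = presented["cert"] if int(selector) == SELECTOR_CERT else presented["spki"]
        if association_data(data, int(mtype)).lower() == assoc.lower():
            return True
    return False


def rollover_plan(host: str, port: int, old_spki: bytes, new_spki: bytes,
                  publish_at: int, ttl_seconds: int) -> dict:
    """Timeline (epoch seconds) for the rollover described above.
    The new record is published next to the old one; a resolver that cached
    the old RRset just before publication can serve it for up to one TTL and
    then re-fetch, so after 2x TTL every cache holds both keys and the
    server can safely start presenting the new one."""
    return {
        "owner": tlsa_owner(host, port),
        "transitional_rrset": [tlsa_rdata(old_spki), tlsa_rdata(new_spki)],
        "switch_not_before": publish_at + 2 * ttl_seconds,
    }


if __name__ == "__main__":
    plan = rollover_plan("mail.example.com", 25, OLD_SPKI, NEW_SPKI,
                         publish_at=0, ttl_seconds=8 * 3600)
    for rdata in plan["transitional_rrset"]:
        print(f'{plan["owner"]} IN TLSA {rdata}')
    print("switch server no earlier than +%d h" % (plan["switch_not_before"] // 3600))
    # During the window both the old and the new key validate against the RRset.
    for label, spki in (("old", OLD_SPKI), ("new", NEW_SPKI)):
        ok = dane_ee_accepts({"cert": b"", "spki": spki}, plan["transitional_rrset"])
        print(f"{label} key accepted by DANE-EE client: {ok}")
```

To feed real data in, extract the SPKI in DER form with `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER`, or directly from the private key with `openssl pkey -in privkey.pem -pubout -outform DER`; the latter lets you publish the record before the certificate is even issued, which shortens the window when the ACME client generates the key ahead of time. Selector 1 is what keeps a cert renewal that reuses the key from touching DNS at all; selector 0 (full certificate) would require a new record on every renewal regardless of the key.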