Problem with Let's Encrypt Certificate

Michael A. Peters mpeters at domblogger.net
Sun Feb 19 07:00:17 UTC 2017


On 02/18/2017 10:24 PM, Robert L Mathews wrote:
> On 2/17/17 1:38 PM, chaouche yacine wrote:
>
>> Seems wrong to me too, Robert. If you put your private key inside
>> your certificate, won't it be sent to the client along with it?
>
> No; any SSL software that uses the file will extract the parts it needs
> from it and convert them to its internal format for future use. It never
> literally sends the file contents anywhere.
>
> It's common and often recommended for a PEM file to contain everything
> needed; see, for example, the bottom section of:
>
>  https://www.digicert.com/ssl-support/pem-ssl-creation.htm
>
> Doing this avoids the key and certificate files getting out of sync later.
>

I don't use Let's Encrypt, but to avoid them getting out of sync I 
simply put a time stamp in the filename, e.g.

/etc/pki/tls/private/deviant.email-20160427.key
/etc/pki/tls/certs/deviant.email-20160427.crt

I never re-use a private key; when a cert expires I always generate a 
new private key with a new CSR.

That's one of the reasons I don't like Let's Encrypt; with one-year 
certs it is easier to look at the certs and see what is going to expire 
in the coming month needing a new private key.

Let's Encrypt does 3 month certs and re-uses the private key when it 
generates a new cert.

I'm sure it probably could be scripted to use a new private key every 
time, but then I have to update the TLSA record frequently (and 
you have to have the new fingerprint TLSA record in DNS before you start 
using it) and that would be a hassle.

I'm sure it probably could also be scripted to use a new private key 
every fourth time, too.

But for me it's just easier to have certs that last a year and I can 
easily visually see what is going to need my action.
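As an added illustration of the TLSA point in the message above (this is example code, not part of the thread or of any project mentioned in it): the Go program below, using only the standard library, computes the record data of a DANE-EE TLSA record for a certificate and shows why a "3 1 1" record (SHA-256 over the SubjectPublicKeyInfo, i.e. the public key) survives a renewal that reuses the key but must be republished when the key is rotated, while a "3 0 1" record (SHA-256 over the whole certificate) changes on every renewal. Self-signed certificates constructed inline stand in for CA-issued ones; the 90-day validity and the hostname are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// issue stands in for a CA issuing or renewing a 90-day certificate for key.
// A fresh serial and signature mean every renewal yields different certificate bytes.
func issue(key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: now, NotAfter: now.Add(90 * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert
}

// tlsaRData returns the RDATA of a DANE-EE TLSA record: usage 3, matching type 1 (SHA-256).
func tlsaRData(cert *x509.Certificate, selector int) string {
	data := cert.RawSubjectPublicKeyInfo // selector 1: hash the public key only
	if selector == 0 {
		data = cert.Raw // selector 0: hash the whole DER certificate
	}
	sum := sha256.Sum256(data)
	return fmt.Sprintf("3 %d 1 %x", selector, sum[:])
}

// renewalVsRotation reports whether "3 1 1" and "3 0 1" records still match after a
// renewal with the same key, and whether "3 1 1" still matches after a key rotation.
func renewalVsRotation() (keep311, keep301, keep311AfterRotate bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	old, renewed, rotated := issue(key, 1), issue(key, 2), issue(newKey, 3)
	keep311 = tlsaRData(old, 1) == tlsaRData(renewed, 1)
	keep301 = tlsaRData(old, 0) == tlsaRData(renewed, 0)
	keep311AfterRotate = tlsaRData(old, 1) == tlsaRData(rotated, 1)
	return
}

func main() {
	fmt.Println(renewalVsRotation()) // prints: true false false
}
```

The result is the trade-off the message describes: with "3 1 1" records, reusing the key across renewals needs no DNS change, and only a key rotation requires publishing the new record data before the new key goes live.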

