On 29 Dec 2016, at 22:56, Viktor Dukhovni <[email protected]> wrote:
> If you:
>
> * Configure LE cert renewal to NOT replace your key, just issue a new
>   certificate for the *same* key as before:
>
>   https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
>
> * Publish a "3 1 1" TLSA record for the stable public key.
>
> Then LE certificate renewal requires no DNS changes, and can proceed in
> an automated manner via their tools.

Thank you for your clarification that *no DNS changes are required*, ..

> From time to time, you might decide that your key has been lying around on
> your server too long, and may now be compromised. Then you create a new
> key-pair and do LE renewal with that key instead. You then can either
> go with the process outlined in:
>
> http://tools.ietf.org/html/rfc7671#section-8.1

.. *unless* I manually go for a new key.

Perfect. That is a procedure I can live with, and I will follow that approach, then.

I'd like to thank you both for your help in understanding what will be the upcoming steps when implementing LE certificates.

With kind regards and a Happy New Year,
Michael
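The "3 1 1" record discussed above is a SHA-256 digest of the certificate's SubjectPublicKeyInfo, so it depends only on the key pair, not on the issued certificate. The script below is an added example, not code from the thread or from Let's Encrypt: it computes the record from the private key, and checks a freshly renewed certificate against the published digest before it is installed. It assumes the openssl CLI is available; the host name, port and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build a "3 1 1" TLSA record
# (usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching 1 = SHA-256)
# and check that a renewed certificate still matches the published record.
# Assumes the openssl command-line tool is installed.

# SHA-256 over the DER-encoded SubjectPublicKeyInfo extracted from a certificate.
tlsa_311_from_cert() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r \
    | cut -d' ' -f1
}

# The same digest taken straight from the private key: this is what gets
# published, and it can be computed before the first LE certificate exists.
tlsa_311_from_key() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -r \
    | cut -d' ' -f1
}

# Zone-file line for host $1, TCP port $2, private key file $3,
# e.g. tlsa_record mail.example.com 25 /etc/ssl/private/mail.key
tlsa_record() {
  printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$1" "$(tlsa_311_from_key "$3")"
}

# Pre-install check for a renewal hook: does certificate $1 match the
# currently published digest $2? Returns 0 on match, 1 on mismatch.
# A mismatch means the key changed, i.e. the RFC 7671 section 8.1
# rollover applies: publish the new record first, install the cert later.
tlsa_check_cert() {
  [ "$(tlsa_311_from_cert "$1")" = "$2" ]
}
```

Wire `tlsa_check_cert` into the renewal hook so a certificate issued for an unexpected key is never deployed while the old TLSA record is still the only one in DNS.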
