On 02/18/2017 10:24 PM, Robert L Mathews wrote:
On 2/17/17 1:38 PM, chaouche yacine wrote:
Seems wrong to me too, Robert. If you put your private key inside
your certificate, won't it be sent to the client along with it ?
No; any SSL software that uses the file will extract the parts it needs
from it and convert them to its internal format for future use. It never
literally sends the file contents anywhere.
It's common and often recommended for a PEM file to contain everything
needed; see, for example, the bottom section of:
https://www.digicert.com/ssl-support/pem-ssl-creation.htm
Doing this avoids the key and certificate files getting out of sync later.
I don't use Let's Encrypt but to avoid them getting out of sync, I
simply put a time stamp in the filename, e.g.
/etc/pki/tls/private/deviant.email-20160427.key
/etc/pki/tls/certs/deviant.email-20160427.crt
I never re-use a private key, when a cert expires I always generate a
new private key with a new CSR.
That's one of the reasons I don't like Let's Encrypt, with one year
certs it is easier to look at the certs and see what is going to expire
in the coming month needing a new private key.
Let's Encrypt does 3 month certs and re-uses the private key when it
generates a new cert.
I'm sure it probably could be scripted to use a new private key every
time but then I have to have to update the TLSA record frequently (and
you have to have the new fingerprint TLSA record in DNS before you start
using it) and that would be a hassle.
I'm sure it probably could also be scripted to use a new private key
every fourth time, too.
But for me its just easier to have certs that last a year and I can
easily visually see what is going to need my action.
