> That's one of the reasons I don't like Let's Encrypt, with one year certs it > is easier to look at the certs and see what is going to expire in the coming > month needing a new private key.
I use dehydrated (with Cloudflare DNS challenges) and as far as I know, it seems to generate a new private key every time. All newly generated certs are generated with the timestamp in the filenames and the soft links updated to point to the latest timestamped files. I have 4 domains each with an average of 70 alt names, so Let’s Encrypt is saving me money. I simply run the dehydrated script every week in a cron job to regenerate the certs (if there is less than 30 days until the current cert is set to expire) and rotate in any new certs. Of course, I run my sites using Docker and it is very easy to automate renewing certs. Note that I had the dehydrated script fail occasionally (mostly with 500 Server Busy errors for the Let’s Encrypt ACME server that sometimes cause me to have to wait a week before the script will succeed). Automating cert renewal and cert rotation into production using Let’s Encrypt and Docker is a huge win for me, and has taken the pain out of manually doing this once a year for each domain (and paying high fees for the privilege). And using the DNS-01 challenge type means that I can easily generate certs for my mail domain (that doesn’t have a web server). In fact, using Cloudflare DNS is free so even DNS for my mail domain doesn’t cost anything. Kevin > On Feb 19, 2017, at 2:00 AM, Michael A. Peters <mpet...@domblogger.net> wrote: > > On 02/18/2017 10:24 PM, Robert L Mathews wrote: >> On 2/17/17 1:38 PM, chaouche yacine wrote: >> >>> Seems wrong to me too, Robert. If you put your private key inside >>> your certificate, won't it be sent to the client along with it ? >> >> No; any SSL software that uses the file will extract the parts it needs >> from it and convert them to its internal format for future use. It never >> literally sends the file contents anywhere. >> >> It's common and often recommended for a PEM file to contain everything >> needed; see, for example, the bottom section of: >> >> https://www.digicert.com/ssl-support/pem-ssl-creation.htm >> >> Doing this avoids the key and certificate files getting out of sync later. >> > > I don't use Let's Encrypt but to avoid them getting out of sync, I simply put > a time stamp in the filename, e.g. > > /etc/pki/tls/private/deviant.email-20160427.key > /etc/pki/tls/certs/deviant.email-20160427.crt > > I never re-use a private key, when a cert expires I always generate a new > private key with a new CSR. > > That's one of the reasons I don't like Let's Encrypt, with one year certs it > is easier to look at the certs and see what is going to expire in the coming > month needing a new private key. > > Let's Encrypt does 3 month certs and re-uses the private key when it > generates a new cert. > > I'm sure it probably could be scripted to use a new private key every time > but then I have to have to update the TLSA record frequently (and you have to > have the new fingerprint TLSA record in DNS before you start using it) and > that would be a hassle. > > I'm sure it probably could also be scripted to use a new private key every > fourth time, too. > > But for me its just easier to have certs that last a year and I can easily > visually see what is going to need my action.
