> On Feb 20, 2017, at 4:01 PM, Joseph Tam <jtam.h...@gmail.com> wrote:
>
> yacinechaou...@yahoo.com writes:
>
>> Interesting. Is there any particular benefit in having only one file
>> for both certificate and private key? I find that putting the private key
>> in a separate file feels more secure.
>
> It's convenient to have key and cert in one place if you don't need
> the certificate to be publicly readable. Keeping it in separate
> files would add slightly more security (defense in depth) that would
> protect from, for example, an admin fumble or a bug in the SSL library.
>
> "Michael A. Peters" <mpet...@domblogger.net> writes:
>
>>> I use dehydrated (with Cloudflare DNS challenges) and as far as I know,
>>> it seems to generate a new private key every time.
>>
>> Yeah, that would be a problem for me because I implement DANE.
>
> It's on my to-do list, but I think you can use dehydrated in signing
> mode.
>
>   --signcsr (-s) path/to/csr.pem   Sign a given CSR, output CRT on stdout
>                                     (advanced usage)
>
> In this way, you can reuse the private key, as well as making it more
> secure by removing a privileged operation (private key access), allowing
> dehydrated to be run as a non-privileged/separate user.
You might want to check out this blog:

http://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/

The author outlines a procedure for using DANE and Let’s Encrypt automatically generated certs in production. I don’t really know much about DANE, but those wanting to implement it with free certs might want to check out this blog.

Kevin
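The stable-key renewal Joseph Tam describes above, as an added example that is not from the thread or from dehydrated itself: keep one long-lived key, have dehydrated sign a CSR for it, and verify that the returned certificate's SubjectPublicKeyInfo still matches the key, so the DANE TLSA "3 1 1" record published for that key stays valid across renewals. It assumes the openssl and sha256sum command-line tools; the dehydrated call uses the --signcsr option quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): one long-lived key, each new cert
# signed via `dehydrated --signcsr`, and a check that the cert's
# SubjectPublicKeyInfo still matches the key before it is installed.
# Assumes the openssl and sha256sum CLIs are available.
set -e

# SHA-256 of the DER-encoded SubjectPublicKeyInfo derived from a private key.
spki_sha256_from_key() {
    openssl pkey -in "$1" -pubout -outform DER | sha256sum | cut -d' ' -f1
}

# The same digest, taken from a certificate, for comparison.
spki_sha256_from_cert() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER | sha256sum | cut -d' ' -f1
}

# TLSA record data for the key: usage 3 (DANE-EE), selector 1 (SPKI),
# matching type 1 (SHA-256). This is what stays constant if the key is reused.
tlsa_311_for_key() {
    printf '3 1 1 %s\n' "$(spki_sha256_from_key "$1")"
}

# Exit status 0 only if the certificate carries exactly this key's public part.
cert_matches_key() {
    [ "$(spki_sha256_from_cert "$2")" = "$(spki_sha256_from_key "$1")" ]
}

# Build a CSR from the existing key and have dehydrated sign it (the
# --signcsr mode quoted in the thread); the certificate is written to $3.
# Under `set -e`, a key mismatch aborts before anything gets installed.
# Not exercised by the self-check, since it needs a live ACME account.
renew_with_stable_key() {
    key=$1; domain=$2; out=$3
    openssl req -new -key "$key" -subj "/CN=$domain" -out "$out.csr"
    dehydrated --signcsr "$out.csr" > "$out"
    cert_matches_key "$key" "$out"
}
```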