On Thu, 23 Feb 2017, KT Walrus wrote:
It's on my to-do list, but I think you can use dehydrated in signing mode.--signcsr (-s) path/to/csr.pem Sign a given CSR, output CRT on stdout (advanced usage) In this way, you can reuse private key, as well as making it more secure by removing a privileged operations (private key acces) allowing dehydrated to be run as a non-privilged/separate user.You might want to check out this blog: http://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
This was exactly the type of procedure I wanted: persistent key that can be protected.
The author outlines a procedure for using DANE and Let?s Encrypt automatically generated certs in production. I don?t really know much about DANE, but those wanting to implement it with free certs might want to check out this blog.
I don't use DANE either, but it looks fraught with stale-cache peril. If DANE with rotating keys is your thing, I would lower the DANE record TTL to something small like 60s one TTL period before cert renewal, then set it back after cert renewal. Some DNS software will auto-decrement TTL to expire at a certin time, then transition to the new definition. Joseph Tam <jtam.h...@gmail.com>
