reusing the private key for too long (say a year or more) is considered a bad 
security practice. Imho it is easier to monitor changes of the issuing CA (I 
do) or just mark your calendar to update in September 2025 than to pin 3 1 1.
Don't want to be fundamental, just opinionated. Everyone has to decide on 
her/his own.
Cheers,
Joachim

-----Original Message-----
From: raf via Postfix-users <[email protected]> 
Sent: Saturday, 20 May 2023 00:53
To: [email protected]
Subject: [pfx] Re: DANE and DNSSEC

On Thu, May 18, 2023 at 08:54:16PM +0200, Joachim Lindenberg via Postfix-users 
<[email protected]> wrote:

> For Letsencrypt certificates I'd definitely go with 2 1 1 
> 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D and 
> optionally the R4 derivate and add their successors when these are about to 
> expire, rather than 3 1 1 and change every two months.
> Best Regards,
> Joachim

The certificate might change every few months, but that doesn't mean that the 
key has to change at the same time. As Viktor pointed out, with certbot you can 
configure reuse_key = True which prevents the renewal from creating a new key. 
That way, the user can decide when they want the key to rollover.

cheers,
raf
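As an added example, not code from this thread, from Postfix or from certbot: a stand-alone Python script that computes the TLSA matching data for the leaf-key (usage 3) and issuer (usage 2) cases discussed above, and shows that a renewal which reuses the key keeps the published "3 1 1" record valid while a renewal with a fresh key breaks it, whereas "2 1 1" only depends on the issuer certificate. It goes a little beyond the thread in also handling selector 0 (full certificate) and matching types 0 and 2. Every certificate, key value, name and helper (make_cert, spki_der, tlsa_rdata, tlsa_matches, build_demo) is constructed here; the certificates are DER-shaped stand-ins with a zeroed signature, so nothing in them PKIX-validates, but the SPKI extraction works on real DER certificates too.

```python
"""Added example: compute DANE TLSA matching data from DER certificates and show
that a renewed certificate keeps its "3 1 1" record as long as the key is reused.
All certificates below are constructed stand-ins with dummy signatures."""
import hashlib

# --- minimal DER encoder, used only to build the constructed test certificates ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_seq(*items):
    return der(0x30, b"".join(items))

def der_int(n):
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

ED25519_OID = der(0x06, bytes.fromhex("2b6570"))  # 1.3.101.112, only to have a valid OID

def make_spki(pubkey32):
    """SubjectPublicKeyInfo in the RFC 8410 Ed25519 layout (constructed key bytes)."""
    return der_seq(der_seq(ED25519_OID), der(0x03, b"\x00" + pubkey32))

def make_cert(serial, spki, issuer_cn, subject_cn, not_before, not_after):
    """X.509 v3-shaped certificate with a zeroed signature; constructed, never validates."""
    def name(cn):
        attr = der_seq(der(0x06, bytes.fromhex("550403")), der(0x0C, cn.encode()))
        return der_seq(der(0x31, attr))
    tbs = der_seq(
        der(0xA0, der_int(2)),                                  # [0] EXPLICIT version v3
        der_int(serial),
        der_seq(ED25519_OID),                                   # signature algorithm
        name(issuer_cn),
        der_seq(der(0x18, not_before), der(0x18, not_after)),  # GeneralizedTime validity
        name(subject_cn),
        spki,
    )
    return der_seq(tbs, der_seq(ED25519_OID), der(0x03, b"\x00" * 65))

# --- minimal DER reader: enough to pull the SPKI out of any DER certificate ---
def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the element starting at pos."""
    first = buf[pos + 1]
    if first < 0x80:
        return buf[pos], pos + 2, pos + 2 + first
    nb = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big")
    return buf[pos], pos + 2 + nb, pos + 2 + nb + length

def der_children(buf, pos=0):
    """Raw (tag, bytes) of each element inside the SEQUENCE at pos."""
    tag, p, end = der_tlv(buf, pos)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out = []
    while p < end:
        t, _, e = der_tlv(buf, p)
        out.append((t, buf[p:e]))
        p = e
    return out

def spki_der(cert_der):
    """SubjectPublicKeyInfo: 6th TBSCertificate field once the optional [0] version is skipped."""
    tbs = der_children(cert_der)[0][1]
    fields = [raw for tag, raw in der_children(tbs) if tag != 0xA0]
    return fields[5]  # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_rdata(cert_der, usage, selector, mtype):
    """TLSA RDATA text; selector 0 = full cert, 1 = SPKI; mtype 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    if mtype == 0:
        digest = data.hex()
    elif mtype == 1:
        digest = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        digest = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {digest}"

def tlsa_matches(published, leaf_der, issuer_der):
    """Published records that still match a (leaf, issuer) pair. Usage 1/3 is checked
    against the leaf, 0/2 against the issuer; PKIX validation is out of scope here."""
    hits = []
    for rec in published:
        usage, selector, mtype, _ = rec.split()
        usage, selector, mtype = int(usage), int(selector), int(mtype)
        target = leaf_der if usage in (1, 3) else issuer_der
        if tlsa_rdata(target, usage, selector, mtype).lower() == rec.lower():
            hits.append(rec)
    return hits

def build_demo():
    """Constructed scenario: issuer, leaf, a renewal with the key reused, a renewal with a new key."""
    key_a = hashlib.sha256(b"constructed key A").digest()
    key_b = hashlib.sha256(b"constructed key B").digest()
    ca_key = hashlib.sha256(b"constructed CA key").digest()
    ca = make_cert(1, make_spki(ca_key), "Example CA", "Example CA", b"20230101000000Z", b"20330101000000Z")
    leaf = make_cert(1001, make_spki(key_a), "Example CA", "mail.example", b"20230301000000Z", b"20230530000000Z")
    same_key = make_cert(1002, make_spki(key_a), "Example CA", "mail.example", b"20230501000000Z", b"20230730000000Z")
    new_key = make_cert(1003, make_spki(key_b), "Example CA", "mail.example", b"20230501000000Z", b"20230730000000Z")
    return ca, leaf, same_key, new_key

if __name__ == "__main__":
    ca, leaf, same_key, new_key = build_demo()
    published = [tlsa_rdata(leaf, 3, 1, 1), tlsa_rdata(ca, 2, 1, 1)]
    for label, cert in (("original", leaf), ("renewed, key reused", same_key), ("renewed, new key", new_key)):
        print(f"{label:20s} still matches: {tlsa_matches(published, cert, ca)}")
```

Against a real certificate file the "3 1 1" digest that spki_der plus SHA-256 produces is the same one you get from openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256, so the script can be used to confirm, before a renewed certificate is deployed, that the published record will still match. With certbot's reuse_key, the "renewed, key reused" case is the normal outcome and the record keeps matching across renewals; the "renewed, new key" case is what a key rollover looks like, and it is where a fresh "3 1 1" record has to be published ahead of the switch.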

_______________________________________________
Postfix-users mailing list -- [email protected] To unsubscribe send an 
email to [email protected]
