On Mon, May 22, 2023 at 09:53:36PM -0400, Viktor Dukhovni via Postfix-users wrote:

> Key reuse as a *default* rollover approach is robust. When it is time
> to change keys, one can do so deliberately, and with due care to
> prepublish TLSA records matching the *next* key, then after a few TTLs
> deploy the next certificate, and at that point drop the outdated TLSA RR
> matching the old keys. Meanwhile, root CAs reuse the same RSA 2048-bit
> key for decades.

To that end, though it is not yet feature-complete, I am announcing a
"beta" release of "danebot", which is a wrapper around "certbot" that
supports safe key rollover (with by default stable reused keys) in
combination with "3 1 1" TLSA records.

At this point, I am particularly looking for adoption from experienced
shell script developers, who might add missing features or, having
examined the code, might help to improve the documentation. That said,
"danebot" can be used as-is (I've been using it for over a year) by
anyone who is not a novice with "certbot".

https://github.com/tlsaware/danebot

The same design principles can surely (and perhaps even more easily) be
adapted to other ACME clients. Contributions along those lines also
welcome (likely as variants of the "certbot" script).

-- 
Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
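The rollover sequence quoted above (prepublish the TLSA record for the next key, wait out the TTLs, deploy the certificate, then retire the old record) can be modelled as an invariant: at every step, the key the server is serving must match at least one published "3 1 1" record. The following is an added example, not code from the thread or from the danebot project, that computes "3 1 1" digests and checks that invariant across a safe rollover, an unsafe one, and a plain renewal with key reuse. The SPKI byte strings and the host name `mail.example.com` are constructed placeholders; a real deployment would hash the DER-encoded SubjectPublicKeyInfo extracted from the certificate.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. Real SPKIs
# are ASN.1 structures; any bytes work here because "3 1 1" only hashes them.
OLD_SPKI = b"constructed-spki-old-key"
NEW_SPKI = b"constructed-spki-new-key"


def tlsa_311_digest(spki_der: bytes) -> str:
    """Matching-type 1 digest for a '3 1 1' TLSA record: SHA-256 of the SPKI DER.

    Usage 3 (DANE-EE) pins the end-entity key and selector 1 hashes only the
    SubjectPublicKeyInfo, so a renewed certificate that reuses the same key
    yields the identical record.  That is why key reuse makes renewals safe.
    """
    return hashlib.sha256(spki_der).hexdigest()


def tlsa_rr(host: str, port: int, spki_der: bytes) -> str:
    """Render the presentation-format TLSA record, e.g. for SMTP on port 25."""
    return f"_{port}._tcp.{host}. IN TLSA 3 1 1 {tlsa_311_digest(spki_der)}"


@dataclass
class DaneState:
    """Minimal model of what a DANE verifier sees: published RRset + served key."""
    host: str
    port: int = 25
    published: set = field(default_factory=set)   # digests currently in DNS
    deployed: Optional[bytes] = None              # SPKI of the served certificate

    def verifies(self) -> bool:
        """True when the served key matches at least one published TLSA RR."""
        return (self.deployed is not None
                and tlsa_311_digest(self.deployed) in self.published)

    def prepublish(self, spki_der: bytes) -> bool:
        """Add a record for a key that is not yet served (step 1 of the quote)."""
        self.published.add(tlsa_311_digest(spki_der))
        return self.verifies()

    def deploy(self, spki_der: bytes) -> bool:
        """Switch the served certificate to this key (step 2, after the TTLs)."""
        self.deployed = spki_der
        return self.verifies()

    def retire(self, spki_der: bytes) -> bool:
        """Drop the record for a key no longer served (step 3)."""
        self.published.discard(tlsa_311_digest(spki_der))
        return self.verifies()


def initial_state() -> DaneState:
    """A correctly deployed zone: one key served, its record published."""
    state = DaneState("mail.example.com")
    state.prepublish(OLD_SPKI)
    state.deploy(OLD_SPKI)
    return state


def safe_rollover(state: DaneState, new_spki: bytes, old_spki: bytes) -> list:
    """Prepublish, (wait a few TTLs), deploy, retire: every step verifies."""
    return [state.prepublish(new_spki),
            state.deploy(new_spki),
            state.retire(old_spki)]


def unsafe_rollover(state: DaneState, new_spki: bytes) -> list:
    """Deploying a new key before its TLSA RR exists breaks verification."""
    return [state.deploy(new_spki), state.prepublish(new_spki)]


def renew_with_key_reuse(state: DaneState) -> bool:
    """A renewed certificate with the same key needs no DNS change at all."""
    return state.deploy(state.deployed)


if __name__ == "__main__":
    print(tlsa_rr("mail.example.com", 25, OLD_SPKI))
    print("safe rollover  :", safe_rollover(initial_state(), NEW_SPKI, OLD_SPKI))
    print("unsafe rollover:", unsafe_rollover(initial_state(), NEW_SPKI))
    print("renewal (reuse):", renew_with_key_reuse(initial_state()))
```

The `unsafe_rollover` branch is the failure mode the quoted text is guarding against: once a "3 1 1" record is the only thing a remote verifier trusts, serving a key whose digest is not yet in DNS causes DANE-validating senders to refuse delivery until the record propagates, which is why the prepublish step and the TTL wait come first.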
> Key reuse as a *default* rollover approach is robust. When it is time > to change keys, one can do so deliberately, and with due care to > prepublish TLSA records matching the *next* key, then after a few TTLs > deploy the next certificate, and at that point drop the outdated TLSA RR > matching the old keys. Meanwhile, root CAs reuse the same RSA 2048-bit > key for decades. To that end, though it is not yet feature-complete, I am announcing a "beta" release of "danebot", which is a wrapper around "certbot" that supports safe key rollover (with by default stable reused keys) in combination with "3 1 1" TLSA records. At this point, I am particularly looking for adoption from experienced shell script developers, who might add missing features or having examined the code might help to improve the documentation. That said, "danebot" can be used as-is (I've been using it for over a year) by anyone who is not a novice with "certbot". https://github.com/tlsaware/danebot The same design principles can surely (and perhaps even more easily) be adapted to other ACME clients. Contributions along those lines also welcome (likely as variants of the "certbot" script). -- Viktor. _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org