Best practice TLSA RRs for CA-issued certs
Michael Grimm
trashcan at ellael.org
Fri Dec 30 11:53:21 CET 2016
On 29 Dec 2016, at 22:56, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> If you:
>
> * Configure LE cert renewal to NOT replace your key, just issue a new
> certificate for the *same* key as before:
>
> https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
>
> * Publish a "3 1 1" TLSA record for the stable public key.
>
> Then LE certificate renewal requires no DNS changes, and can proceed in
> an automated manner via their tools.
Thank you for your clarification that *no DNS changes are required*, ..
> From time to time, you might decide that your key has been lying around on
> your server too long, and may now be compromised. Then you create a new
> key-pair and do LE renewal with that key instead. You then can either
> go with the process outlined in:
>
> http://tools.ietf.org/html/rfc7671#section-8.1
.. *unless* I manually go for a new key. Perfect. That is a procedure I can live with, and I will follow that approach, then.
I'd like to thank you both for your help in understanding what will be the upcoming steps when implementing LE certificates.
With kind regards and a Happy New Year,
Michael
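The "3 1 1" association data Viktor describes is the SHA-256 digest of the certificate's SubjectPublicKeyInfo, which is why a renewed certificate for the same key needs no DNS change. The script below is an added example, not code from the thread or from Let's Encrypt; it derives that record from a certificate and, as a pre-install check, confirms a renewed certificate still matches the value already published in DNS before it is swapped in. It assumes only the openssl CLI; file paths and the host name are placeholders you pass in.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes the openssl CLI.

# Print the "3 1 1" TLSA certificate association data for a certificate:
# selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256 over its DER
# encoding. Only the public key is hashed, so a renewed certificate for the
# same key yields the same value and the DNS record stays valid.
tlsa_311_data() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | od -An -tx1 | tr -d ' \n'
}

# Print a complete TLSA RR: port, protocol, host name, certificate file.
tlsa_311_rr() {
  printf '_%s._%s.%s. IN TLSA 3 1 1 %s\n' "$1" "$2" "$3" "$(tlsa_311_data "$4")"
}

# Pre-install check: before swapping in a renewed certificate, confirm its
# key still matches the association data published in DNS. A mismatch means
# the key was replaced, so the RFC 7671 section 8.1 rollover (publish the
# new record, wait out the TTL, then switch) must happen first.
# Exit status 0 on match, 1 on mismatch.
tlsa_311_matches() {
  cert="$1" published="$2"
  [ "$(tlsa_311_data "$cert")" = "$published" ]
}

# Usage, with placeholder paths:
#   tlsa_311_rr 25 tcp mail.example.org /etc/ssl/cert.pem
#   tlsa_311_matches /path/to/renewed-cert.pem "$PUBLISHED_HEX" || echo "key changed: roll over TLSA first"
```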