It's easy to use certbot for this:
certbot certonly --standalone --key-type rsa --rsa-key-size 3072 --reuse-key -d domain.com
This will reuse the same key each time and when you want to rotate the key you can request a second certificate with --cert-name to rotate.
Conversation
The same private key? Well, the whole point for a shortened certificate life time to me was to renew also the private key.
2
Email server security depends on pinning the private key via a TLSA record. That means the regular certificate renewal process needs to reuse the same private key. Please read the next tweet in the thread. You're responding to this tweet out of context.
Quote Tweet
Replying to @DanielMicay @VDukhovni and 2 others
You add a TLSA record for the new certificate, then once enough time has passed switch over to it and tell certbot to delete the old certificate.
MUAs usually expect a CA issued certificate for the submission ports and don't understand TLSA records so it's useful beyond MTA-STS.
1
If you want to automate key rotation, you can do that. If you want to rotate the private key every week, that's entirely possible. You need to obtain a new certificate with the new private key, add a new TLSA record, wait and then rotate over to using the new certificate.
1
Email servers can't validate each other's certificates based on certificate authorities unless they opt into that via MTA-STS which is a Trust-On-First-Use system like HSTS without support for preloading. It also still depends on DNS security, as do certificates from CAs.
2
Don't need to rotate the key based on the Let's Encrypt schedule where you renew every 60 days and certificates expire after 90 days. Once you remove the previous TLSA record after rotation, prior certificates won't pass DANE verification. You could do it way more frequently.
1
If you automate handling key rotation, which requires rotating the pins, then you can determine the rate that it happens. The Let's Encrypt rate limit is quite high although you would want to leave yourself leeway rather than using all of it as part of regular usage.
1
If you don't use --reuse-key, then it's going to immediately start using the new key immediately and your TLSA pin will be broken. DNS records are cached based on their TTL and there will be a window of breakage based on TTL even if you add a certbot hook to update the record.
1
1
Does certbot or friends have a hook for e.g. nsupdate?
2
certbot supports arbitrary hooks which I personally use for github.com/tomwassenberg/ to have reliable OCSP Must-Staple with nginx.
Could make a little script to generate a TLSA record and set it for the DNS server. I haven't implemented automation for key rotation myself.
1
1
At the moment, to do a key rotation, I set the TTL for the TLSA records to 1 minute, wait, disable reuse_key, renew, add a new TLSA record, wait, then reload the server configuration. Our mail server is low traffic with a couple internal users and attestation.app/about alerts.
I don't have it automated because it's tricky to fit it into the way that certbot works right now. It would be nice if someone got a robust approach implemented that I could reuse, similar to that scripting for using OCSP Must-Staple with certbot and nginx. I don't have time.
2
It doesn't fit into the way that hooks work right now. You need to use --cert-name to get a 2nd certificate to avoid certbot replacing the existing one. So, you would need to make scripting around certbot rather than within the existing framework it has for calling hooks.