It's easy to use certbot for this:
certbot certonly --standalone --key-type rsa --rsa-key-size 3072 --reuse-key -d domain.com
This will reuse the same key each time and when you want to rotate the key you can request a second certificate with --cert-name to rotate.
Conversation
The same private key? Well, the whole point for a shortened certificate life time to me was to renew also the private key.
2
Email server security depends on pinning the private key via a TLSA record. That means the regular certificate renewal process needs to reuse the same private key. Please read the next tweet in the thread. You're responding to this tweet out of context.
Quote Tweet
Replying to @DanielMicay @VDukhovni and 2 others
You add a TLSA record for the new certificate, then once enough time has passed switch over to it and tell certbot to delete the old certificate.
MUAs usually expect a CA issued certificate for the submission ports and don't understand TLSA records so it's useful beyond MTA-STS.
1
If you want to automate key rotation, you can do that. If you want to rotate the private key every week, that's entirely possible. You need to obtain a new certificate with the new private key, add a new TLSA record, wait and then rotate over to using the new certificate.
1
Email servers can't validate each other's certificates based on certificate authorities unless they opt into that via MTA-STS which is a Trust-On-First-Use system like HSTS without support for preloading. It also still depends on DNS security, as do certificates from CAs.
2
Don't need to rotate the key based on the Let's Encrypt schedule where you renew every 60 days and certificates expire after 90 days. Once you remove the previous TLSA record after rotation, prior certificates won't pass DANE verification. You could do it way more frequently.
1
If you automate handling key rotation, which requires rotating the pins, then you can determine the rate that it happens. The Let's Encrypt rate limit is quite high although you would want to leave yourself leeway rather than using all of it as part of regular usage.
1
If you don't use --reuse-key, then it's going to immediately start using the new key immediately and your TLSA pin will be broken. DNS records are cached based on their TTL and there will be a window of breakage based on TTL even if you add a certbot hook to update the record.
1
1
Does certbot or friends have a hook for e.g. nsupdate?
2
AVOID certbot hooks. They're *unreliable*, certbot will keep going whether the hooks succeed or fail.
Instead of running custom code via certbot hooks, wrap certbot in a script that performs appropriate pre and post actions *reliably*.
1
Yeah, ideally, someone would implement a script for doing rotations robustly via --cert-name so that certbot doesn't replace the live certificate. The OCSP stapling hook only works because nginx doesn't start using the new certificate until it's told to reload the configuration.
In theory, the OCSP server could be unavailable right after getting a new certificate, and then you'd have downtime for clients enforcing Must-Staple. It's not something I have to worry about though. We don't have anything close to a high availability setup with failover, etc.
1
Postfix does not support (ignores) OCSP, so not a risk there. Exim may optionally support it, but OCSP is silly with DANE, just change your TLSA RRs if the previous key is compromised.
1
Show replies