I’m using a different approach. I recommend generating multiple key pairs for each certificate. Only the “live” one is exposed. The rest are kept in a safe place to deal with future key compromise.
You can generate DANE DNS RRs covering all the certificates — live and reserve — so that revoking a compromised certificate and activating a reserve one is a seamless operation.
This is covered in my blog posts:
- Multiple Certs With Certbot — this one describes the scripting I use to generate and maintain the various keys / certs that will be reused over the life of the application
- Wildcard Certificates with Let’s Encrypt — this one covers using dynamic updates to complete the ACME challenge
Let’s Encrypt Proxy DNS Authentication — this covers the
certbotintegration with dynamic updates, using delegation so that the authorization updates can be made to a trusted, known zone. This allows third party certificate management.
Also, as others have said, reusing the private key is the best approach. You can then anchor your DANE records to the key — which lasts longer than 90 days. I also have an opinion on DANE vs HTTPS-only mechanisms. TL;DR, stick to DANE.
I’m managing a collection of hundreds of certificates using the techniques described above, with no issues.