Certbot renewals and DANE

I’m using a different approach. I recommend generating multiple key pairs for each certificate. Only the “live” one is exposed. The rest are kept in a safe place to deal with future key compromise.

You can generate DANE DNS RRs covering all the certificates — live and reserve — so that revoking a compromised certificate and activating a reserve one is a seamless operation.

This is covered in my blog posts:

Also, as others have said, reusing the private key is the best approach. You can then anchor your DANE records to the key — which lasts longer than 90 days. I also have an opinion on DANE vs HTTPS-only mechanisms. TL;DR, stick to DANE.

I’m managing a collection of hundreds of certificates using the techniques described above, with no issues.

Best regards
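The live-plus-reserve scheme and the key-anchored TLSA records described above, worked through as an added example (not the poster's code or blog material). It assumes Ed25519 keys and the standard RFC 8410 SubjectPublicKeyInfo encoding; the key bytes are constructed placeholders, and a real deployment would feed it the public keys that openssl or Certbot produced.

```python
"""TLSA "3 1 1" RRset covering a live key and reserve keys (added example).

Assumptions: raw 32-byte Ed25519 public keys wrapped in the standard RFC 8410
SubjectPublicKeyInfo DER; key material below is constructed, not real.
"""
import hashlib

# DER prefix of an Ed25519 SubjectPublicKeyInfo: SEQUENCE { SEQUENCE { OID
# 1.3.101.112 } BIT STRING(32 bytes) }. Real keys would be exported by openssl.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def spki_der(raw_pubkey: bytes) -> bytes:
    """Wrap a raw Ed25519 public key as DER SubjectPublicKeyInfo."""
    if len(raw_pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return ED25519_SPKI_PREFIX + raw_pubkey


def tlsa_311(spki: bytes) -> str:
    """RFC 6698 RDATA: usage 3 (DANE-EE), selector 1 (SPKI), matching 1 (SHA-256).

    Hashing the SPKI rather than the certificate is what makes the record survive
    every 90-day renewal as long as the private key is reused.
    """
    return "3 1 1 " + hashlib.sha256(spki).hexdigest()


def build_rrset(live_spki: bytes, reserve_spkis: list[bytes]) -> set[str]:
    """Publish one record per key so a reserve key validates the moment it goes live."""
    return {tlsa_311(live_spki)} | {tlsa_311(s) for s in reserve_spkis}


def dane_ee_matches(presented_spki: bytes, rrset: set[str]) -> bool:
    """The DANE-EE check a validator performs: presented SPKI hash is in the RRset."""
    return tlsa_311(presented_spki) in rrset


def rotate_after_compromise(rrset: set[str], compromised_spki: bytes,
                            new_reserve_spki: bytes) -> set[str]:
    """Withdraw the compromised key's record and add a fresh reserve record."""
    return (rrset - {tlsa_311(compromised_spki)}) | {tlsa_311(new_reserve_spki)}


# Constructed placeholder keys, deterministic so the demo is reproducible.
LIVE = spki_der(hashlib.sha256(b"constructed live key").digest())
RESERVE_A = spki_der(hashlib.sha256(b"constructed reserve key A").digest())
RESERVE_B = spki_der(hashlib.sha256(b"constructed reserve key B").digest())
UNPUBLISHED = spki_der(hashlib.sha256(b"constructed unpublished key").digest())

RRSET = build_rrset(LIVE, [RESERVE_A, RESERVE_B])

if __name__ == "__main__":
    for rdata in sorted(RRSET):
        print("_25._tcp.mail.example.net. IN TLSA", rdata)  # placeholder owner name
```

Switching the server to RESERVE_A needs no DNS change, since its record was already published; only the withdrawal of a compromised key touches the zone.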
