Certbot renewals and DANE

I’m using a different approach. I recommend generating multiple key pairs for each certificate. Only the “live” one is exposed. The rest are kept in a safe place to deal with future key compromise.

You can generate DANE DNS RRs covering all the certificates — live and reserve — so that revoking a compromised certificate and activating a reserve one is a seamless operation.

This is covered in my blog posts:

Also, as others have said, reusing the private key is the best approach. You can then anchor your DANE records to the key — which lasts longer than 90 days. I also have an opinion on DANE vs HTTPS-only mechanisms. TL;DR, stick to DANE.

I’m managing a collection of hundreds of certificates using the techniques described above, with no issues.

Best regards

-lem