On a VPS (Debian Jessie) where I will set up Postfix, Dovecot and Apache2,
in order to fully automate the certificate creation process, I would like to pass certbot a 4096-bit CSR and private key that I generate myself.
Is this a practice that is recommended or superseded by certbot, and/or does it stop the automation?
certbot doesn’t need the private key. And you can use the --csr option to feed it your CSR (which is signed with your private key, hence certbot/Boulder doesn’t need the latter).
There are some quirks with using --csr, such as it just puts the certificate and chain in the current folder certbot is running from (with names like cert_0000.pem): it doesn’t actually make a nice structure such as symlinks in /etc/letsencrypt/live/example.com/cert.pem pointing to the most current cert in /etc/letsencrypt/archive/example.com.
So while it’s certainly possible, automation will be more difficult.
Hi @danjde. Can you elaborate a little bit on what aspects of the certificate you are trying to customize for automation by creating the private key & CSR yourself?
Supporting automation is definitely one of the goals of the Certbot project. Depending on what you are customizing, it might be easier to let Certbot do the heavy lifting with some command-line guidance (e.g. --rsa-key-size 4096). This might help you avoid needing to create your own CSR and encountering some of the quirks that @Osiris mentioned.
I was planning to use the certificate for these reasons:
I would like to obtain a certbot/Let's Encrypt 4096-bit certificate (and we have seen that this is possible).
This certificate should contain most of the CSR information, specifically the "Common Name" (which must contain the fully-qualified host name) for Postfix and Dovecot use.
This certificate should contain the smtp, pop and imap addresses, and I think this is possible by passing the "-d" option.
I would like the generation of this certificate not to always produce new certificate names. I had previously used letsencrypt.sh and it always generated new certificate names, but simultaneously created a link to the last certificate which kept its name unchanged.
And this seems like a little problem, as @Osiris says:
Among DANE TLSA SMTP servers there are at least ~800 distinct LE-issued certificates (my survey cannot achieve 100% coverage). These are MX hosts for at least ~2400 Email domains.
These ~800 certificates are of course a very small fraction of the overall LE certificate count, but do constitute a significant fraction of the ~2200 total DANE TLSA MX host certificates (which today serve around 59000 domains).
DANE deployment is as yet quite small, but growing.
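The following script is an added example, not code from the thread or from the Certbot project. It puts together the --csr workflow from @Osiris's answer with the requirements listed in the question (a CN that is the mail host's FQDN, SANs for the smtp/imap/pop names, and stable output filenames so Postfix and Dovecot configs never need to change). The hostnames, the output directory, the webroot and the contact e-mail are placeholders; it assumes a Debian host with openssl and certbot installed and http-01 validation served from that webroot. Instead of accepting the cert_0000.pem files certbot drops into the working directory when --csr is used, it pins the output with --cert-path, --chain-path and --fullchain-path, so the paths are as stable as the live/ symlinks would have been.

```shell
#!/bin/sh
# Added example (not from the thread): automated issuance from a self-generated
# 4096-bit key and CSR, with fixed output paths. All names below are placeholders.
set -eu

HOST="mail.example.com"                       # CN: the FQDN Postfix/Dovecot announce
SANS="mail.example.com smtp.example.com imap.example.com pop.example.com"
OUTDIR="/etc/ssl/letsencrypt"                 # stable home for key, CSR and issued files
WEBROOT="/var/www/html"                       # Apache docroot used for http-01
EMAIL="postmaster@example.com"                # placeholder account contact

# Build an openssl config with the CN in the subject and every service name in
# subjectAltName. The CN must be repeated in the SAN list: CAs match on SANs.
csr_config() {
    cn="$1"; shift
    alts=""
    for n in "$@"; do
        alts="${alts}${alts:+,}DNS:${n}"
    done
    printf '%s\n' \
        "[req]" \
        "distinguished_name = dn" \
        "req_extensions = ext" \
        "prompt = no" \
        "[dn]" \
        "CN = ${cn}" \
        "[ext]" \
        "subjectAltName = ${alts}"
}

# Generate the key once and keep it; only the CSR is rebuilt on each run.
# Delete privkey.pem first if you want to rotate the key.
make_key_and_csr() {
    mkdir -p "$OUTDIR"
    if [ ! -f "$OUTDIR/privkey.pem" ]; then
        openssl genrsa -out "$OUTDIR/privkey.pem" 4096
    fi
    chmod 600 "$OUTDIR/privkey.pem"
    # $SANS is intentionally unquoted so it splits into one argument per name
    csr_config "$HOST" $SANS > "$OUTDIR/csr.cnf"
    openssl req -new -key "$OUTDIR/privkey.pem" \
        -config "$OUTDIR/csr.cnf" -out "$OUTDIR/request.csr"
}

# certbot never sees the private key; the CSR is already signed with it.
# With --csr certbot skips the /etc/letsencrypt/live layout, so the output
# paths are pinned here instead of landing as cert_0000.pem in the cwd.
issue() {
    certbot certonly --non-interactive --agree-tos -m "$EMAIL" \
        --webroot -w "$WEBROOT" \
        --csr "$OUTDIR/request.csr" \
        --cert-path "$OUTDIR/cert.pem" \
        --chain-path "$OUTDIR/chain.pem" \
        --fullchain-path "$OUTDIR/fullchain.pem"
}

main() {
    make_key_and_csr
    issue
    # Postfix: smtpd_tls_cert_file = $OUTDIR/fullchain.pem
    #          smtpd_tls_key_file  = $OUTDIR/privkey.pem
    # Dovecot: ssl_cert = <$OUTDIR/fullchain.pem, ssl_key = <$OUTDIR/privkey.pem
    systemctl reload postfix dovecot apache2
}

# Only touch the system when explicitly asked: ./issue.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Because certificates obtained with --csr are not tracked in /etc/letsencrypt/renewal, `certbot renew` will not renew them; run the script from cron (for example monthly) so it re-issues well inside the 90-day lifetime. Check the result with `openssl x509 -in "$OUTDIR/cert.pem" -noout -subject -ext subjectAltName` to confirm the CN and all SANs came through.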