Hi!
I have a Debian Linux home server running behind my DSL router 24/7, accessible via DynDNS. Let's Encrypt certs are maintained via acme.sh without any problems. But the setup details are not the reason why I write this:
Now, I have an RSA 2048 key at the moment. Since recent recommendations advise using at least RSA 3072, how do I replace the existing key with a bigger one? Just issuing a new cert via acme.sh, putting that into the usual place in the filesystem and reloading the services? Or do I have to take extra precautions, since HSTS and CAA are all in place? The SSL Labs test gives my setup an A+ rating, so I think it's pretty well set up at the moment.
Services affected are nginx, postfix, dovecot and some more.
Hi!
Yes, I'm aware that this is not about acme.sh. My question is not about usage of the ACME client of choice, but about what precautions and considerations I have to take to make sure I don't lock myself out of my domain (HSTS, CAA, ...) or run into other trouble in the course of changing the key length.
Neither HSTS nor CAA pins to a particular key, type of key, or size of key; the only technology that would (and that's pretty well deprecated at this point) is HPKP. You're free to issue a new cert with the desired key type/size and, as long as you aren't using HPKP, you should be good to go.
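An added example, not from the thread and not acme.sh's own code: a POSIX shell pre-flight script for the swap described above. It reports the modulus size of the new key, confirms the issued certificate belongs to that key, checks a captured header block for the one mechanism (HPKP) that really does pin a key, and checks a CAA record set against the CA you intend to use. It assumes `openssl` is installed; the domain, webroot, file paths and the `example.test` name are constructed placeholders. The acme.sh commands at the end are shown as comments for the operator to run by hand.

```shell
#!/bin/sh
# Added example (not from the thread, not acme.sh code): pre-flight checks for
# swapping an RSA 2048 key for a 3072-bit one on a host running nginx/postfix/dovecot.
# Assumes openssl is installed; domain, paths and CA name below are constructed.

# Modulus size in bits of a PEM RSA private key, e.g. "2048" or "3072".
rsa_bits() {
  openssl pkey -in "$1" -noout -text | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# SHA-256 over the DER SubjectPublicKeyInfo. This is the value HPKP pins, so it is
# exactly what changes when the key is replaced.
spki_sha256_key() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}
spki_sha256_cert() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only when the certificate was issued for this private key.
key_matches_cert() {
  [ "$(spki_sha256_key "$1")" = "$(spki_sha256_cert "$2")" ]
}

# Succeeds if captured HTTP response headers carry an HPKP header, the one
# mechanism that would break on a key change. HSTS is deliberately not checked:
# Strict-Transport-Security carries only max-age, includeSubDomains and preload.
hpkp_present() {
  printf '%s\n' "$1" | grep -qi '^public-key-pins'
}

# $1: CAA records in dig presentation format (name ttl IN CAA flags tag "value"),
# $2: CA identifier such as letsencrypt.org. Succeeds when issuance is permitted.
# CAA names the CA, never the key, so it needs no change for a bigger key.
# No CAA record at all means any CA may issue.
caa_allows() {
  printf '%s\n' "$1" | awk -v ca="$2" '
    $3 == "IN" && $4 == "CAA" && ($6 == "issue" || $6 == "issuewild") {
      n++; v = $7; gsub(/"/, "", v); sub(/;.*/, "", v); if (v == ca) found = 1
    }
    END { exit (n == 0 || found) ? 0 : 1 }'
}

# Usage: ./rotate-check.sh new.key fullchain.pem [captured-headers.txt]
if [ "$#" -ge 2 ]; then
  echo "new key: $(rsa_bits "$1") bits"
  if key_matches_cert "$1" "$2"; then
    echo "key and certificate match"
  else
    echo "MISMATCH: certificate was not issued for this key"
  fi
  if [ -n "$3" ] && hpkp_present "$(cat "$3")"; then
    echo "WARNING: HPKP header present; rotating the key would break pinned clients"
  fi
fi

# The rotation itself with acme.sh (run by hand; webroot path and domain are assumed):
#   acme.sh --issue -d example.test -w /var/www/html --keylength 3072 --force
#   acme.sh --install-cert -d example.test \
#       --key-file /etc/ssl/private/example.test.key \
#       --fullchain-file /etc/ssl/certs/example.test.pem \
#       --reloadcmd "systemctl reload nginx postfix dovecot"
```

Run the checks against the freshly issued key and chain before pointing nginx, postfix and dovecot at them; the SPKI hash functions also make it easy to see why a pin would break, since the hash of the new 3072-bit key has nothing in common with the old one.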