I don’t see the --csr option in the documentation for the new certbot client. Is this still supported?
For sites obtaining certificates for SMTP servers with DANE TLSA records, it is important to be able to renew without changing the public/private keypair, just obtain a new certificate for the same keys when doing automated rollover.
Periodic changes of the keys are best performed under human supervision, so that appropriate DNS changes can be made at approximately the same time and verified.
It would be great if this were documented. With the existing client an overview of the process is at:
The rationale is explained at:
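
Added example, not part of the original post: a shell sketch of why reusing one CSR keeps a TLSA record stable across renewals. It assumes the record is published with selector 1 and matching type 1 ("3 1 1", SHA-256 of the public key); the file names and mail.example.com are placeholders.

```shell
#!/bin/sh
# Constructed example: all file names and host names are placeholders.

# TLSA "3 1 1" association data for the key inside a CSR:
# SHA-256 over the DER-encoded SubjectPublicKeyInfo, as lowercase hex.
tlsa_from_csr() {
    openssl req -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# The same digest computed from an issued certificate.
tlsa_from_cert() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# One-time setup: a long-lived key and a CSR that is reused at every renewal.
make_key_and_csr() {  # $1=key file  $2=CSR file  $3=host name
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1" 2>/dev/null
    openssl req -new -key "$1" -subj "/CN=$3" -out "$2"
}

# Pre-renewal guard: succeed only if the CSR still carries the key whose
# digest is published in DNS ($2 = hex digest from the TLSA record).
csr_matches_tlsa() {  # $1=CSR file  $2=published hex digest
    [ "$(tlsa_from_csr "$1")" = "$2" ]
}

# Typical automated renewal (not executed here):
#   csr_matches_tlsa mail.csr "$PUBLISHED_DIGEST" &&
#       certbot certonly --csr mail.csr   # plus the usual authenticator options
# A deliberate key change is the supervised path: publish the new digest
# alongside the old one first, then switch to a CSR built from the new key.
```

Because the digest covers only the public key, every certificate issued from the same CSR yields the same value, so the DNS record needs no change until the key itself is rotated.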