This has been discussed here years ago, but for some reason I can't reply to that thread. (Either the thread is too old or my membership is too young.)
Has there been any progress on using pre-generated key pairs to obtain signatures with the default
A typical use case would be a DANE rollover scheme. (Yes, I get it, some say that DANE should be used for self-signed certificates only, but I see no reason not to publish keys signed by Let's Encrypt in DANE.)
- Generate your next key pair.
- Publish your public key in DANE at least one DNS expiry interval ahead.
- Obtain a signature from Let's Encrypt for the already published public key.
- Switch your service to the new key pair.
- Remove the old public key from DNS.
- Do nothing for ~2 months.
- Go back to 0.
The absence of an (obvious) rollover scheme is pointed out (also) by the internet.nl DNS and mail server checker (with further details about the whole concept):
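The ordering constraint behind the steps above (the new key's TLSA record must be visible in DNS for at least one TTL before the service presents the key, and the old record must not be removed while its key is still live) can be checked mechanically. The following is an added example, not code from the original post or from Let's Encrypt: it builds `3 1 1` TLSA RDATA (DANE-EE, SubjectPublicKeyInfo selector, SHA-256) from the DER bytes of a public key, and a small `DaneRollover` helper (a hypothetical name) that refuses any step which would leave the live key without a matching record. The SPKI byte strings are constructed placeholders; in practice you would feed it the output of `openssl pkey -pubout -outform DER`.

```python
import hashlib

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo of the key in
# service and of the next, pre-generated key (hypothetical bytes, not real keys).
CURRENT_SPKI = b"constructed-spki-bytes-of-current-key"
NEXT_SPKI = b"constructed-spki-bytes-of-next-key"


def tlsa_rdata(spki_der: bytes) -> str:
    """TLSA RDATA for usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo),
    matching type 1 (SHA-256). Because it hashes only the public key, the
    record stays valid across certificate renewals that reuse the key pair."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


class DaneRollover:
    """Tracks the published TLSA RRset and the key the service presents, and
    rejects steps that would break validation for a resolver with a cached
    RRset (time is modelled as seconds since the rollover started)."""

    def __init__(self, spki_der: bytes, ttl: int):
        self.ttl = ttl
        self.now = 0
        self.live = tlsa_rdata(spki_der)
        self.published = {self.live: 0}  # rdata -> time it was first published

    def tick(self, seconds: int) -> None:
        self.now += seconds

    def publish_next(self, spki_der: bytes) -> str:
        """Step 2: add the next key's record to DNS ahead of time."""
        rdata = tlsa_rdata(spki_der)
        self.published.setdefault(rdata, self.now)
        return rdata

    def switch_to(self, spki_der: bytes) -> None:
        """Step 4: present the new key, only once its record has been
        published for a full TTL so no resolver still holds an RRset without it."""
        rdata = tlsa_rdata(spki_der)
        if rdata not in self.published:
            raise RuntimeError("new key is not yet published in DNS")
        if self.now - self.published[rdata] < self.ttl:
            raise RuntimeError("new record has not been published for a full TTL yet")
        self.live = rdata

    def retire(self, spki_der: bytes) -> None:
        """Step 5: drop the old record, never the one matching the live key."""
        rdata = tlsa_rdata(spki_der)
        if rdata == self.live:
            raise RuntimeError("cannot remove the record matching the live key")
        self.published.pop(rdata, None)

    def rrset(self) -> list[str]:
        return sorted(self.published)


def run_rollover(ttl: int = 3600) -> list[list[str]]:
    """Walk the steps from the post and return the RRset after each DNS change."""
    r = DaneRollover(CURRENT_SPKI, ttl)
    history = [r.rrset()]
    r.publish_next(NEXT_SPKI)  # step 2
    history.append(r.rrset())
    r.tick(ttl)  # wait one DNS expiry interval
    # step 3 (obtaining the Let's Encrypt signature for NEXT_SPKI) changes no DNS
    r.switch_to(NEXT_SPKI)  # step 4
    history.append(r.rrset())
    r.retire(CURRENT_SPKI)  # step 5
    history.append(r.rrset())
    return history


def premature_switch_is_rejected(ttl: int = 3600) -> bool:
    """Switching before one TTL has elapsed must be refused."""
    r = DaneRollover(CURRENT_SPKI, ttl)
    r.publish_next(NEXT_SPKI)
    try:
        r.switch_to(NEXT_SPKI)
    except RuntimeError:
        return True
    return False


def retiring_live_key_is_rejected(ttl: int = 3600) -> bool:
    """Removing the record of the key still in service must be refused."""
    r = DaneRollover(CURRENT_SPKI, ttl)
    try:
        r.retire(CURRENT_SPKI)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    for step, rrset in enumerate(run_rollover()):
        print(f"after DNS change {step}: {rrset}")
```

The TTL wait is the part that is easy to skip: between publishing and switching, both records must coexist in DNS, which is exactly what the "publish at least one DNS expiry interval ahead" step guarantees.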