I am using “dehydrated” to get certificates issued using DNS challenge to Cloudflare.
Everything is working fine and I have the certificates.
I get the certificates issued as standalone and manually install them for Synology NAS, VMware Harbor Docker Registry, vSphere etc…
My question is. When it comes to renewal, I am running a cron job which should renew the certificates. Am I right in understanding that, I do NOT need to re-install / copy the certificates and the ones that are already installed will just be renewed?
Or will the renewal generate “new” certs which then needs to be installed ?
Unfortunately, "renewal" is just a term for "getting a new certificate with exactly the same settings as the one before".
The expiration date of certificates is included in the signature of every certificate (as in, the data over which the signature is calculated includes the expiration date), therefore, a new expiration date can only be set when the certificate is signed again. And that means you'll get a brand new certificate.
And because you'll get a "brand new" certificate, you'll have to re-install it again.
Thank you for clarifying. This makes things a lot more complicated for me. It basically means every three months I need to renew the certs (which is straight forward) then install the new certificate on each of the systems. I guess I might be able to automate some of it using ansible / bash scripts.