Hello, while I love Let’s Encrypt philosophically I haven’t used it before for three reasons:
A) Normally I prefer ECDSA certs and it seems Let’s Encrypt doesn’t do that (yet)
B) I don’t like the idea of an automatic script that connects to external resources modifying a daemon configuration.
C) I don’t like 3 month certs, partly because I use DNSSEC and DANE and prefer to only update the DNS record associated with the 443 port when I do my yearly domain renewal and tls cert renewal.
However for a current project, I want to try Let’s Encrypt.
I’ll use 2048 (or 3072 if allowed) RSA for A - I use 3072 self-signed for mail servers.
For B - it looks like certbot has a certonly option that lets me run it manually and manually make the changes as needed.
For C though - the way DANE works, you preload the new fingerprint in DNS about a day or so before putting the key/cert into service (three times the TLSA TTL, but a day is way more than that).
I can do that with Let’s Encrypt if I can generate the private key myself once a year, create the DANE fingerprint from the private key, and then tell certbot to fetch a signed cert for that generated private key.
Is that possible? I can script creation of my own CSR if needed. But I need to know that certbot doesn’t mind me specifying the private key I want it to fetch a signed cert for.
That would let me keep the same private key when generating a new cert every 3 months, so I only have to rotate the DANE fingerprint once a year, which is my preference.
Is there an option to certbot to specify the private key to be used? (and does 3072 RSA work? okay if it doesn’t)
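The workflow asked about above, as an added example that is not part of the original post: generate a long-lived RSA key yourself, derive the DANE-EE TLSA record (usage 3, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256) from that key, and write a CSR for it. Because the TLSA hash covers only the public key, it stays valid across every 90-day certificate as long as the key is reused; the example proves that by self-signing a throwaway certificate from the same key and checking its SPKI hash. The `certbot certonly --csr` invocation is shown as a comment because it contacts the ACME server; `WORKDIR` and the `example.com` hostname are placeholders for this example.

```shell
#!/bin/sh
# Added example (not from the original post or the certbot project):
# own-key DANE workflow for a certificate that certbot signs via --csr.
set -eu

# Placeholders for this example; point them at your own paths and hostname.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-example.com}"

gen_key() {
    # 3072-bit RSA key that is kept across every renewal.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$WORKDIR/privkey.pem" 2>/dev/null
}

spki_sha256_of_pubkey_der() {
    # Reads a DER SubjectPublicKeyInfo on stdin, prints its SHA-256 hex digest.
    # awk takes the last field so both "SHA256(stdin)= hex" and "(stdin)= hex"
    # output styles of openssl dgst are handled.
    openssl dgst -sha256 | awk '{print $NF}'
}

tlsa_hash() {
    # Fingerprint of the public key half of privkey.pem (selector 1 / type 1).
    openssl pkey -in "$WORKDIR/privkey.pem" -pubout -outform DER 2>/dev/null \
        | spki_sha256_of_pubkey_der
}

tlsa_record() {
    # The record to publish ahead of time (usage 3 = DANE-EE).
    printf '_443._tcp.%s. IN TLSA 3 1 1 %s\n' "$HOST" "$(tlsa_hash)"
}

make_csr() {
    # CSR bound to the key above; hand this to certbot instead of letting it
    # generate a key, e.g.:
    #   certbot certonly --csr "$WORKDIR/request.csr" \
    #       --cert-path "$WORKDIR/cert.pem" --fullchain-path "$WORKDIR/fullchain.pem" ...
    openssl req -new -key "$WORKDIR/privkey.pem" -subj "/CN=$HOST" \
        -out "$WORKDIR/request.csr" 2>/dev/null
}

cert_spki_hash() {
    # SPKI SHA-256 of any certificate; used to confirm a freshly issued cert
    # still matches the published TLSA record before it goes into service.
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | spki_sha256_of_pubkey_der
}

selfsign_cert() {
    # Stand-in for the certificate certbot would return, signed with the same key,
    # so the matching logic can be exercised offline.
    openssl req -x509 -new -key "$WORKDIR/privkey.pem" -subj "/CN=$HOST" \
        -days 1 -out "$WORKDIR/selfsigned.pem" 2>/dev/null
}

# Stand-alone run: create key and CSR, print the TLSA record, confirm a cert
# from that key matches it.
gen_key
make_csr
tlsa_record
selfsign_cert
[ "$(cert_spki_hash "$WORKDIR/selfsigned.pem")" = "$(tlsa_hash)" ] \
    && echo "SPKI hash matches TLSA record"
```

With `--csr`, certbot does not generate a key at all, so the key size is whatever the CSR was built with; Let's Encrypt accepts RSA keys between 2048 and 4096 bits. Run `cert_spki_hash` against each renewed `cert.pem` before swapping it in, and the once-a-year DNS change is the only TLSA update you need.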