[atlas] SSL Certificates for ripe anchors
Bjørn Mork
bjorn at mork.no
Tue Sep 3 14:50:28 CEST 2019
Carsten Schiefner <carsten at schiefner.de> writes:

>> On 03.09.2019 at 13:35, Bjørn Mork <bjorn at mork.no> wrote:
>>> The tricky bit, however, comes if you want to use this very certificate
>>> in a TLSA RR as well: all of a sudden the RR points to a non-existing
>>> certificate when Letsencrypt's cron job has flipped the certificate.
>>>
>>> [...]
>>
>> You can renew Let's Encrypt certificates without changing the key. And
>> if you use the recommended 3 1 1 TLSA records, then you don't have to
>> change it unless the key is changed.
>
> ah! :-)
>
> Would you have a specific pointer in mind you’d recommend and so like to share?

I believe this covers it:
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022

And RFC 7671 is also a nice reference, especially if you want to roll keys.

Bjørn
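Added example, not part of the original message: a standard-library Python sketch of why a 3 1 1 record (SHA-256 over the SubjectPublicKeyInfo) survives a renewal that keeps the key, while a 3 0 1 record (SHA-256 over the whole certificate) does not. The certificates are constructed, unsigned stand-ins that only follow the X.509 field order, and all function names are hypothetical.

```python
import hashlib

def tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one element (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read(der: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = der[pos], der[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: next k bytes hold the length
        k = first & 0x7F
        return tag, pos + k, pos + k + int.from_bytes(der[pos:pos + k], "big")
    return tag, pos, pos + first

def spki_of(cert: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate and return the complete SPKI element."""
    _, pos, _ = read(cert, 0)              # enter Certificate SEQUENCE
    _, pos, _ = read(cert, pos)            # enter tbsCertificate SEQUENCE
    tag, _, end = read(cert, pos)
    pos = end if tag == 0xA0 else pos      # skip optional [0] version
    for _ in range(5):                     # serial, sigAlg, issuer, validity, subject
        _, _, pos = read(cert, pos)
    return cert[pos:read(cert, pos)[2]]

def tlsa(cert: bytes, selector: int) -> str:
    """Usage 3, matching type 1 (SHA-256); selector 0 = full cert, 1 = SPKI."""
    data = cert if selector == 0 else spki_of(cert)
    return f"3 {selector} 1 {hashlib.sha256(data).hexdigest()}"

def toy_cert(serial: int, not_after: bytes, spki: bytes) -> bytes:
    """Constructed, unsigned stand-in certificate (assumption: for illustration only)."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
    name = tlv(0x30, b"")
    validity = tlv(0x30, tlv(0x17, b"190901000000Z") + tlv(0x17, not_after))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial.to_bytes(2, "big"))
              + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(8)))

# Constructed SPKI: id-ecPublicKey / prime256v1 with a dummy 65-byte point.
KEY = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d0201"))
                    + tlv(0x06, bytes.fromhex("2a8648ce3d030107")))
          + tlv(0x03, b"\x00\x04" + bytes(range(64))))
OLD = toy_cert(0x1001, b"191130000000Z", KEY)
NEW = toy_cert(0x2002, b"200228000000Z", KEY)   # "renewal": new serial and dates, same key
```

Comparing `tlsa(OLD, 1)` with `tlsa(NEW, 1)` gives identical record data, while `tlsa(OLD, 0)` and `tlsa(NEW, 0)` differ, which is the situation where a published 3 0 1 record stops matching after the renewal job runs.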