20 Nov
2015
20 Nov
'15
6:21 p.m.
On 11/19/2015 7:58 PM, Viktor Dukhovni wrote:
If you've published DANE TLSA records for your current certificate chain, and are considering switch to Let's Encrypt issued certificates, please do not forget:
https://dane.sys4.de/common_mistakes#3 https://tools.ietf.org/html/rfc7671#section-8.1I've seen more than one of the early adopters of LE certificates neglect to update their TLSA records (a few TTLs) *before* deploying the new LE certificate chain.
Something else to keep in mind with the Let's Encrypt certificates is that they have a 90-day lifetime with the automatic renewal process starting at sixty days.
Using a Let's Encrypt certificate with DANE TLSA will require an alert sysadmin.
https://community.letsencrypt.org/t/maximum-and-minimum-certificate-lifetime...