On 29 Dec 2016, at 22:56, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> If you:
> - Configure LE cert renewal to NOT replace your key, just issue a new certificate for the *same* key as before:
>   https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
> - Publish a "3 1 1" TLSA record for the stable public key.
> Then LE certificate renewal requires no DNS changes, and can proceed in an automated manner via their tools.
Thank you for your clarification that *no DNS changes are required*, ..
> From time to time, you might decide that your key has been lying around on your server too long, and may now be compromised. Then you create a new key-pair and do LE renewal with that key instead. You then can either go with the process outlined in:
.. *unless* I manually go for a new key. Perfect. That is a procedure I can live with, and I will follow that approach, then.
I'd like to thank you both for your help in understanding what will be the upcoming steps when implementing LE certificates.
With kind regards and a Happy New Year, Michael
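The two cases Viktor describes (renewal on the same key needs no DNS change; a deliberate key rotation does) come down to what a "3 1 1" record actually hashes: the DER-encoded SubjectPublicKeyInfo, not the certificate. The following Go program is an added example written for this page; it is not code from the thread, from certbot or from any DANE tool. It generates a throwaway ECDSA key, stands in self-signed certificates for the Let's Encrypt-issued ones (only the embedded public key matters for the digest), computes the record data, and runs the pre-deploy check an operator would want before installing a renewed certificate. The hostname `mail.example.test` and port 25 are assumptions chosen for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA311Data returns the Certificate Association Data of a "3 1 1" TLSA record
// (usage 3 DANE-EE, selector 1 SubjectPublicKeyInfo, matching type 1 SHA-256)
// as lowercase hex: the SHA-256 digest of the DER-encoded SubjectPublicKeyInfo.
func TLSA311Data(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	return hex.EncodeToString(sum[:])
}

// TLSA311FromCert computes the same digest from an issued certificate. Because the
// digest covers only the public key, every certificate issued for that key
// (initial or renewed) yields the same value.
func TLSA311FromCert(cert *x509.Certificate) string {
	return TLSA311Data(cert.RawSubjectPublicKeyInfo)
}

// TLSARecord renders the zone-file line for the record (e.g. SMTP on port 25).
// Hostname, port and protocol are hypothetical inputs supplied by the caller.
func TLSARecord(host string, port int, proto string, data string) string {
	return fmt.Sprintf("_%d._%s.%s. IN TLSA 3 1 1 %s", port, proto, host, data)
}

// MatchesPublished is the pre-deploy check: does the certificate about to be
// installed still match the data published in DNS?
func MatchesPublished(cert *x509.Certificate, published string) bool {
	return TLSA311FromCert(cert) == published
}

// selfSignedCert builds a throwaway certificate for key; it stands in for a
// CA-issued certificate, since only the embedded public key matters here.
func selfSignedCert(key *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "mail.example.test"}, // assumed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RenewalScenario walks through the thread's two cases. It reports whether a
// renewal on the same key still matches the published record (expected: true)
// and whether a renewal on a freshly generated key does (expected: false, so a
// key rotation needs the DNS record updated before the new cert goes live).
func RenewalScenario() (sameKeyMatches, newKeyMatches bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	initial, err := selfSignedCert(key, 1)
	if err != nil {
		return false, false, err
	}
	published := TLSA311FromCert(initial) // value placed in DNS once

	renewed, err := selfSignedCert(key, 2) // renewal with the *same* key
	if err != nil {
		return false, false, err
	}
	sameKeyMatches = MatchesPublished(renewed, published)

	newKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	rotated, err := selfSignedCert(newKey, 3) // renewal after a key rotation
	if err != nil {
		return false, false, err
	}
	newKeyMatches = MatchesPublished(rotated, published)
	return sameKeyMatches, newKeyMatches, nil
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	spki, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Println(TLSARecord("mail.example.test", 25, "tcp", TLSA311Data(spki)))
	same, rotated, err := RenewalScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("same key still matches: %v, rotated key matches: %v\n", same, rotated)
}
```

The same digest can be produced at the command line from a PEM certificate with `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`, which is a convenient way to confirm that a freshly renewed certificate still agrees with the record in the zone before it is installed.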