Re: Wildcard certificate and DANE/TLSA records
2 Jan
2019
10:03 p.m.
On Jan 2, 2019, at 1:32 PM, zorion zorion@autistici.org wrote:
> What are the implications of not having the private key in this file? I currently do not have it there, and I see no problems (Postfix 3.1.8), but it's possible I'm not seeing something.
When the key and certs are in separate files you lose the ability to atomically replace both, and introduce brief races when a Postfix process is loading the key and certs while key rotation is happening.
In Postfix 3.4, when the cert and key are in the same file, the race is eliminated. The condition is temporary, and infrequent, but best avoided entirely.
As for the key first, that's a longer story, but you won't go wrong doing it that way.
--
Viktor.
Viktor Dukhovni
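
The atomic replacement discussed in the message above, sketched as an added example that is not part of the original post or of Postfix: the key and certificates are written key-first into one temporary file and renamed over the live file in a single step. The function name `install_chain` and all file names are assumptions.

```shell
#!/bin/sh
# Added example: build one PEM file (private key first, then certificates)
# and replace the live file with a single rename, so a process that opens it
# sees either the complete old pair or the complete new pair.

# install_chain KEY CERTCHAIN DEST   (hypothetical helper, names are assumptions)
install_chain() {
    key=$1 chain=$2 dest=$3
    dir=$(dirname -- "$dest")

    # Refuse inputs of the wrong kind, e.g. swapped arguments.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "no private key in $key" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$chain" ||
        { echo "no certificate in $chain" >&2; return 1; }
    if grep -q -e 'PRIVATE KEY-----' "$chain"; then
        echo "unexpected private key in $chain" >&2; return 1
    fi

    # The temp file lives in the destination directory: a rename is only
    # atomic within one filesystem. mktemp creates it with mode 0600.
    tmp=$(mktemp "$dir/.chain.XXXXXX") || return 1

    # Key first, then the leaf certificate and its issuers.
    if cat -- "$key" "$chain" > "$tmp" &&
       chmod 600 "$tmp" &&
       mv -f -- "$tmp" "$dest"; then
        return 0
    fi
    rm -f -- "$tmp"      # on failure, leave the live file untouched
    return 1
}

# Stand-alone demo with constructed placeholder PEM (not real key material):
#   sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END PRIVATE KEY-----' > "$d/key.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
        '-----END CERTIFICATE-----' > "$d/chain.pem"
    install_chain "$d/key.pem" "$d/chain.pem" "$d/combined.pem" &&
        echo "wrote $d/combined.pem"
fi
```
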