[Ach] Let's Encrypt + TLSA, DANE, HPKP, ... - was: bettercrypto.org certificate has expired today

Aaron Zauner azet at azet.org
Fri Mar 17 09:32:40 CET 2017


* Gunnar Haslinger <gh.bettercrypto at hitco.at> [16/03/2017 21:20:14] wrote:
> Regarding using Let's Encrypt with TLSA/DANE and HPKP:
> 
> I wrote a short blog entry about using Let's Encrypt with CSRs - keeping
> the RSA keypair when renewing the certificate.
> 
> Maybe somebody finds this helpful (in German):
> https://hitco.at/blog/lets-encrypt-csr/
> 
> 
> As keeping the RSA keypair when renewing certificates is not
> best-practice security, this is probably *not* a chapter you would like
> me to add to the BetterCrypto Guide?

Maybe I misunderstand, but why would you want to do that? You can do
a key-rollover just fine with HPKP headers and TLSA records.

Aaron
