[Ach] Let's Encrypt + TLSA, DANE, HPKP, ... - was: bettercrypto.org certificate has expired today
gh.bettercrypto at hitco.at
Fri Mar 17 11:30:18 CET 2017
Am 2017-03-17 10:24, schrieb Hanno Böck:
> HPKP is a nice feature, but it absolutely requires a solid
> understanding and a good plan to avoid its pitfalls. If you're not
> capable of having a good key rollover plan then you shouldn't deploy
I already agreed to this before.
But you are still required to use the CertBot with a CSR and not in the
"straight-forward new-key" way, because you have to use pre-generated
and pre-deployed Keys.
Let's try an example:
HPKP Max-Age: for example 60 days
Let's Encrypt Certs are valid for 90 days, but let's say we like to
renew every ~70 to have some spare time.
=> that means, you have to pre-deploy at least 2 unused backup Keys in
1. Generate an LE-Cert with a fresh PrivateKey and use it for your
2. Generate at least 2 additional fresh RSA-Keypairs for later and store
them in a safe (offline) place
3. Deploy a pinning for these 3 Keys in your HPKP-Header
after ~70 Days you have to renew your LE-Cert:
-> Using the certbot in a straight-forward way is not suitable!
-> You have to use one of your 2 pre-deployed Backup keys, not a fresh
=> So, you have to use CSR mode with one of the 2 prepared Backup-Keys,
do it with a CSR as I described in my blog
1. Generate at least 1 additional fresh RSA-Keypair for later and store
it again in a safe (offline) place
2. Add this new generated, unused Key to HPKP-Header
3. Change Webserver-Certificate to the new one you got by using LE in
CSR-Mode with the Backup-Key
4. Remove the now unused old Key from HPKP-Header
For the next Renewal, same procedure, but be aware:
The prepared Keypair used for your next Key-Change has to be pre-deployed
in your HPKP-Header for at least Max-Age days (60).
If you don't like to use the CSR-Mode and like to use the LE-CertBot in
You cannot use HPKP Max-Age 60 Days, because you would have to wait for
60 days after adding the new key before actually using the cert. So there is
only little time left until it has to be renewed again. You may be able
to do this if you keep the Max-Age Value short, for example 10 Days -
but not with ~30/~60 and more.
More information about the Ach
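The rotation procedure described in the mail (one live key plus two pre-pinned backup keys, then a renewal that takes a CSR from an already-pinned backup key, pins a fresh spare and drops the old key), as an added shell example that is not part of the original mail and not from the bettercrypto.org project. It assumes openssl is installed; the working directory, the placeholder domain, the file names and the 2048-bit key size are assumptions chosen for illustration. The pin is base64(SHA-256(DER SubjectPublicKeyInfo)), which is the pin-sha256 value HPKP expects:

```shell
#!/bin/sh
# Added example, not code from the original mail. Assumes openssl is installed.
set -eu

WORKDIR="${WORKDIR:-./hpkp-demo}"    # assumed: key store (keep offline in practice)
DOMAIN="${DOMAIN:-example.invalid}"  # assumed placeholder domain
MAX_AGE_DAYS=60                      # the 60-day Max-Age used in the mail

# Generate an RSA keypair, readable only by the owner.
gen_key() {  # $1 = output path
    (umask 077; openssl genrsa -out "$1" 2048 2>/dev/null)
}

# HPKP pin of a private key: base64(SHA-256(DER SubjectPublicKeyInfo)).
pin_of_key() {  # $1 = private key path
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 -binary | openssl base64
}

# Same pin taken from the public key embedded in a CSR, to check it matches
# a key that is already in the header before the CSR is handed to certbot.
pin_of_csr() {  # $1 = CSR path
    openssl req -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary | openssl base64
}

# Assemble the Public-Key-Pins header value from the pins given as arguments.
hpkp_header() {  # $@ = pins
    h="max-age=$((MAX_AGE_DAYS * 86400))"
    for p in "$@"; do
        h="$h; pin-sha256=\"$p\""
    done
    printf '%s\n' "$h"
}

# CSR from an already-pinned backup key; this is the input for certbot --csr.
make_csr() {  # $1 = key path, $2 = CSR path
    openssl req -new -key "$1" -subj "/CN=$DOMAIN" -out "$2" 2>/dev/null
}

# Initial setup (steps 1-3 of the mail): live key + 2 unused backups, all pinned.
initial_setup() {
    mkdir -p "$WORKDIR"
    gen_key "$WORKDIR/live.key"
    gen_key "$WORKDIR/backup1.key"
    gen_key "$WORKDIR/backup2.key"
    hpkp_header "$(pin_of_key "$WORKDIR/live.key")" \
                "$(pin_of_key "$WORKDIR/backup1.key")" \
                "$(pin_of_key "$WORKDIR/backup2.key")"
}

# Renewal (steps 1-4 of the mail): CSR from backup1 (pinned long ago),
# a fresh backup3 goes into the header, the old live key is removed.
renewal() {
    make_csr "$WORKDIR/backup1.key" "$WORKDIR/renewal.csr"
    gen_key "$WORKDIR/backup3.key"
    hpkp_header "$(pin_of_key "$WORKDIR/backup1.key")" \
                "$(pin_of_key "$WORKDIR/backup2.key")" \
                "$(pin_of_key "$WORKDIR/backup3.key")"
}

# Usage: sh hpkp-rotate.sh run   (prints the initial header, then the renewed one)
if [ "${1:-}" = "run" ]; then
    initial_setup
    renewal
fi
```

After the renewal step the header still carries backup2, which was pinned during the initial setup, so it is the candidate for the renewal after this one; backup3 has only just been added and must sit in the header for Max-Age days before a certificate on it is deployed.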