[Ach] Let's Encrypt + TLSA, DANE, HPKP, ... - was: bettercrypto.org certificate has expired today

Gunnar Haslinger gh.bettercrypto at hitco.at
Fri Mar 17 11:30:18 CET 2017

Am 2017-03-17 10:24, schrieb Hanno Böck:

> HPKP is a nice feature, but it absolutely requires a solid
> understanding and a good plan to avoid its pitfalls. If you're not
> capable of having a good key rollover plan then you shouldn't deploy

I already agreed to this before.

But you still need to use the CertBot with a CSR and not in the 
"straight-forward new-key" way, because you have to use pre-generated 
and pre-deployed Keys.

Let's try an example:

HPKP Max-Age: for example 60 days
Let's Encrypt Certs are valid for 90 days, but let's say we like to 
renew every ~70 to have some spare time.

=> that means, you have to pre-deploy at least 2 unused backup Keys in 
your HPKP-Header.

initial Deployment:
1. Generate an LE-Cert with a fresh PrivateKey and use it for your 
2. Generate at least 2 additional fresh RSA-Keypairs for later and store 
them in a safe (offline) place
3. Deploy a Pinning for these 3 Keys in your HPKP-Header

after ~70 Days you have to renew your LE-Cert:
-> Using the certbot in a straight-forward way is not suitable!
-> You have to use one of your 2 pre-deployed Backup keys, not a fresh 
=> So, you have to use CSR mode with one of the 2 prepared Backup-Keys, 
do it with a CSR as I described in my blog

1. Generate at least 1 additional fresh RSA-Keypair for later and store 
it again in a safe (offline) place
2. Add this newly generated, unused Key to the HPKP-Header
3. Change Webserver-Certificate to the new one you got by using LE in 
CSR-Mode with the Backup-Key
4. Remove the now unused old Key from HPKP-Header

For the next Renewal, same procedure, but be aware:
The prepared Keypair used for your next Key-Change has to be pre-deployed 
in your HPKP-Header for at least Max-Age days (60).

If you don't want to use the CSR-Mode and want to use the LE-CertBot in 
"straight-forward" mode:
You cannot use HPKP Max-Age 60 Days, because you would have to wait for 
60 days after adding the new key before actually using the cert. So there 
is only little remaining time left until it has to be renewed again. You 
may be able to do this if you keep the Max-Age Value short, for example 
10 Days - but not with ~30/~60 and more.

best regards,
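
The procedure above as a shell walk-through with the openssl CLI. This is an added example, not code from Gunnar's post or from his blog: it pre-generates the active key plus two backup keys, computes the HPKP pin of each (RFC 7469: base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo), prints a Public-Key-Pins header with a 60-day max-age, and then builds the renewal CSR from one of the pre-generated backup keys so that `certbot --csr` reuses a key that is already pinned instead of creating a fresh one. The file names, the hostname example.com and the 2048-bit key size are assumptions; openssl must be installed, and certbot itself is only shown in a comment.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Assumptions: openssl CLI is
# available; file names under a temp dir and the CN example.com are made up.
set -eu

# pin-sha256 value for the public key belonging to a private key file
spki_pin() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# pin-sha256 value for the public key carried in a CSR, to confirm the CSR
# really uses the pre-deployed backup key and not a freshly generated one
csr_pin() {
  openssl req -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# generate a 2048-bit RSA private key into the given file
gen_key() {
  openssl genrsa -out "$1" 2048 2>/dev/null
}

# Public-Key-Pins header: first argument is max-age in seconds, the rest are
# key files (the active key followed by the pre-deployed backup keys)
build_hpkp_header() {
  max_age="$1"; shift
  header="Public-Key-Pins: "
  for key in "$@"; do
    header="${header}pin-sha256=\"$(spki_pin "$key")\"; "
  done
  printf '%smax-age=%s' "$header" "$max_age"
}

# CSR from a pre-generated key: $1 key file, $2 hostname, $3 output CSR path
make_csr() {
  openssl req -new -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null
}

WORK=$(mktemp -d)
gen_key "$WORK/active.key"     # key of the certificate currently served
gen_key "$WORK/backup1.key"    # backup keys: pinned, unused, stored offline
gen_key "$WORK/backup2.key"

# 60 days * 86400 s = 5184000 s; all three pins must have been served for at
# least this long before a backup key may be put into service
HPKP_HEADER=$(build_hpkp_header 5184000 \
  "$WORK/active.key" "$WORK/backup1.key" "$WORK/backup2.key")
echo "$HPKP_HEADER"

# renewal after ~70 days: CSR from backup1.key, never from a fresh key; hand
# it to certbot, e.g.  certbot certonly --csr "$WORK/backup1.csr" --webroot -w /var/www
make_csr "$WORK/backup1.key" example.com "$WORK/backup1.csr"
echo "CSR pin: $(csr_pin "$WORK/backup1.csr") (must be one of the pinned values)"
```

After the new certificate is installed, the next backup key is generated and added to the header, and the old active key's pin is dropped; the check that the CSR's pin equals one of the currently served pins is the one to run before every renewal, since a mismatch means clients that honour the old header will refuse the new certificate for the rest of max-age.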
