Let’s Encrypt continued

The first certificate I’ve ordered during the closed beta phase has been replaced now. HPKP is enabled again. With the standard Let’s Encrypt (LE) procedure, a new private key is generated every time a new certificate is issued, which invalidates any HPKP pin set on the previous key.

In order to be able to enable HPKP again, you either need to use the standard LE client with a previously created CSR or use some other client.

With the LE client, that would mean letsencrypt-auto certonly -a manual --csr {csr}, as outlined in an article by Thomas Leister (in German).

One very nice alternative client is acme-tiny. I’ve decided to follow that route. It’s quite nicely outlined in a post by Scott Helme.
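As an added example (not the post’s own code and not part of acme-tiny), a POSIX shell script that keeps one private key across renewals, builds the CSR from it for the ACME client, and derives the HPKP pin from the key, the CSR or the issued certificate so you can confirm the new certificate still matches the pinned key; it assumes openssl (1.1.1 or newer, for -addext) is installed, and the file names and hostnames are hypothetical.

```shell
#!/bin/sh
# Added example: persistent domain key + CSR so the HPKP pin survives renewals.
# Assumes openssl is installed; DOMAIN_KEY/DOMAIN_CSR paths are hypothetical.
set -eu

DOMAIN_KEY="${DOMAIN_KEY:-domain.key}"   # private key, reused on every renewal
DOMAIN_CSR="${DOMAIN_CSR:-domain.csr}"   # CSR handed to the ACME client each time

# Generate the private key only once; later renewals reuse it, so the pin stays valid.
ensure_domain_key() {
    if [ ! -f "$DOMAIN_KEY" ]; then
        openssl genrsa -out "$DOMAIN_KEY" 2048 2>/dev/null
        chmod 600 "$DOMAIN_KEY"
    fi
}

# Build a CSR for the given hostnames (first one is the CN) from the persistent key.
make_csr() {
    [ $# -ge 1 ] || { echo "usage: make_csr host [host...]" >&2; return 1; }
    ensure_domain_key
    san=""
    for host in "$@"; do
        san="${san:+$san,}DNS:$host"
    done
    openssl req -new -sha256 -key "$DOMAIN_KEY" -subj "/CN=$1" \
        -addext "subjectAltName=$san" -out "$DOMAIN_CSR" 2>/dev/null
}

# HPKP pin = base64(SHA-256(DER SubjectPublicKeyInfo)), taken from a key, CSR or cert.
# Usage: spki_pin key|csr|cert FILE
spki_pin() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout -outform DER 2>/dev/null ;;
        csr)  openssl req -in "$2" -pubkey -noout 2>/dev/null | openssl pkey -pubin -outform DER ;;
        cert) openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl pkey -pubin -outform DER ;;
        *)    echo "spki_pin: unknown kind '$1'" >&2; return 1 ;;
    esac | openssl dgst -sha256 -binary | openssl enc -base64
}

# Returns 0 if the freshly issued certificate carries the pinned key, 1 otherwise.
pin_matches() {
    [ "$(spki_pin key "$DOMAIN_KEY")" = "$(spki_pin cert "$1")" ]
}
```

Run make_csr before each renewal and hand DOMAIN_CSR to the client; after issuance, pin_matches on the new certificate guards against deploying a certificate whose key no longer matches the published pin.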

I still haven’t established a proper key turnover procedure for standard TLS certificates and for DNSSEC (where the key registration with the TLD is the most challenging and time-intensive task, depending on your provider). That’s some project for rainy, boring