This page is a work in progress!!
This page contains some details on how to renew certificates with Let's Encrypt using the same key, which is very helpful in supporting authentication via a SPKI pinset.
This assumes that you will use certbot in conjunction with Let's Encrypt and you have an existing key <my_key_file> that was use to sign the previous certificate.
Create your new CSR from your existing private key using 'openssl req'
Use the certbot interface to renew the cert using the same key, for example using web authenticaiton
or using dns challenge
For the dns challenge mode, step 2 outputs a TXT file that must be added to the corresponding zone <my_authentication_name> before the certificate can be issued and instructs something like:
Manually add the TXT record and wait until it has propagated e.g. use dig to 126.96.36.199 to obtain the new TXT record.
Restart the nameserver or proxy to have it use the new certification.
There are a number of ways to do this but one common one is to use https://dehydrated.de/ It is nice for automating the renewal workflow, particularly if you want to use the DNS challenge method, rather than web access. Thanks to Willem Toorop and Ralph Dolmans at NLnet Labs for developing this automated solution!
An example configuration file is:
Private keys are then stored in
The SubjectAltNames are then enumerated in the file
Add one line in this for each 'group' of names that should share a certificate e.g
Then the challenge record needs to be provisioned in the corresponding zone in a record of the form
If you have many zones it can be helpful to use CNAMES to redirect to a single zone that can hold the acme_challenge records e.g. <domain>.acme.example.com
The domain acme.example.com is then hosted only on the server that also runs dehydrated.
A script can then be used to deploy and clean the challenge in this domain. An example script is included below