This page is a work in progress!!
This page contains some details on how to renew certificates with Let's Encrypt using the same key, which is very helpful in supporting authentication via a SPKI pinset. Thanks to Willem Toorop and Ralph Dolmans at NLnet Labs for developing this!
Use the certbot interface to renew the cert, for example
https://dehydrated.de/ is a great tool for automating the renewal workflow, particularly if you want to use the DNS challenge method, rather than web access.
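Because the whole point of same-key renewal is that the SPKI pin clients already hold stays valid, it is worth verifying that a renewed certificate really does carry the pinned public key before it is deployed. The following shell check is an added example, not code from this page or from dehydrated itself; it assumes openssl is on PATH, and PRIVATE_KEY_RENEW is dehydrated's own config option for keeping the key across renewals.

```shell
#!/bin/sh
# Added example for this page, not part of dehydrated or the original wiki text.
# Before a renewed certificate is deployed, confirm that it still carries the
# public key whose SPKI pin clients have configured. With dehydrated the key is
# kept across renewals by setting PRIVATE_KEY_RENEW="no" in its config; this
# script checks that the setting actually took effect for a given renewal.
#
# Pin format: base64( SHA-256( DER-encoded SubjectPublicKeyInfo ) ), which is
# the value published in DNS-over-TLS / HTTP pinning configurations.

spki_pin_from_cert() {   # $1 = PEM certificate
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64
}

spki_pin_from_key() {    # $1 = PEM private key
    openssl pkey -in "$1" -pubout -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64
}

# Succeeds (exit 0) when the certificate and the private key share the same
# SPKI pin, i.e. the pinset already shipped to clients remains valid.
pin_matches() {          # $1 = PEM certificate, $2 = PEM private key
    cert_pin=$(spki_pin_from_cert "$1")
    key_pin=$(spki_pin_from_key "$2")
    [ -n "$cert_pin" ] && [ "$cert_pin" = "$key_pin" ]
}

# Usable as a dehydrated hook script. dehydrated invokes the hook as
#   hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# so $2 is the domain, $3 the key file and $4 the certificate file.
# A non-zero exit makes a changed pin visible in dehydrated's output.
if [ "${1:-}" = "deploy_cert" ]; then
    if pin_matches "$4" "$3"; then
        echo "SPKI pin unchanged for $2: $(spki_pin_from_key "$3")"
    else
        echo "SPKI pin CHANGED for $2 - certificate no longer matches pinned key" >&2
        exit 1
    fi
fi
```

Run it directly as `sh check-pin.sh deploy_cert acme.example.com privkey.pem cert.pem x x x`, or call `pin_matches cert.pem privkey.pem` from your own deploy step.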
Private keys are then stored in
The SubjectAltNames are then enumerated in the file
Add one line in this for each 'group' of names that should share a certificate, e.g.
Then the challenge record needs to be provisioned in the corresponding zone in a record of the form _acme-challenge.<domain name>
The domain acme.example.com is then hosted only on the server that also runs dehydrated.
A script can then be used to deploy and clean the challenge in this domain. An example script is included below