This page is a work in progress!!
This page contains some details on how to renew certificates with Let's Encrypt using the same key, which is very helpful in supporting authentication via a SPKI pinset. Thanks to Willem Toorop and Ralph Dolmans at NLnet Labs for developing this!
Use the certbot interface to renew the cert, for example:
https://dehydrated.de/ is a great tool for automating the renewal workflow, particularly if you want to use the DNS challenge method rather than the HTTP (web access) challenge.
An example configuration file is:
Private keys are then stored in
The SubjectAltNames are then enumerated in the file
Add one line in this for each 'group' of names that should share a certificate, e.g.
Then the challenge record needs to be provisioned in the corresponding zone in a record of the form
If you have many zones it can be helpful to use CNAMEs to redirect to a single zone that can hold the _acme-challenge records, e.g. <domain>.acme.example.com
The domain acme.example.com is then hosted only on the server that also runs dehydrated.
A script can then be used to deploy and clean the challenge in this domain. An example script is included below.
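The page's own script is not reproduced here. As an added example (not the page's or dehydrated's own code), here is a hook script that writes and removes the challenge TXT records in the acme.example.com zone and, at deploy time, checks that the renewed certificate still carries the pinned SPKI before it is rolled out. The zone name, the zone file path and the EXPECTED_PIN variable are assumptions.

```shell
#!/usr/bin/env bash
# Added example hook for dehydrated (not the page's own script).
# Assumes: _acme-challenge.<domain> is a CNAME to <domain>.acme.example.com,
# that zone is served from this host as the plain zone file $ACME_ZONE_FILE,
# and $EXPECTED_PIN is the base64 SHA-256 SPKI pin already published to clients.
set -euo pipefail
ACME_ZONE="${ACME_ZONE:-acme.example.com}"                           # assumed zone name
ACME_ZONE_FILE="${ACME_ZONE_FILE:-/var/named/acme.example.com.zone}" # assumed path
EXPECTED_PIN="${EXPECTED_PIN:-}"

# dehydrated calls: deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
deploy_challenge() {
    local domain="$1" token="$3"
    printf '%s.%s. 60 IN TXT "%s"\n' "$domain" "$ACME_ZONE" "$token" >>"$ACME_ZONE_FILE"
}

# dehydrated calls: clean_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
clean_challenge() {
    local domain="$1" token="$3" tmp
    tmp="$(mktemp)"
    grep -v -F "$domain.$ACME_ZONE. 60 IN TXT \"$token\"" "$ACME_ZONE_FILE" >"$tmp" || true
    mv "$tmp" "$ACME_ZONE_FILE"
}

# base64(SHA-256(DER SubjectPublicKeyInfo)): the value a SPKI pinset carries.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary | base64
}

# dehydrated calls: deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# Refuse to roll out a renewed cert whose key, and therefore pin, has changed.
deploy_cert() {
    local domain="$1" certfile="$3" pin
    pin="$(spki_pin "$certfile")"
    if [ -n "$EXPECTED_PIN" ] && [ "$pin" != "$EXPECTED_PIN" ]; then
        echo "SPKI pin for $domain changed to $pin (pinset has $EXPECTED_PIN); not deploying" >&2
        return 1
    fi
    echo "SPKI pin for $domain unchanged: $pin"
}

# Dispatch on the hook name dehydrated passes as the first argument.
if [ "$#" -gt 0 ]; then
    hook="$1"; shift
    case "$hook" in
        deploy_challenge|clean_challenge|deploy_cert) "$hook" "$@" ;;
        *) ;;  # other hooks (startup_hook, exit_hook, ...) are no-ops
    esac
fi
```

Keep `PRIVATE_KEY_RENEW="no"` in dehydrated's config so the key is reused on renewal; the deploy_cert check then only fires if something else replaced the key.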