This page is a work in progress!!

This page contains some details on how to renew certificates with Let's Encrypt using the same key, which is very helpful in supporting authentication via a SPKI pinset. Thanks to Willem Toorop and Ralph Dolmans at NLnet Labs for developing this!

Manual renewal

  1. Create your new CSR from your existing private key using 'openssl req'

    openssl req -new -key <my_key_file>

  2. Use the certbot interface to renew the cert, for example using web authentication:

    certbot certonly -d getdnsapi.net --csr /usr/local/certs/getdnsapi.net.csr --webroot -w /home/website/public

    or using the DNS challenge:

    certbot certonly -d getdnsapi.net --csr /usr/local/certs/getdnsapi.net.csr --preferred-challenges dns --manual
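
Because the point of reusing the key is that the SPKI pin stays the same, it is worth confirming that the key, the CSR and the issued certificate all hash to one pin. The script below is an added example, not part of the original page or of certbot; the function names are this example's own, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: SPKI pin = base64(SHA-256(DER SubjectPublicKeyInfo)).
# Function names are this example's own, not certbot or getdns interfaces.

# Turn a PEM public key (passed as $1) into a pin. An empty argument means
# the extraction step failed; refuse it rather than hash empty input, which
# would give every unreadable file the same "matching" pin.
pin_from_pubkey() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary | openssl enc -base64
}

spki_pin_key()  { pin_from_pubkey "$(openssl pkey -in "$1" -pubout)"; }
spki_pin_csr()  { pin_from_pubkey "$(openssl req -in "$1" -noout -pubkey)"; }
spki_pin_cert() { pin_from_pubkey "$(openssl x509 -in "$1" -noout -pubkey)"; }

# check_same_pin KEY CSR [CERT]
# Prints the pin and returns 0 when all files carry the same public key,
# 1 on a mismatch, 2 when a file cannot be parsed.
check_same_pin() {
    want=$(spki_pin_key "$1") || { echo "cannot read key: $1" >&2; return 2; }
    got=$(spki_pin_csr "$2") || { echo "cannot read CSR: $2" >&2; return 2; }
    [ "$got" = "$want" ] || { echo "CSR pin $got != key pin $want" >&2; return 1; }
    if [ -n "${3:-}" ]; then
        got=$(spki_pin_cert "$3") || { echo "cannot read cert: $3" >&2; return 2; }
        [ "$got" = "$want" ] || { echo "cert pin $got != key pin $want" >&2; return 1; }
    fi
    printf '%s\n' "$want"
}

# Run as: sh check_pin.sh KEY CSR [CERT]
if [ "$#" -ge 2 ]; then
    check_same_pin "$@"
fi
```

Run it on the key and CSR before calling certbot, and again with the issued certificate as the third argument before relying on the pinset.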

Automated renewal

https://dehydrated.de/ is a great tool for automating the renewal workflow, particularly if you want to use the DNS challenge method rather than web access.