On Sun, Jun 29, 2025 at 09:00:30AM +0000, Fehlauer, Norbert via mailop wrote:
> Thanks for your detailed answer. So create a "self-signed cert", get
> the hash for the TLSA record and publish it, and when the time for
> expiration of the first certificate comes, I generate a new CSR from
> the self-signed cert and let this one be signed by a public CA, right?

I don't understand what you have in mind. The above is terse and uses
terminology in a fuzzy way I can't quite pin down.

What do you need the "self-signed" cert for? You can just keep using the
original CSR, or create a new CSR on the fly holding the public key,
obtained from the stable private key. So it is really just the private
key you need to retain.

One way or another publish new TLSA records first, then after a few TTLs
activate the key + cert, then drop stale TLSA records. Repeat...

-- 
Viktor.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
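The rollover sequence in the reply above (publish the new TLSA record first, wait a few TTLs, activate the key and cert, then drop the stale record) modelled in Python, as an added example that is not part of the thread or of any mail or DNS software. It also shows why the self-signed cert is unnecessary: a "3 1 1" record digests only the SubjectPublicKeyInfo, so a self-signed cert and a CA-issued cert over the same key produce the same record. The SPKI byte strings, the issuer names, the TTL and the number of TTLs to wait are all constructed placeholders, not values from the thread.

```python
"""DANE TLSA "3 1 1" key rollover as a small state machine.

Added example, not code from the mailop thread or any project. Real keys
are replaced by constructed placeholder bytes; a real SPKI would come from
`openssl pkey -pubout -outform DER`.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Callable

TTL = 3600          # assumed TTL of the TLSA RRset, in seconds
SAFE_TTLS = 2       # assumed number of TTLs to wait before activating

# Constructed placeholders standing in for DER SubjectPublicKeyInfo blobs.
SPKI_A = b"constructed-spki-A"
SPKI_B = b"constructed-spki-B"


def tlsa_3_1_1(spki_der: bytes) -> str:
    """TLSA usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256).

    Only the public key is hashed, so any certificate carrying this key,
    self-signed or CA-issued, matches the same record.
    """
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


@dataclass
class Cert:
    issuer: str          # constructed label, not used for matching
    spki: bytes          # the key the certificate certifies


@dataclass
class Rollover:
    """Published TLSA RRset plus the certificate currently served."""
    rrset: Dict[str, int] = field(default_factory=dict)   # record -> publish time
    active: Optional[Cert] = None

    def publish(self, cert: Cert, now: int) -> str:
        rec = tlsa_3_1_1(cert.spki)
        self.rrset.setdefault(rec, now)   # keep the original publish time
        return rec

    def activate(self, cert: Cert, now: int) -> None:
        rec = tlsa_3_1_1(cert.spki)
        if rec not in self.rrset:
            raise RuntimeError("TLSA record for the new key is not published")
        if now < self.rrset[rec] + SAFE_TTLS * TTL:
            raise RuntimeError("resolver caches may still lack the new record")
        self.active = cert

    def retire(self, cert: Cert) -> None:
        rec = tlsa_3_1_1(cert.spki)
        if self.active is not None and tlsa_3_1_1(self.active.spki) == rec:
            raise RuntimeError("refusing to drop the record of the active key")
        self.rrset.pop(rec, None)

    def dane_ok(self) -> bool:
        """Would a DANE-verifying sender accept the active certificate?"""
        return self.active is not None and tlsa_3_1_1(self.active.spki) in self.rrset


def rejected(action: Callable[[], None]) -> bool:
    """True if the action is refused by one of the safety checks."""
    try:
        action()
    except RuntimeError:
        return True
    return False


def run_rollover() -> List[bool]:
    """Walk through one key rollover; returns dane_ok() after each step."""
    r = Rollover()
    old = Cert("Public CA (constructed)", SPKI_A)
    r.publish(old, now=0)
    r.activate(old, now=SAFE_TTLS * TTL)
    states = [r.dane_ok()]

    new = Cert("Public CA (constructed)", SPKI_B)
    r.publish(new, now=100_000)                       # 1: publish first
    states.append(r.dane_ok())                        # old key still verifies
    r.activate(new, now=100_000 + SAFE_TTLS * TTL)    # 2: after a few TTLs
    states.append(r.dane_ok())
    r.retire(old)                                     # 3: drop the stale record
    states.append(r.dane_ok())
    return states


if __name__ == "__main__":
    print(tlsa_3_1_1(SPKI_A))
    print(run_rollover())
```

Renewing the CA-signed certificate without changing the key needs no DNS change at all, since `tlsa_3_1_1` of the new certificate equals that of the old one; the three-step dance is only needed when the private key itself is replaced.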