Add a Public-Key-Pins HTTP header carrying the SPKI hash of the leaf certificate's public key, plus the hashes of one or more offline backup key pairs. The backup pin is not optional: RFC 7469 requires at least one pin that is not in the served chain, and without a backup key a lost or compromised leaf key locks every returning visitor out for the whole max-age. (HPKP has since been dropped by Chrome and Firefox and was never implemented by Safari, so today this is mostly of historical and internal-client interest.)
Out-of-the-box Let's Encrypt with certbot's auto-renew generates a fresh private key on every renewal, and with 90-day certificates that means a new public key roughly every two months. We can't pin to a moving target, so we need to either keep a fixed key pair and automate with the --csr flag to certbot, or use something like acme-tiny (blog post), which signs a CSR we supply.