• 1 Post
  • 29 Comments
Joined 1 year ago
cake
Cake day: July 7th, 2023

help-circle


  • Also delete your expired certificate if you have one (for example after a year)

    This is likely a bad mistake. Keep the old cert around.

    There’s two possibilities:

    The first possibility is that Actalis uses the same key pair for the new cert. This is not a great approach because it doesn’t defend against a leaked key or key overuse. After all, if the key can be trusted longer than a year, the first cert they issued should be valid for longer.

    The second, and much worse possibility, is that renewing the cert gets a different private key. This can case data loss. Deleting the old identity means you lose the ability to decrypt any messages that were encrypted using that key! Even if your mail client stores the previously encrypted emails in decrypted form, you may receive a new email from a sender who does not yet have your new cert.