Specifying certificates in master.cf


Specifying certificates in master.cf

linkcheck
I have been running postfix for several years. The latest certificate has
almost run out so I switched to letsencrypt. Whilst installing the
certificate and key in master.cf it occurred to me to wonder if I wasn't
over-specifying their use. I have checked around the web and found nothing
like my setup for master.cf. I have the following for smtp and submission...

smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamfilter
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/(name).pem
  -o smtpd_tls_key_file=/etc/letsencrypt/live/(name).pem
  -o smtp_tls_cert_file=/etc/letsencrypt/live/(name).pem
  -o smtp_tls_key_file=/etc/letsencrypt/live/(name).pem

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_auth_enable=yes
  -o receive_override_options=no_header_body_checks
#  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/(name).pem
  -o smtpd_tls_key_file=/etc/letsencrypt/live/(name).pem
  -o smtp_tls_cert_file=/etc/letsencrypt/live/(name).pem
  -o smtp_tls_key_file=/etc/letsencrypt/live/(name).pem

Do I need smtp_tls_cert/key in the smtp section or is it superfluous/stupid?

Also, some time back I picked up the line...
  -o milter_macro_daemon_name=ORIGINATING
but never got around to implementing it. Is this something I should use? I
am unclear as to its purpose.






--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: Specifying certificates in master.cf

@lbutlr
On Sep 30, 2019, at 7:53 AM, linkcheck <[hidden email]> wrote:
> I have the following for smtp and submission…

Seems like a lot.

This is all I have, in main.cf:

smtpd_tls_cert_file = /usr/local/etc/dehydrated/certs/covisp.net/fullchain.pem
smtpd_tls_key_file = /usr/local/etc/dehydrated/certs/covisp.net/privkey.pem

>  -o milter_macro_daemon_name=ORIGINATING
> but never got around to implementing it. Is this something I should use? I
> am unclear as to its purpose.

It tells the filter that authenticated mail should be treated as it is locally originating. It is needed for most filters because otherwise they would treat new mail from local accounts as arriving mail, and everything goes pear-shaped in a hand basket of good intentions, so to speak.



--
"If this is the best God can do, I'm not impressed."


Re: Specifying certificates in master.cf

Anton Rieger
In reply to this post by linkcheck
>smtp      inet  n       -       n       -       -       smtpd
>  -o smtpd_tls_cert_file=/etc/letsencrypt/live/(name).pem
>  -o smtpd_tls_key_file=/etc/letsencrypt/live/(name).pem
>  -o smtp_tls_cert_file=/etc/letsencrypt/live/(name).pem
>  -o smtp_tls_key_file=/etc/letsencrypt/live/(name).pem
>
>submission inet n       -       n       -       -       smtpd
>  -o smtpd_tls_cert_file=/etc/letsencrypt/live/(name).pem
>  -o smtpd_tls_key_file=/etc/letsencrypt/live/(name).pem
>  -o smtp_tls_cert_file=/etc/letsencrypt/live/(name).pem
>  -o smtp_tls_key_file=/etc/letsencrypt/live/(name).pem

In Postfix 3.4 "smtp(d)_tls_chain_files" was introduced.
It combines tls_key and tls_cert and their specific counterparts for non-RSA certs.

You can use it as follows:
  smtp_tls_chain_files = /path/to/cert.pem, /path/to/anothercert.pem
(They can also be separated by just a space.)
And the cert being of the form:
  key1, cert1, [chain1], key2, cert2, [chain2], ..., keyN, certN, [chainN]

This is especially useful if you're using RSA and e.g. Ed25519.

>Do I need smtp_tls_cert/key in the smtp section or is it superfluous/stupid?

Please note that smtp(d)_tls_cert_file may also contain the RSA private key, thus
specifying it again is redundant.

Please note:
smtpd_tls* is for receiving connections.
smtp_tls* is for outgoing connections.
You're specifying the same certificate, thus making it redundant.
You may shorten it to just two lines in your main.cf:

  smtp_tls_chain_files = /etc/letsencrypt/live/(name).pem
  smtpd_tls_chain_files = /etc/letsencrypt/live/(name).pem

Greetings
Anton

Re: Specifying certificates in master.cf

Viktor Dukhovni
In reply to this post by linkcheck
On Mon, Sep 30, 2019 at 06:53:38AM -0700, linkcheck wrote:

>  I have the following for smtp and submission...
>
> smtp      inet  n       -       n       -       -       smtpd
>   [...]
>   -o smtpd_tls_cert_file=/etc/letsencrypt/live/(name).pem
>   -o smtpd_tls_key_file=/etc/letsencrypt/live/(name).pem

These are fine, but why set them in master.cf and not main.cf?

>   -o smtp_tls_cert_file=/etc/letsencrypt/live/(name).pem
>   -o smtp_tls_key_file=/etc/letsencrypt/live/(name).pem

These are useless here, only the first two are applicable to smtpd(8).

> submission inet n       -       n       -       -       smtpd
>   [...]
> #  -o milter_macro_daemon_name=ORIGINATING

Needed if you're doing DKIM signing with milters, otherwise harmless,
so best added just in case some day you start doing that.

>   -o smtpd_tls_cert_file=/etc/letsencrypt/live/(name).pem
>   -o smtpd_tls_key_file=/etc/letsencrypt/live/(name).pem

These are fine, but why set them in master.cf and not main.cf?  Are
the names different for SUBMIT vs. SMTP?  With Postfix 3.4 that
could also be handled via SNI, but with just two names, one could
be the main.cf default, with only one override in master.cf.

Also, I'd use variables:

  master.cf:
    -o smtpd_tls_cert_file=$submit_cert_file
    -o smtpd_tls_key_file=$submit_key_file

  main.cf:
    submit_cert_file = /etc/letsencrypt/live/(name).pem
    submit_key_file = /etc/letsencrypt/live/(name).pem

>   -o smtp_tls_cert_file=/etc/letsencrypt/live/(name).pem
>   -o smtp_tls_key_file=/etc/letsencrypt/live/(name).pem

These are useless here, only the first two are applicable to smtpd(8).

> Do I need smtp_tls_cert/key in the smtp section or is it superfluous/stupid?

The latter.

--
        Viktor.

Re: Specifying certificates in master.cf

linkcheck
In reply to this post by Anton Rieger
> In Postfix 3.4

Thanks, but I'm on 3.1.1 due to the Ubuntu/Mint version.

> smtpd_tls* is for receiving connections.
> smtp_tls* is for outgoing connections.
> You're specifying the same certificate, thus making it redundant.
> You may shorten it to just two lines in your main.cf:

Thanks. Is that just for the smtp section? I understood from past reading on
the internet that I had to specify the cert data for smtp and submission as
well as in main.cf, hence my current master.cf.




Re: Specifying certificates in master.cf

linkcheck
In reply to this post by @lbutlr
@lbutlr wrote
> On Sep 30, 2019, at 7:53 AM, linkcheck <[hidden email]> wrote:
>> I have the following for smtp and submission…
>
> Seems like a lot.
>
> This is all I have, in main.cf:
>
> smtpd_tls_cert_file =
> /usr/local/etc/dehydrated/certs/covisp.net/fullchain.pem
> smtpd_tls_key_file =
> /usr/local/etc/dehydrated/certs/covisp.net/privkey.pem

Most of the installation info I have read online gives something similar to
my original posting for master.cf. I can understand removing the smtp_cert
lines from the smtp section (hence the question) but was not aware I did not
need any cert specifications in master.cf.

>  -o milter_macro_daemon_name=ORIGINATING

Thanks for the information. I will un-comment it.





Re: Specifying certificates in master.cf

Viktor Dukhovni
> On Oct 1, 2019, at 9:21 AM, linkcheck <[hidden email]> wrote:
>
> Most of the installation info I have read online gives something similar to
> my original posting for master.cf. I can understand removing the smtp_cert
> lines from the smtp section (hence the question) but was not aware I did not
> need any cert specifications in master.cf.

See http://www.postfix.org/master.5.html (or man -s 5 master).

SYNTAX
    ...
    Command name + arguments
        ...
              -o name=value (short form)
                     Override  the  named main.cf configuration parameter. The
                     parameter value can refer to other  parameters  as  $name

                     etc.,  just like in main.cf.  See postconf(5) for syntax.

                     NOTE 1: With the  "long  form"  shown  above,  whitespace
                     after  "{",  around  "=",  and before "}" is ignored, and
                     whitespace within the parameter value is preserved.

                     NOTE 2: with the "short form" shown above, do not specify
                     whitespace  around  the  "="  or  in parameter values. To
                     specify a parameter value that contains  whitespace,  use
                     the  long  form described above, or use commas instead of
                     spaces, or specify the value in main.cf. Example:

                     /etc/postfix/master.cf:
                         submission inet .... smtpd
                             -o smtpd_xxx_yyy=$submission_xxx_yyy

                     /etc/postfix/main.cf

                         submission_xxx_yyy = text with whitespace...

                     NOTE 3: Over-zealous use of parameter overrides makes the
                     Postfix  configuration  hard  to understand and maintain.
                     At a certain point, it might be easier to configure multiple
                     instances of Postfix, instead of configuring multiple
                     personalities via master.cf.

Since the "-o" options are *overrides*, if an option has the
right value in main.cf, there is no need for an override.

The only practical exception that comes to mind is that the
smtpd_mumble_restrictions (for various values of "mumble")
should have defensive overrides in the submission entry of
master.cf (setting most of them empty).

This is because the submission restrictions almost never
match the inbound SMTP restrictions and once set rarely
need any changes, and it would be too easy to break the
former while making changes to the latter.

--
        Viktor.


Re: Specifying certificates in master.cf

linkcheck
In reply to this post by Viktor Dukhovni
Viktor Dukhovni wrote

> On Mon, Sep 30, 2019 at 06:53:38AM -0700, linkcheck wrote:
>
>>  I have the following for smtp and submission...
>>
>> smtp      inet  n       -       n       -       -       smtpd
>>   [...]
>>   -o smtpd_tls_cert_file=/etc/letsencrypt/live/(name).pem
>>   -o smtpd_tls_key_file=/etc/letsencrypt/live/(name).pem
>
> These are fine, but why set them in master.cf and not main.cf?

I have them all in main.cf as well but readings online mostly suggest adding
them to master.cf in various ways as well, often in the way I have it in
mine.


>>   -o smtp_tls_cert_file=/etc/letsencrypt/live/(name).pem
>>   -o smtp_tls_key_file=/etc/letsencrypt/live/(name).pem
>
> These are useless here, only the first two are applicable to smtpd(8).

Thanks. That was what I wondered.


>> submission inet n       -       n       -       -       smtpd
>>   [...]
>> #  -o milter_macro_daemon_name=ORIGINATING
>
> Needed if you're doing DKIM signing with milters, otherwise harmless,
> so best added just in case some day you start doing that.

Thanks. I will un-comment it.


>>   -o smtpd_tls_cert_file=/etc/letsencrypt/live/(name).pem
>>   -o smtpd_tls_key_file=/etc/letsencrypt/live/(name).pem
>
> These are fine, but why set them in master.cf and not main.cf?  Are
> the names different for SUBMIT vs. SMTP?  With Postfix 3.4 that
> could also be handled via SNI, but with just two names, one could
> be the main.cf default, with only one override in master.cf.

They all specify the same file pair. And I'm on 3.1.1 due to the version of
Mint.


> Also, I'd use variables:

Is that possible in 3.1.1? Although if I only specify the certs in main.cf
that would probably be over-kill.


>> Do I need smtp_tls_cert/key in the smtp section or is it
>> superfluous/stupid?
>
> The latter.

Thanks.

I assume that does not apply to the files in main.cf.





Re: Specifying certificates in master.cf

Viktor Dukhovni
> On Oct 1, 2019, at 9:43 AM, linkcheck <[hidden email]> wrote:
>
> I assume that does not apply to the files in main.cf.

Why assume anything, Postfix comes with documentation,
and there is also a decent book by No Starch Press,
which though dated on some bleeding edge new features,
covers all the basics.  The O'Reilly book is also fine.

--
        Viktor.


Re: Specifying certificates in master.cf

linkcheck
In reply to this post by Viktor Dukhovni
Viktor Dukhovni wrote
>> On Oct 1, 2019, at 9:21 AM, linkcheck <[hidden email]> wrote:
>
> See http://www.postfix.org/master.5.html (or man -s 5 master).
>
> Since the "-o" options are *overrides*, if an option has the
> right value in main.cf, there is no need for an override.

Thanks, Viktor. I understand now.





Re: Specifying certificates in master.cf

Matus UHLAR - fantomas
In reply to this post by linkcheck
>> In Postfix 3.4

On 01.10.19 06:13, linkcheck wrote:
>Thanks, but I'm on 3.1.1 due to Ubuntu/Mint version.

Then you need separate key and cert files.

>> smtpd_tls* is for receiving connections.
>> smtp_tls* is for outgoing connections.
>> You're specifying the same certificate thus makings it redundant.
>> You may shorten it to just two lines in your main.cf:
>
>Thanks. Is that just for the smtp section? I understood from past reading on
>the internet that I had to specify the cert data for smtp and submission as
>well as in main.cf, hence my current master.cf.

Not needed, unless you want to override globals.

Also, smtp_tls* is unneeded in smtpd config, since it's related to smtp
client. And, you probably don't authenticate to others using your
certificate, so it's apparently useless too.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
LSD will make your ECS screen display 16.7 million colors

Re: Specifying certificates in master.cf

Viktor Dukhovni
On Tue, Oct 01, 2019 at 05:59:19PM +0200, Matus UHLAR - fantomas wrote:

> >> In Postfix 3.4
>
> On 01.10.19 06:13, linkcheck wrote:
> >Thanks, but I'm on 3.1.1 due to Ubuntu/Mint version.
>
> then, you need separate key and cert file.

Actually, no.  With Postfix 3.x the default value of the key file
parameter is the cert file, and the same file can hold both the
cert and the key.

    $ postconf -d smtpd_tls_{cert,key}_file
    smtpd_tls_cert_file =
    smtpd_tls_key_file = $smtpd_tls_cert_file

What you don't get in 3.1.x is atomicity of key + cert updates,
because the file is opened and read twice, and support for chains for
multiple algorithms in a single file.

--
        Viktor.

Re: Specifying certificates in master.cf

linkcheck
Viktor Dukhovni wrote
> With Postfix 3.x the default value of the key file
> parameter is the cert file, and the same file can hold both the
> cert and the key.

Letsencrypt supplies 2 files. I don't think it combines them into a single
one, though I may be wrong. I know it's possible to combine them on the
server, but the auto-update of the cert then becomes complicated.




Re: Specifying certificates in master.cf

Viktor Dukhovni
> On Oct 1, 2019, at 12:39 PM, linkcheck <[hidden email]> wrote:
>
> Letsencrypt supplies 2 files. I don't think it combines them into a single
> one, though I may be wrong. I know it's possible to combine them on the
> server, but the auto-update of the cert then becomes complicated.

That's mostly OK.  You can use two files if you wish; there's a tiny
chance of a Postfix SMTP server reading a mismatched pair of key and
cert during a rollover, if you're changing both the cert and the key.

This can be avoided by staging a single file with both, which is
verified to have a matching key and cert before it atomically
replaces the live Postfix key + cert file.

Most users are very unlikely to see the race condition play out
on their system, but it probably happens to *someone* now and then
(law of large numbers and all that...).

--
        Viktor.


Re: Specifying certificates in master.cf

Phil Stracchino
In reply to this post by linkcheck
On 10/1/19 12:39 PM, linkcheck wrote:
> Viktor Dukhovni wrote
>> With Postfix 3.x the default value of the key file
>> parameter is the cert file, and the same file can hold both the
>> cert and the key.
>
> Letsencrypt supplies 2 files. I don't think it combines them into a single
> one, though I may be wrong. I know it's possible to combine them on the
> server, but the auto-update of the cert then becomes complicated.

But that's pretty trivial to do as a post-update certbot hook.  Though I
don't see why postfix needs a single combined file anyway, having
separate cert_file and key_file settings already...?


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: Specifying certificates in master.cf

Phil Stracchino
In reply to this post by Viktor Dukhovni
On 10/1/19 1:18 PM, Viktor Dukhovni wrote:
> Most users are very unlikely to see the race condition play out
> on their system, but it probably happens to *someone* now and then
> (law of large numbers and all that...).

Aaaaaah, good point.

Here's how I fix that for ejabberd, which REQUIRES a single file:

30 6,18 * * *  [[ /etc/letsencrypt/live/www.caerllewys.net/privkey.pem -nt /etc/jabber/server.pem ]] && cat /etc/letsencrypt/live/www.caerllewys.net/privkey.pem /etc/letsencrypt/live/www.caerllewys.net/fullchain.pem > /etc/jabber/server.pem && ejabberdctl restart

One could do something very similar for Postfix.  This can in theory be
set up as a certbot post-update hook, but in my experience the
post-update hook does not always reliably fire.


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: Specifying certificates in master.cf

Viktor Dukhovni
> On Oct 1, 2019, at 1:27 PM, Phil Stracchino <[hidden email]> wrote:
>
> Here's how I fix that for ejabberd, which REQUIRES a single file:
>
> 30 6,18 * * *  [[ /etc/letsencrypt/live/www.caerllewys.net/privkey.pem -nt /etc/jabber/server.pem ]] && cat /etc/letsencrypt/live/www.caerllewys.net/privkey.pem /etc/letsencrypt/live/www.caerllewys.net/fullchain.pem > /etc/jabber/server.pem && ejabberdctl restart
>
> One could do something very similar for Postfix.

Not similar, because unlike "ejabberd" which probably reads
the cert and key only on startup, Postfix starts new smtpd(8)
and smtp(8) processes as needed, and these reload the cert
at unpredictable times.

Postfix does not need a "reload" to get fresh certs, but ideally
the cert file should be updated atomically (write a new file and
rename into place).

As of Postfix 3.4, if you place both the cert and key into the
same file, the file is opened just once to read both, avoiding
the race condition, provided the file is updated atomically.

--
        Viktor.


Re: Specifying certificates in master.cf

Phil Stracchino
On 10/1/19 1:34 PM, Viktor Dukhovni wrote:

> Not similar, because unlike "ejabberd" which probably reads
> the cert and key only on startup, Postfix starts new smtpd(8)
> and smtp(8) processes as needed, and these reload the cert
> at unpredictable times.
>
> Postfix does not need a "reload" to get fresh certs, but ideally
> the cert file should be updated atomically (write a new file and
> rename into place).
>
> As of Postfix 3.4, if you place both the cert and key into the
> same file, the file is opened just once to read both, avoiding
> the race condition, provided the file is updated atomically.

And actually, I just revisited my certbot configuration.  When last I
updated it, hooks didn't seem to work properly.  Now they do, and the
deed can be accomplished by creating a one-liner such as the following
in /etc/letsencrypt/renewal-hooks/deploy:

#!/bin/sh
cat /etc/letsencrypt/live/DOMAIN/privkey.pem /etc/letsencrypt/live/DOMAIN/fullchain.pem > /destpath/COMBINED-STAGE.pem
mv /destpath/COMBINED-STAGE.pem /destpath/COMBINED-LIVE.pem


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958
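Viktor's recipe above (stage a combined file, verify that key and cert match, then rename it into place atomically) and Phil's deploy hook, written out as an added example that is not from this thread nor from Postfix or certbot. It assumes a destination of /etc/postfix/tls/combined.pem and that certbot exports RENEWED_LINEAGE (the live/DOMAIN directory) to deploy hooks; the match check compares the SubjectPublicKeyInfo of the key with the one in the leaf certificate using openssl.

```shell
#!/bin/sh
# Added example, not from the thread: a certbot deploy hook that builds the
# single key+cert file Postfix 3.4+ reads in one open (smtpd_tls_chain_files),
# verifies that the pair matches, and only then renames it into place.
# Assumptions: destination /etc/postfix/tls/combined.pem; certbot sets
# RENEWED_LINEAGE (the /etc/letsencrypt/live/DOMAIN directory) for deploy hooks.
set -eu

# Succeeds only if the private key in $1 belongs to the leaf certificate in $2.
# Both sides are reduced to their PEM SubjectPublicKeyInfo, so RSA and EC keys
# are handled alike. Each openssl call is checked on its own: a failed call
# must not leave an empty string that would compare equal to another one.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Write key + chain to a staging file beside the destination (same filesystem,
# so mv is a rename(2): an smtpd(8) started mid-update sees either the old or
# the new file, never a partial one), verify it, then install it.
# A mismatch leaves the live file untouched and returns non-zero.
install_combined() {
    key=$1; chain=$2; dest=$3
    stage="$dest.stage.$$"
    umask 077                              # the file carries the private key
    cat "$key" "$chain" > "$stage"
    if ! key_matches_cert "$stage" "$stage"; then
        rm -f "$stage"
        echo "$0: key in $key does not match cert in $chain; $dest unchanged" >&2
        return 1
    fi
    mv -f "$stage" "$dest"
    # No "postfix reload" needed: new smtpd(8)/smtp(8) processes read the
    # file when they start, as explained in the thread above.
}

# Entry point when certbot runs this as a deploy hook; does nothing otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_combined "$RENEWED_LINEAGE/privkey.pem" \
        "$RENEWED_LINEAGE/fullchain.pem" /etc/postfix/tls/combined.pem
fi
```

With Postfix 3.4+ point smtpd_tls_chain_files at the destination; on 3.1.x the same file can serve as smtpd_tls_cert_file (the key file parameter defaults to it), though it is then opened twice and the atomicity guarantee is lost.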

Re: Specifying certificates in master.cf

Olivier Nicole-2
In reply to this post by Viktor Dukhovni
Viktor Dukhovni <[hidden email]> writes:

>> On Oct 1, 2019, at 12:39 PM, linkcheck <[hidden email]> wrote:
>>
>> Letsencrypt supplies 2 files. I don't think it combines them inso a single
>> one, though I may be wrong. I know it's possible to combine them on the
>> server but the auto-update of the cert then becomes complicated.
>
> That's mostly OK.  You can use two files if you wish, there's a tiny
> chance of a Postfix SMTP server reading a mismatched pair of key and
> cert during a rollover, if you're changing both the cert and the key.
>
> This can be avoided by staging a single file with both, which is
> verified to have a matching key and cert before it atomically
> replaces the live Postfix key + cert file.

But why let Let's Encrypt generate your key file?

Generate your own key file, so you can be sure that the private key has
never been seen by anybody.

Generate your CSR and use that CSR to have it signed by Let's Encrypt.

That way, you only get one certificate file to install, no risk of an
atomic race gap.

The key and CSR can be reused as much as you like; they don't expire
unless you want them to, so it is 10 minutes well used.

Possibly (I'd have to check, but I haven't yet faced the case since I use
Let's Encrypt) the intermediate CA could change, but in that case having
your own key or a key provided by Let's Encrypt would not change anything
about the problem: you'd have to reinstall the new intermediate CA, with a
possible race condition in the meantime.

Best regards,

Olivier
--

Re: Specifying certificates in master.cf

Thilo Molitor
Letsencrypt *never* generates keys for you.

He talked about the letsencrypt client he uses, which generates a key locally, submits a CSR to letsencrypt and provides 2 files (the generated key and the obtained certificate) afterwards.

On 2 October 2019 at 04:25:44 MESZ, Olivier <[hidden email]> wrote: