-- Leo's gemini proxy

-- Connecting to bbs.geminispace.org:1965...


Do short-lived certificates (with the same key) break TOFU in gemini?


I am thinking about creating a gemini page for myself, in addition to the existing web page. I want to use the same TLS certificate for both sites. The possible problem is that the certificate for the web PKI changes every few months (but the key does not change under my setup). Will this break TOFU for gemini clients? Thanks!


🛞 wsb

2023-11-26 · 6 months ago


4 Comments ↓


๐Ÿ•น๏ธ skyjake [...] ยท Nov 26 at 16:21:

Some clients will trust certificates based on the public key fingerprint, for example Lagrange does so.


This is up to the client to decide, however. The specification does not mandate any specific behavior. So, switching certificates while keeping the key will cause a significant number of clients to not trust your capsule.


🛞 wsb [OP] · Nov 26 at 22:55:

Thanks skyjake for the reply (and for Lagrange, by which I post this)! Well, I guess it's over for sharing the TLS certificate.


👤 AnoikisNomads · Nov 28 at 20:07:

I use amfora as a gemini browser on my computer and yes, short-lived certificates break trust. This renders the whole certificate thing mostly useless. I've created a self-signed cert on my gemini capsule that'll expire in 100 years; that'll do.
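
The two client behaviours described above by skyjake (pinning the public key) and AnoikisNomads (pinning the certificate, which short-lived certificates break), as an added example that is not part of this thread and is not the code of Lagrange, amfora or any other Gemini client. It is a toy TOFU store in Go (the language amfora is written in) that can pin either the whole certificate or only the SubjectPublicKeyInfo, run against the OP's setup: one long-lived key, certificate reissued every few months. The names TOFUStore, Rotate, IssueCert, the host example.capsule and the 90-day validity are assumptions of the example; the Gemini specification mandates neither policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

type PinMode int

const (
	PinCertificate PinMode = iota // whole DER certificate: changes on every reissue
	PinPublicKey                  // SubjectPublicKeyInfo only: stable while the key is kept
)

// Fingerprint returns the hex SHA-256 that a client in the given mode pins.
func Fingerprint(mode PinMode, c *x509.Certificate) string {
	data := c.Raw
	if mode == PinPublicKey {
		data = c.RawSubjectPublicKeyInfo
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// TOFUStore models a client's known-hosts file: host -> pinned fingerprint (assumed name).
type TOFUStore struct {
	Mode PinMode
	Pins map[string]string
}

// Check implements trust-on-first-use: an unknown host is pinned and accepted;
// a known host is accepted only if the presented certificate matches the pin.
func (s *TOFUStore) Check(host string, c *x509.Certificate) bool {
	fp := Fingerprint(s.Mode, c)
	if pinned, seen := s.Pins[host]; seen {
		return pinned == fp
	}
	s.Pins[host] = fp
	return true
}

// must turns an error into a panic: this is demo code, so any failure is a bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// IssueCert makes a self-signed certificate for host from key; validFor of 100 years gives the long-lived cert from the thread.
func IssueCert(key *ecdsa.PrivateKey, host string, serial int64, notBefore time.Time, validFor time.Duration) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validFor),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

type Outcome struct {
	CertFingerprintChanged bool // whole-certificate fingerprint differs after reissue
	SPKIFingerprintSame    bool // public-key fingerprint is unchanged after reissue
	CertPinAcceptsRenewed  bool // cert-pinning client still trusts the renewed certificate
	KeyPinAcceptsRenewed   bool // key-pinning client still trusts the renewed certificate
	KeyPinAcceptsOtherKey  bool // key-pinning client trusts a certificate for a different key
}

// Rotate issues a 90-day cert, renews it from the same key, adds a cert for a different key, and runs both client models.
func Rotate(host string) Outcome {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	otherKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t0 := time.Date(2023, 11, 26, 0, 0, 0, 0, time.UTC)
	ninetyDays := 90 * 24 * time.Hour
	first := IssueCert(key, host, 1, t0, ninetyDays)
	renewed := IssueCert(key, host, 2, t0.Add(60*24*time.Hour), ninetyDays) // same key, new cert
	other := IssueCert(otherKey, host, 3, t0, ninetyDays)                    // different key
	certPin := &TOFUStore{Mode: PinCertificate, Pins: map[string]string{}}
	keyPin := &TOFUStore{Mode: PinPublicKey, Pins: map[string]string{}}
	certPin.Check(host, first) // first visit: both clients pin the capsule
	keyPin.Check(host, first)
	return Outcome{
		CertFingerprintChanged: Fingerprint(PinCertificate, first) != Fingerprint(PinCertificate, renewed),
		SPKIFingerprintSame:    Fingerprint(PinPublicKey, first) == Fingerprint(PinPublicKey, renewed),
		CertPinAcceptsRenewed:  certPin.Check(host, renewed),
		KeyPinAcceptsRenewed:   keyPin.Check(host, renewed),
		KeyPinAcceptsOtherKey:  keyPin.Check(host, other),
	}
}

func main() {
	fmt.Printf("%+v\n", Rotate("example.capsule"))
}
```

Running it shows the split the thread describes: the certificate fingerprint changes on reissue, so a certificate-pinning client stops trusting the capsule, while the SPKI fingerprint is unchanged, so a key-pinning client keeps trusting it and still rejects a certificate for some other key. The trade-off a practitioner should keep in mind is that whichever fingerprint a client pins, the key is the real identity: reusing one key for many years (or the 100-year self-signed certificate mentioned above) means that if the key is ever compromised there is no natural rotation point, and every client that pinned it has to be re-trusted by hand.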


🛞 wsb [OP] · Nov 28 at 21:41:

Thanks for the info!


-- Page fetched on Sun May 19 12:49:51 2024