If you are running DNSCrypt infrastructure and using Yecheng Fu’s dnscrypt-wrapper then this means that at some point you generated a certificate, which is valid for 365 days. If the expiry date is coming soon, you need to regenerate it. In order to do it as easy for the users you need to:

  • retain the provider key pair is as it is – don’t touch it!
  • create a brand new crypt key pair to regenerate the certificate
  • have users restart the client proxy software

Let’s regenerate the certs


  • I kept my keys in /etc/dnscrypt/keys
  • I didn’t change the provider and crypt key pairs, so they are: provider_secret.key, provider_public.key, crypt_secret.key and crypt_public.key

Here’s how I’ve done that today for DNSCrypt Poland.
# cd /etc/dnscrypt
# cp -Rp keys keys.backup-`date +%F`
# cd keys
# dnscrypt-wrapper --gen-crypt-keypair
# dnscrypt-wrapper --crypt-secretkey-file crypt_secret.key --crypt-publickey-file=crypt_public.key \
--provider-publickey-file=public.key --provider-secretkey-file=secret.key --gen-cert-file > cert.txt

Et voilà! You have a backup, the provider keys are retained, the crypt keys are recreated, the certificate is brand new and in the cert.txt file you will have your certificate in DNS TXT format.

All that remains to add the certificate to DNS TXT record, restart your dnscrypt-wrapper and have your users restart client software. You can also do it outside of business hours. Alternatively, because dnscrypt-proxy does hourly polls for the certificate, it will come up without restarting at exact 60-minute intervals from the start. This came up during testing of renewal of our certificates which you can read about in the service announcement.

If you like this or you have any comments, please let me know in comments below or on twitter.