please let me reuse a key during cert renewal #3788
Comments
There is already a flag |
The CLI entry for
The |
@dkg send us a pull request! |
There's also a technical use case for this (be it I think |
I agree with @thomaszbz. |
Unless I am much mistaken, users of HPKP (HTTP Public Key Pinning) would also greatly benefit from With HPKP, in order to migrate from one public key to another, it is necessary to adapt the server's secondary This is definitely not something you would want to do every three months. |
Yes indeed, but HPKP is dying and DNSSEC/DANE is what people should be focusing on. ;) |
I second --reuse-key for DNSSEC/DANE usage, especially if you could make it stick so that, when running a general "renew", the certificates that were created with --reuse-key will be renewed with the same option set (as "renew" promises to do anyway). So it needs to be an option for the "run" and "certonly" subcommands as well, and not just for "renew"; in these cases, --reuse-key would create the key as usual, but would mark the certificate so that the key will not be changed during future renewals. |
Thinking again, if you want to support DANE, you also need to implement another piece of the picture. You have to be able to rollover the private key every now and then! And at the same time, you have to generate the new key without making it go live immediately, because, once you create the new key, you need to extract the TLSA record, put it into the DNS and let it propagate, before being able to use it. So what I would propose is this: for certificates created with the |
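Since the DANE argument in this thread rests on the TLSA record being a hash of the public key, here is an added example (not certbot's code and not from anyone in the thread) that computes a DANE-EE "3 1 1" record from a certificate and shows it stays identical across renewals only when the private key is reused, plus the record for a key staged ahead of a rollover. It assumes the openssl CLI is installed; all keys and self-signed certificates are throwaways generated in place of real issuances.

```shell
# Added example, not certbot's code. Assumes the openssl CLI is available.
# DANE-EE "3 1 1" = SHA-256 over the certificate's DER SubjectPublicKeyInfo,
# so the record depends only on the key pair, not on the certificate itself.
set -eu

# Print the TLSA 3 1 1 rdata for the PEM certificate given as $1.
tlsa_311() {
    digest=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1)
    echo "3 1 1 $digest"
}

# Issue a throwaway self-signed cert for name $1 with private key $2 into $3.
# Stands in for a CA issuance; only the SubjectPublicKeyInfo matters here.
issue_cert() {
    openssl req -x509 -new -key "$2" -subj "/CN=$1" -days 30 -out "$3" 2>/dev/null
}

# Build the scenario from the thread in a temp dir and print its path:
#   cert-initial.pem          first issuance with key1
#   cert-renewed-reuse.pem    renewal that kept key1 (what --reuse-key would do)
#   cert-renewed-newkey.pem   default renewal that generated key2
#   key-staged.pem            a future key, generated ahead of a planned rollover
setup_demo() {
    dir=$(mktemp -d)
    for k in key1 key2 key-staged; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$dir/$k.pem" 2>/dev/null
    done
    issue_cert example.test "$dir/key1.pem" "$dir/cert-initial.pem"
    issue_cert example.test "$dir/key1.pem" "$dir/cert-renewed-reuse.pem"
    issue_cert example.test "$dir/key2.pem" "$dir/cert-renewed-newkey.pem"
    echo "$dir"
}

# TLSA rdata for a key that is not yet in any certificate: publish this next to
# the current record, wait for DNS propagation, then switch the server to it.
tlsa_311_for_key() {
    digest=$(openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1)
    echo "3 1 1 $digest"
}

d=$(setup_demo)
echo "initial:        $(tlsa_311 "$d/cert-initial.pem")"
echo "renew, reuse:   $(tlsa_311 "$d/cert-renewed-reuse.pem")"   # identical
echo "renew, new key: $(tlsa_311 "$d/cert-renewed-newkey.pem")"  # changed: DANE breaks
echo "staged key:     $(tlsa_311_for_key "$d/key-staged.pem")"   # pre-publish before use
rm -rf "$d"
```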
This allows users to reuse the private key used for signing a cert (--reuse-key option) or specify their own private key to use for signing (--key-path option).
Willem Toroop points out to me that with a static key and CSR, this is easy to do in a one-shot way with:
however, this doesn't come with all the nice timing/analysis that you get from |
I have a cert that needs to keep the same public key over a couple years at least.
I like the short cert lifetimes, I just want to renew with the same public key.
But certbot automatically generates a new key at each renewal event. Please give "certbot renew" the option of re-using the existing key.