Let's Encrypt with existing key pair

Discussion in 'Installation/Configuration' started by skriptura, Nov 28, 2016.

  1. skriptura

    skriptura New Member

    Hi!
    Currently, our server runs numerous websites using commercial TLS certificates, which are going to expire within the next months and years. We would like to replace these certs with Let's Encrypt certificates while preserving the key pair in order not to break HPKP. What is the best way to switch to LE within these constraints? As a side note, all these websites were created before the upgrade to 3.1, so they're (presumably) still using the old vhost template.
    Thanks in advance!
     
  2. NdK

    NdK Member

  3. skriptura

    skriptura New Member

    True, (temporarily) pinning the Let's Encrypt root might be an option. However, I'd prefer not to do that permanently, since pinning anything but the leaf certificate kind of defeats the purpose of HPKP, IMO. Then the next question would be: Can I influence certbot's/ISPConfig's behavior such that it will not generate a new key on each cert renewal, but use the existing key (for example by adding an option to /etc/letsencrypt/cli.ini or some ISPConfig conf file)?
     
  4. NdK

    NdK Member

    I don't think so -- at least I couldn't find any option to explicitly do it. Probably certbot generates new keypairs at every renewal for security reasons.
    You could try using --csr to use an existing CSR (reusing the keypair at least for the first LE cert), but you'll have to do some scripting in the post-renew hook because filenames have a prepended integer...
     
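As an added example (not code from the thread or from certbot/ISPConfig), the POSIX shell snippet below uses the openssl CLI to derive the HPKP pin-sha256 from the existing private key and from any certificate, compares the two, and builds the CSR that certbot's --csr mode consumes; the hostname and file paths are placeholders, and the openssl binary is assumed to be on PATH.

```shell
#!/bin/sh
# HPKP pins are base64(SHA-256(DER SubjectPublicKeyInfo)), so a certificate
# issued from a CSR over the existing key keeps the same pin. These helpers
# let you confirm that before deploying a new Let's Encrypt certificate.
set -eu

# Print the DER-encoded SubjectPublicKeyInfo of a PEM private key or cert.
spki_der() {
  case "$1" in
    key)  openssl pkey -in "$2" -pubout -outform DER ;;
    cert) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    csr)  openssl req -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    *)    echo "usage: spki_der key|cert|csr FILE" >&2; return 2 ;;
  esac
}

# HPKP pin-sha256 value for a key, certificate or CSR.
spki_pin() {
  spki_der "$1" "$2" | openssl dgst -sha256 -binary | openssl base64
}

# Succeeds only when the certificate's pin equals the key's pin.
pin_matches() {
  [ "$(spki_pin key "$1")" = "$(spki_pin cert "$2")" ]
}

# CSR over the existing key, for: certbot certonly --csr FILE ...
# (certbot then writes the issued cert with a numeric prefix, as noted above;
# hostname here is a placeholder).
make_csr() {
  openssl req -new -key "$1" -subj "/CN=$2" -out "$3"
}
```

Run `pin_matches old.key new.crt` on the freshly issued certificate and only swap it into the vhost when it succeeds.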
