> On 01.09.2018 at 18:00, Leon Fauster via CentOS <centos at centos.org> wrote:
>
> Out of curiosity - do you change also the private key every time?

I'm pretty sure LE creates a new private key, too. From a cursory glance at lego's certificate directory on a server with a couple of dozens of LE certificates at least.

After all, changing the private key is what this is all about (showing that you're still in charge).
On 9/1/18 1:12 PM, Rainer Duffner wrote:
>
>> On 01.09.2018 at 18:00, Leon Fauster via CentOS <centos at centos.org> wrote:
>>
>> Out of curiosity - do you change also the private key every time?
>
> I'm pretty sure LE creates a new private key, too.

I just checked on my box and confirm that yes, with every renewal of the certificate a new key is created. I should have realized that fact even before looking, as it is an asymmetric encryption pair, thus the new pair cert+key is generated (and the cert [request] gets signed).

Valeri

> From a cursory glance at lego's certificate directory on a server with a couple of dozens of LE certificates at least.
>
> After all, changing the private key is what this is all about (showing that you're still in charge).
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On 01.09.2018 at 20:27, Valeri Galtsev wrote:
> I just checked on my box and confirm that yes, with every renewal of the
> certificate a new key is created. I should have realized that fact even before
> looking, as it is an asymmetric encryption pair, thus the new pair cert+key
> is generated (and the cert [request] gets signed).
>
> Valeri

You are commenting on a specific ACME helper tool to create LE certificates? On my side the key stays the same. And as long as it is not compromised there is no need to change it.

Alexander
On 01.09.2018 20:12, Rainer Duffner wrote:
>
>> On 01.09.2018 at 18:00, Leon Fauster via CentOS <centos at centos.org> wrote:
>>
>> Out of curiosity - do you change also the private key every time?

When renewing a certificate the private key should also be changed; otherwise the renewal because of the short validity period doesn't make sense ...

> I'm pretty sure LE creates a new private key, too.

Depends on the implementation.
On September 2, 2018 1:12:58 AM GMT+07:00, Rainer Duffner <rainer at ultra-secure.de> wrote:
> I'm pretty sure LE creates a new private key, too.
> From a cursory glance at lego's certificate directory on a server with
> a couple of dozens of LE certificates at least.
>
> After all, changing the private key is what this is all about (showing
> that you're still in charge).

It doesn't hurt when the process is automated anyway, but it's by no means necessary. The limited validity period limits how long an attacker can abuse the cert should they get hold of it. However, if you have no reason to suspect a compromise, it's by no means necessary. It doesn't improve security (if you've been hacked in a way you don't notice, it's highly likely the new key would leave your system the same way the previous one did) and it's just one more thing that can go wrong if you do so manually.

Cheers,
Matthias
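As the thread shows, whether a renewal rotates the private key depends on the ACME client. The following is an added example, not code from the thread or from any ACME tool, for checking this on your own box: it compares the SubjectPublicKeyInfo (SPKI) fingerprint of the old and new certificate and, optionally, matches the key file on disk to its certificate. It assumes the openssl CLI is installed; the certificate and key paths are hypothetical, since lego and certbot lay out their directories differently.

```shell
#!/bin/sh
# Added example: detect whether a certificate renewal kept or rotated the private key.
# Assumes the openssl CLI; file paths are hypothetical placeholders.
set -eu

# SHA-256 fingerprint of the DER-encoded SPKI (public key) inside a PEM certificate
spki_of_cert() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Same fingerprint derived from a PEM private key, to match a key file to its certificate
spki_of_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Prints "reused" when both certificates carry the same public key, "rotated" otherwise
key_rotation_status() {
    if [ "$(spki_of_cert "$1")" = "$(spki_of_cert "$2")" ]; then echo reused; else echo rotated; fi
}

# Constructed sample data (not real LE certificates): c1 and c2 share key k1, c3 uses fresh key k3
make_samples() {
    dir=$(mktemp -d)
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$dir/k1.pem" -out "$dir/c1.pem" -days 1 -subj /CN=example.test >/dev/null 2>&1
    openssl req -x509 -new -key "$dir/k1.pem" -out "$dir/c2.pem" -days 1 -subj /CN=example.test >/dev/null 2>&1
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$dir/k3.pem" -out "$dir/c3.pem" -days 1 -subj /CN=example.test >/dev/null 2>&1
    echo "$dir"
}

# Usage on real files: key_rotation_status /path/to/old-cert.pem /path/to/new-cert.pem
d=$(make_samples)
echo "c1 -> c2: $(key_rotation_status "$d/c1.pem" "$d/c2.pem")"   # reused
echo "c1 -> c3: $(key_rotation_status "$d/c1.pem" "$d/c3.pem")"   # rotated
```

Run it against the previous and current certificate your client wrote; "reused" after a renewal means the client kept the key, which is what Alexander observes and what the CA cannot tell you by itself.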