Hacker News

kuschku, yesterday at 8:42 AM (1 reply)

No? With Let's Encrypt the certificate is rotated, but the private key remains the same, and importantly, Let's Encrypt never gets to see it, and anything is logged.


Replies

woodruffw, yesterday at 4:04 PM

I said “typically” because Let’s Encrypt doesn’t control key rotation: the issuance-managing client (like Certbot) does.

But AFAICT, Certbot has rotated private keys automatically on reissuance since at least 2016[1]. There’s no reason not to in a fully automated scheme. I would expect all of the other major issuing clients to do the same.

[1]: https://community.letsencrypt.org/t/do-new-private-keys-get-...
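Whether a given ACME client actually issues a fresh key pair on each renewal is something you can verify locally rather than take on trust: compare the public key embedded in the old certificate with the one in the renewed certificate. The script below is an added example for this thread, not code from Let's Encrypt, Certbot or either commenter; it assumes only that the `openssl` command-line tool is installed, and it builds its own throwaway self-signed certificates (one renewal with a new key, one that reused the old key) so it runs offline. In practice you would point `key_rotated` at two consecutive certificate versions your client keeps on disk.

```shell
#!/bin/sh
# Added example, not from the thread: detect whether a renewed certificate
# was issued for a fresh key pair or reuses the previous key, by comparing
# SHA-256 fingerprints of each certificate's public key.
# Assumption: the openssl command-line tool is installed.
set -e

# SHA-256 fingerprint of the public key (DER SubjectPublicKeyInfo) inside a certificate.
pubkey_fp() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 \
      | awk '{print $NF}'
}

# Exit status 0 when the two certificates carry different public keys
# (the key was rotated), 1 when they share one (the key was reused).
key_rotated() {
    old_fp=$(pubkey_fp "$1")
    new_fp=$(pubkey_fp "$2")
    [ "$old_fp" != "$new_fp" ]
}

# --- Demo on constructed self-signed certificates (stand-ins for ACME-issued ones) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

new_key()   { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }
self_sign() { openssl req -new -x509 -key "$1" -out "$2" -days 1 -subj "/CN=example.test" 2>/dev/null; }

new_key "$DEMO_DIR/key_v1.pem"; self_sign "$DEMO_DIR/key_v1.pem" "$DEMO_DIR/cert_v1.pem"
new_key "$DEMO_DIR/key_v2.pem"; self_sign "$DEMO_DIR/key_v2.pem" "$DEMO_DIR/cert_v2_newkey.pem"
# A "renewal" that kept the old private key: same key, new certificate.
self_sign "$DEMO_DIR/key_v1.pem" "$DEMO_DIR/cert_v2_samekey.pem"

if key_rotated "$DEMO_DIR/cert_v1.pem" "$DEMO_DIR/cert_v2_newkey.pem"; then
    echo "cert_v1 -> cert_v2_newkey: key rotated"
fi
if ! key_rotated "$DEMO_DIR/cert_v1.pem" "$DEMO_DIR/cert_v2_samekey.pem"; then
    echo "cert_v1 -> cert_v2_samekey: key REUSED, check the client's renewal settings"
fi
```

Comparing public-key fingerprints rather than certificate serials or expiry dates is the point: a renewal always produces a new certificate, so only the key material tells you whether rotation happened. The same check works for RSA or ECDSA keys, since it hashes whatever SubjectPublicKeyInfo the certificate carries.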