
I am currently using certificates from StartCom for my hosted virtual server. Since StartCom's OCSP servers are quite unstable at times, I was considering moving to Let's Encrypt. Their service is also less troublesome to use.

As far as I found out, the Let's Encrypt certbot creates new key pairs when I request a new certificate, at least the first time it is used.

Since my server sends the HPKP header, I can't just replace the key pair: I configured it to pin the public key.

Now my question is, can I tell the Let's Encrypt certbot to use a given key for the new certificates? Or is there another solution for switching to Let's Encrypt with HPKP?

Update: I just found a post on the Let's Encrypt community forum which says that it is currently not supported by the Let's Encrypt client as of November 2015: https://community.letsencrypt.org/t/hpkp-best-practices-if-you-choose-to-implement/4625 The only option right now is to pin the intermediate public key, with a backup key for use with a different CA.

If someone knows some more recent news or has a different idea, I am happy to hear.

HBruijn
comfreak

1 Answer


After reading some more, I found out that the great Scott Helme already has a tutorial on exactly my problem.

Basically, using a different ACME client called acme-tiny, you can request a certificate with your own key and signing request.

Here is the link to the tutorial: https://scotthelme.co.uk/setting-up-le/

comfreak
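As an added example (not code from the original post, from Scott Helme's tutorial, or from acme-tiny), the shell snippet below shows the key-reuse step that makes the HPKP migration work. It keeps an existing private key (generated here as a throwaway stand-in for the key that is already pinned), builds the CSR from that key, and checks that the SPKI pin of the CSR's public key equals the pin already published in the Public-Key-Pins header. The same pin function applied to a certificate covers the intermediate-pinning option mentioned in the question. The domain example.com, the file names and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: reuse an already pinned key for a Let's Encrypt CSR and
# verify the CSR carries that key before handing it to an ACME client.
set -eu

# SPKI SHA-256 pin, base64 encoded: the value that goes into
# Public-Key-Pins: pin-sha256="..."  (computed from a private key file)
spki_pin_from_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
      | openssl dgst -sha256 -binary | openssl base64 -A
}

# The same pin computed from the public key embedded in a CSR
spki_pin_from_csr() {
    openssl req -in "$1" -pubkey -noout 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null \
      | openssl dgst -sha256 -binary | openssl base64 -A
}

# The same pin computed from a certificate, e.g. an intermediate CA cert,
# which is what you pin when you cannot control the leaf key
spki_pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null \
      | openssl dgst -sha256 -binary | openssl base64 -A
}

# Build a CSR for domain $2 from the EXISTING key $1 (note: -key, not
# -newkey, so no fresh key pair is generated), writing it to $3
make_csr() {
    openssl req -new -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null
}

# Succeeds only when the CSR really carries the pinned key $2
csr_matches_pin() {
    [ "$(spki_pin_from_csr "$1")" = "$2" ]
}

# Demo: the key is generated here as a stand-in; in practice $key is the
# key your HPKP header already pins and you would never regenerate it.
demo() {
    demo_dir=$(mktemp -d)
    key="$demo_dir/server.key"
    csr="$demo_dir/server.csr"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$key" 2>/dev/null
    pinned=$(spki_pin_from_key "$key")   # the value already in the header
    make_csr "$key" example.com "$csr"   # example.com is an assumed domain
    if csr_matches_pin "$csr" "$pinned"; then
        echo "CSR carries the pinned key: pin-sha256=\"$pinned\""
        rm -rf "$demo_dir"
        return 0
    fi
    echo "CSR key does not match the pinned key; do not submit it" >&2
    rm -rf "$demo_dir"
    return 1
}
```

The CSR is the only thing the ACME client needs (acme-tiny's README documents the call as `python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt`), so the pinned private key never leaves the server and never changes. The check is worth running before every renewal: a CSR accidentally built with `openssl req -newkey` carries a fresh key and, once deployed, locks out every browser still holding the old pin for the remainder of max-age.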