Hi Michael,

On Wed, Nov 27, 2024, 15:59 Michael Richardson <mcr+i...@sandelman.ca> wrote:
> I'm unclear from reading 8555 if this key is retained across orders
> (like a renewal 60 days later), or if a new key is generated each time.
> Is the newAccount key always the same key as the CSR key?

The account key is almost never the same as the CSR key -- they serve different purposes and have different security properties, so the same key should not be used for both. In fact, Let's Encrypt rejects CSRs which contain a pubkey that is also in use as an account key.

> my /etc/letsencrypt/keys has 138 key files, which appear to be from each
> time certbot has run and done something (since 2018ish). They seem to be the
> private keys associated with the certificates that were issued.

The /etc/letsencrypt/keys directory is just a backup of every certificate keypair that certbot has used. It does not contain account keys, only certificate keys. It has so many because certbot implements a good best practice of rotating the certificate keypair every time it requests a new certificate.

> I think that in effect, due to the newAccount and way in which JWS are used
> for authentication, that every single ACME transaction **already** does
> PoP for the private key involved.

So in short, no: possession of the account key is of course proved, but possession of the certificate key is not.

Aaron
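The two keys discussed in the reply above, shown side by side in an added example (this is not code from the thread, certbot or Let's Encrypt): an ACME request is a JWS whose protected header names the account (`kid`), the server nonce and the request URL, signed with the account key; the CSR sent at finalize is signed with a separate, freshly generated certificate key. The last function reimplements, in simplified form, the policy the reply mentions (a CSR carrying the account public key is refused). The account URL, nonce, URL and domain are constructed placeholder values, and the ES256 JWS encoding follows RFC 7515/8555 using only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

var b64 = base64.RawURLEncoding

// acmeJWS is the flattened JWS serialization ACME requests use (RFC 8555 section 6.2).
type acmeJWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// signACMERequest builds a request the way an ACME client does: the protected
// header carries the account URL ("kid"), the server nonce and the target URL,
// and the signing input is signed with the ACCOUNT key (ES256). This per-request
// signature is the proof of possession of the account key the reply refers to.
func signACMERequest(accountKey *ecdsa.PrivateKey, kid, nonce, url string, payload []byte) ([]byte, error) {
	hdr, err := json.Marshal(map[string]string{"alg": "ES256", "kid": kid, "nonce": nonce, "url": url})
	if err != nil {
		return nil, err
	}
	protected := b64.EncodeToString(hdr)
	body := b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(protected + "." + body))
	r, s, err := ecdsa.Sign(rand.Reader, accountKey, digest[:])
	if err != nil {
		return nil, err
	}
	// JWS ES256 signatures are the raw R||S pair, each left-padded to 32 bytes.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return json.Marshal(acmeJWS{Protected: protected, Payload: body, Signature: b64.EncodeToString(sig)})
}

// verifyACMERequest is the server-side half: it re-derives the signing input and
// checks the signature against the public key registered for the account. A request
// signed with any other key, a certificate key included, fails here.
func verifyACMERequest(accountPub *ecdsa.PublicKey, jws []byte) ([]byte, error) {
	var msg acmeJWS
	if err := json.Unmarshal(jws, &msg); err != nil {
		return nil, err
	}
	sig, err := b64.DecodeString(msg.Signature)
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(msg.Protected + "." + msg.Payload))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(accountPub, digest[:], r, s) {
		return nil, errors.New("JWS signature does not verify with the account key")
	}
	return b64.DecodeString(msg.Payload)
}

// newCSR builds the finalize-step CSR with a CERTIFICATE key that is distinct from
// the account key; certbot generates a fresh one of these per issuance.
func newCSR(certKey *ecdsa.PrivateKey, domain string) ([]byte, error) {
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: domain}, DNSNames: []string{domain}}
	return x509.CreateCertificateRequest(rand.Reader, &tmpl, certKey)
}

// csrReusesAccountKey is a simplified version of the policy mentioned in the reply:
// a CSR whose public key equals the account's public key must be rejected.
func csrReusesAccountKey(csrDER []byte, accountPub *ecdsa.PublicKey) (bool, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return false, err
	}
	if err := csr.CheckSignature(); err != nil { // CSR must at least be internally consistent
		return false, err
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false, nil // non-EC CSR key cannot equal this EC account key
	}
	return pub.Equal(accountPub), nil
}

func main() {
	accountKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	certKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed values; a real client gets the account URL and nonce from the server.
	payload := []byte(`{"identifiers":[{"type":"dns","value":"example.com"}]}`)
	jws, _ := signACMERequest(accountKey, "https://acme.example/acct/1", "nonce-abc", "https://acme.example/new-order", payload)
	_, err := verifyACMERequest(&accountKey.PublicKey, jws)
	fmt.Println("request verifies with the account key:", err == nil)
	_, err = verifyACMERequest(&certKey.PublicKey, jws)
	fmt.Println("request checked against the certificate key:", err)
	csr, _ := newCSR(certKey, "example.com")
	reused, _ := csrReusesAccountKey(csr, &accountKey.PublicKey)
	fmt.Println("CSR reuses the account key (would be rejected):", reused)
}
```

Running it shows the JWS verifying only under the account key, and a CSR made with a separate certificate key passing the reuse check; swapping the account key into `newCSR` is the case the policy catches.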
_______________________________________________
Acme mailing list -- acme@ietf.org
To unsubscribe send an email to acme-le...@ietf.org