Certbot `--reuse-key` flag does not preserve public key

According to the documentation, it is possible to tell certbot to reuse the same private key that already exists in the current certificate. Thus I have been running the following command to renew certificates:

certbot renew
–rsa-key-size 4096
–no-self-upgrade
–dns-route53
–noninteractive
–reuse-key
–post-hook ‘systemctl reload nginx.service’

Nevertheless, the cert.pem is modified after this operation – when diffing it with its version before renewal. I would expect it not to change at all since the private key is being reused.

I need to reuse the same public key in order to avoid pinning issues with IOS, is there a way to actually preserve it?

2 Likes

Hi @sebashack

that’s

expected.

The cert.pem contains the CT log entry, informations about the intermediate certificate and a timestamp. And the signature -> new CT log entry + new timestamp -> new signature.

So the cert.pem is new. And the public key (part of cert.pem) is the same, these are two different things.

2 Likes

You can’t reuse a public “key” - only private keys can be reused.
Essentially if you reuse the public “key” you would have the exact same public cert (which can’t be modified nor renewed as that would alter it).

1 Like

I disagree with this. The public key and private key correspond to one another, so if the private key is reused, the public key is also reused. You can see this by looking at the public modulus in renewed certs that have reused their private keys. Although the certificate contents are different due to a new certificate serial number, new notBefore and notAfter dates, and a new CA signature, the public modulus (and exponent) will be the same.

1 Like

[we can all agree that your details are precise… but]

Given the level of understanding displayed, and the desired outcome contained, within the request:

I feel safe saying that my answer satisfies the curiosity at that level.

But your answer is just not correct.

Thank you all for your quick and precise answers, this was really helpful for me and my team to dissipate some concerns about how we are handling certificates.

Really?
Did you hear the question?

Yes. A valid answer would be something about the signing of the certificate with modified not before and not after dates ending up in a totally different file, even when using the same public key. Claiming a public key can’t be reused, even when using “quotes”, it’s just not correct. Blatantly lying in an attempt to answer a question just isn’t going to help anyone.

OK.
Then maybe getting the user to “clarify” the question instead of just assuming what they really wanted to know may be an improvement. And future readers can be better informed and educated as well…
[But I certainly don’t feel like a blatant liar, when answering the question as I did.]

I child asks ‘Where does Santa live?’ and you tell them 'In the north pole…"
Is that a ‘blatant lie’? Or is it ‘more’ or ‘less’ or just ‘something else’ altogether?
[Considering you’ve never been to the North Pole, and you may have never actually met Santa…]

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.