According to the documentation, it is possible to tell certbot to reuse the same private key that already exists in the current certificate. Thus I have been running the following command to renew certificates:
Nevertheless, the cert.pem is modified after this operation – when diffing it with its version before renewal. I would expect it not to change at all since the private key is being reused.
I need to reuse the same public key in order to avoid pinning issues with IOS, is there a way to actually preserve it?
The cert.pem contains the CT log entry, informations about the intermediate certificate and a timestamp. And the signature -> new CT log entry + new timestamp -> new signature.
So the cert.pem is new. And the public key (part of cert.pem) is the same, these are two different things.
You can’t reuse a public “key” - only private keys can be reused.
Essentially if you reuse the public “key” you would have the exact same public cert (which can’t be modified nor renewed as that would alter it).
I disagree with this. The public key and private key correspond to one another, so if the private key is reused, the public key is also reused. You can see this by looking at the public modulus in renewed certs that have reused their private keys. Although the certificate contents are different due to a new certificate serial number, new notBefore and notAfter dates, and a new CA signature, the public modulus (and exponent) will be the same.
Thank you all for your quick and precise answers, this was really helpful for me and my team to dissipate some concerns about how we are handling certificates.
Yes. A valid answer would be something about the signing of the certificate with modified not before and not after dates ending up in a totally different file, even when using the same public key. Claiming a public key can’t be reused, even when using “quotes”, it’s just not correct. Blatantly lying in an attempt to answer a question just isn’t going to help anyone.
OK.
Then maybe getting the user to “clarify” the question instead of just assuming what they really wanted to know may be an improvement. And future readers can be better informed and educated as well…
[But I certainly don’t feel like a blatant liar, when answering the question as I did.]
I child asks ‘Where does Santa live?’ and you tell them 'In the north pole…"
Is that a ‘blatant lie’? Or is it ‘more’ or ‘less’ or just ‘something else’ altogether?
[Considering you’ve never been to the North Pole, and you may have never actually met Santa…]