I have a question about the renewal process of certbot/letsencrypt. Does it request a new certificate for the same private key, or does it generate a new private key every time?
I’m unclear on this from the user guide. It just says:
“During the renewal, /etc/letsencrypt/live is updated with the latest necessary files.”
“Note that options provided to certbot renew will apply to every certificate for which renewal is attempted; for example, certbot renew --rsa-key-size 4096 would try to replace every near-expiry certificate with an equivalent certificate using a 4096-bit RSA public key.”
which implies you can change the private key at renewal. The question is, does it always do so?
As an experiment, I tried “certbot --force-renewal”, and the shasums of privkey1.pem and privkey2.pem are different, so it appears to be generating a new key.
But since certbot can use an externally-generated CSR, presumably you could stick with the same private key if you wanted to. Is my understanding correct?
Aside: the reason I have for this question is for a slightly odd application of letsencrypt: for RADIUS servers with wireless authentication. I can set up a webserver for “wireless.mydomain.com”, get a private key + cert for it, and then push them out to my RADIUS servers. The underlying issue is: on renewal, do I need to push out a new private key and cert, or just the renewed cert?
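An added check (not part of the original post, and not certbot's own tooling) for the deploy question raised above: rather than comparing file checksums, which also differ when the same key is merely re-encoded, compare the public-key fingerprints of the renewed privkey.pem and the key already on the RADIUS host, and push only the certificate when they match. It assumes the openssl CLI is installed; the hypothetical helper names and the /etc/letsencrypt/live path are illustrative.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of certbot). Assumes the
# openssl CLI is available. Decides whether a renewal changed the key pair.
set -eu

# Print the SHA-256 fingerprint of the SubjectPublicKeyInfo (DER) carried by
# a PEM file. Works for private keys (privkey.pem) and certificates
# (cert.pem / fullchain.pem), so keys and certs are comparable directly.
pubkey_fingerprint() {
    file="$1"
    if grep -q 'BEGIN CERTIFICATE' "$file"; then
        openssl x509 -in "$file" -noout -pubkey
    else
        openssl pkey -in "$file" -pubout
    fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when both PEM files carry the same public key, 1 otherwise.
same_key() {
    [ "$(pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

# Deploy decision for one lineage: "cert-only" when the private key under
# the live directory still matches the copy already deployed on the RADIUS
# host, "key-and-cert" when the renewal produced a new key pair.
# live:         e.g. /etc/letsencrypt/live/wireless.mydomain.com (example path)
# deployed_key: the privkey.pem previously pushed to the RADIUS server
decide_push() {
    live="$1"
    deployed_key="$2"
    if same_key "$live/privkey.pem" "$deployed_key"; then
        echo "cert-only"
    else
        echo "key-and-cert"
    fi
}
```

Run from a certbot deploy hook, the same check also confirms that the renewed cert.pem actually matches privkey.pem before anything is pushed out.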