Does certbot have an option to encrypt pem files with passphrase?

I would prefer not to have my privkey.pem file stored in the clear.

When using certbot (certonly and standalone), is there an option to have the privkey.pem file be encrypted using a passphrase?

Certbot does not have that functionality. Maybe you could write a script to do that and call that script after issuance using --deploy-hook?

Note that services would need the password to the private key too. It's not very practical to have to manually enter the password for the certificate on every start of the service using the private key and having the password in a configuration file makes it quite useless: if an attacker has access to the private key, it would have root access to your server and thus would have access to said configuration file.

Also, if an attacker has access to the private key, i.e.: root access, I wouldn't worry about access to the non-encrypted private key. Your entire server would be compromised.

5 Likes
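As an added illustration of the `--deploy-hook` approach suggested above (this is not certbot's own code, nor a script from anyone in this thread), the following POSIX shell script writes an encrypted PKCS#8 copy of `privkey.pem` after each issuance or renewal. `RENEWED_LINEAGE` is the environment variable certbot really does set for deploy hooks; the passphrase-file path `/etc/letsencrypt/privkey-passphrase` and the output name `privkey.enc.pem` are assumptions of this example. Note the limitation the replies point out: certbot still needs the plaintext key for renewals, so the hook leaves `privkey.pem` in place, and any service that loads the encrypted copy must be able to read the passphrase file, which is root-only here and therefore protects nothing once root is lost.

```shell
#!/bin/sh
# Added example of a certbot --deploy-hook that produces an encrypted copy of the
# renewed private key. Register it with:
#   certbot certonly --standalone -d example.com --deploy-hook /usr/local/sbin/deploy-hook.sh
# Assumptions (not certbot defaults): passphrase lives in a root-only file,
# encrypted copy is written beside privkey.pem as privkey.enc.pem.
set -eu

# encrypt_privkey LINEAGE_DIR PASSPHRASE_FILE
# Writes LINEAGE_DIR/privkey.enc.pem (PKCS#8, AES-256-CBC) and prints its path.
encrypt_privkey() {
    lineage="$1"
    passfile="$2"
    src="$lineage/privkey.pem"
    dst="$lineage/privkey.enc.pem"

    [ -f "$src" ] || { echo "no privkey.pem in $lineage" >&2; return 1; }
    [ -f "$passfile" ] || { echo "passphrase file $passfile missing" >&2; return 1; }

    # umask 077 so the encrypted copy is created root-only, like privkey.pem.
    umask 077
    openssl pkcs8 -topk8 -v2 aes-256-cbc \
        -in "$src" -out "$dst" -passout "file:$passfile"
    echo "$dst"
}

# verify_privkey ENCRYPTED_KEY PASSPHRASE_FILE
# Succeeds only if the encrypted copy decrypts with the given passphrase.
verify_privkey() {
    openssl pkey -in "$1" -passin "file:$2" -noout
}

main() {
    passfile="${PASSPHRASE_FILE:-/etc/letsencrypt/privkey-passphrase}"
    enc=$(encrypt_privkey "$RENEWED_LINEAGE" "$passfile")
    verify_privkey "$enc" "$passfile"
    echo "encrypted private key written to $enc"
}

# certbot exports RENEWED_LINEAGE when it runs the hook; when the script is
# sourced or run by hand without it, nothing happens.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

The script deliberately keeps the plaintext `privkey.pem` untouched, because deleting or replacing it would break certbot's own renewal and any server already configured to read it; the encrypted copy is only useful to a service that can supply the passphrase at startup.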

... and that means the attacker can replace the private key with their own, perform http-01 validation, and disable PFS ciphersuites. A real mess.

4 Likes
