How do I replace my account key (private_key.json)?

I’ve been integrating and testing an automated renewal system for my website (I’m using Rails on Heroku, so getting certificates through Certbot is a messy certonly affair). To do that, I extracted the private_key.json file from a subdirectory of /etc/letsencrypt/accounts, converted it to PEM, and checked it in to my source repository.

I thought that when I did this, I put a passphrase on the PEM file so the repository alone couldn’t grant access to my Let’s Encrypt account. However, I later discovered that it somehow was not passphrased, and so my account’s private key is unprotected in my repository. Embarrassing, but it happens sometimes.

This is not an immediate disaster—as far as I know, my source code hasn’t leaked—but it does call for me to replace my account key with one that’s still secret just in case it leaks later. How do I do that? I can’t seem to find a command in Certbot or a feature on the Let’s Encrypt website that would perform this task.

Thanks!

(I’m using certbot 0.9.3 on macOS Sierra to manage the account. What I’m doing on the server probably isn’t relevant to this question, but there I’m using the acme-client gem version 0.3.7.)
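As an added example (not code from this thread, from Certbot or from the acme-client gem), the following Ruby does the conversion the first post describes, loading Certbot's private_key.json (a JSON Web Key with the standard RSA fields n, e, d, p, q, dp, dq, qi) into an OpenSSL RSA key, exporting it as a PEM protected by a passphrase, and then checking that the PEM really is protected, which is the check that would have caught the unprotected key before it was committed. It also generates a fresh key of the kind the replies suggest using for a new account. The sample key is generated on the fly and is not from any real account; the passphrase is a constructed placeholder.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Generate a fresh RSA account key (the "just use a new account key" option).
def generate_account_key(bits = 2048)
  OpenSSL::PKey::RSA.generate(bits)
end

# JWK fields are unpadded base64url big-endian integers.
def jwk_field_to_bn(str)
  OpenSSL::BN.new(Base64.urlsafe_decode64(str), 2)
end

def bn_to_jwk_field(bn)
  Base64.urlsafe_encode64(bn.to_s(2), padding: false)
end

# Build an RSA private key from a JWK hash via the PKCS#1 RSAPrivateKey
# ASN.1 structure (version 0, then n, e, d, p, q, dp, dq, qi). Going through
# DER rather than per-component setters works on OpenSSL 1.1 and 3.x alike.
def jwk_to_rsa(jwk)
  raise ArgumentError, 'not an RSA JWK' unless jwk['kty'] == 'RSA'
  ints = %w[n e d p q dp dq qi].map do |name|
    OpenSSL::ASN1::Integer(jwk_field_to_bn(jwk.fetch(name)))
  end
  seq = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(0)] + ints)
  OpenSSL::PKey::RSA.new(seq.to_der)
end

# Parse the contents of a private_key.json file (a JSON string) into a key.
def jwk_json_to_rsa(json_str)
  jwk_to_rsa(JSON.parse(json_str))
end

# Inverse of jwk_to_rsa; used here to build sample input from a generated key.
def rsa_to_jwk(key)
  {
    'kty' => 'RSA',
    'n' => bn_to_jwk_field(key.n),  'e' => bn_to_jwk_field(key.e),
    'd' => bn_to_jwk_field(key.d),  'p' => bn_to_jwk_field(key.p),
    'q' => bn_to_jwk_field(key.q),  'dp' => bn_to_jwk_field(key.dmp1),
    'dq' => bn_to_jwk_field(key.dmq1), 'qi' => bn_to_jwk_field(key.iqmp)
  }
end

# Export the key as a passphrase-protected PEM. An empty passphrase is
# rejected rather than silently producing an unprotected file.
def export_encrypted_pem(key, passphrase)
  raise ArgumentError, 'passphrase must not be empty' if passphrase.nil? || passphrase.empty?
  key.export(OpenSSL::Cipher.new('aes-256-cbc'), passphrase)
end

# Cheap header check: both the traditional "Proc-Type: 4,ENCRYPTED" header
# and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" banner contain this word.
def pem_encrypted?(pem)
  pem.include?('ENCRYPTED')
end

# Stronger check: the PEM must NOT load with a wrong passphrase and MUST load
# with the right one. An unprotected PEM loads with any passphrase, so it
# fails this check, which is exactly the mistake described in the post.
def verify_passphrase_protection(pem, passphrase)
  begin
    OpenSSL::PKey::RSA.new(pem, passphrase + '-wrong')
    return false
  rescue OpenSSL::OpenSSLError
    # expected: the wrong secret must not unlock the key
  end
  OpenSSL::PKey::RSA.new(pem, passphrase).private?
end

if __FILE__ == $PROGRAM_NAME
  key = generate_account_key
  pem = export_encrypted_pem(key, 'placeholder-passphrase')   # constructed value
  puts "protected: #{verify_passphrase_protection(pem, 'placeholder-passphrase')}"
end
```

Run the protection check against the PEM you intend to commit; if it returns false the file is unprotected and the key should be treated as exposed, which in this thread's terms means moving to a new account key.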

Is there any reason you can’t just use a new account key? That’s probably the easiest method.

ACME does allow you to change the account key (see https://tools.ietf.org/html/draft-ietf-acme-acme-04#page-29), however the acme-client you are using doesn’t support that, which is why my suggestion is to just change the key and create a new account.

Maybe. What happens if I do? Can the old account still issue certificates for those domains?

If that is a viable solution, how do I do it? Just re-register and re-authorize the domains?

The old account is "authorized" for some of those domains, so it can issue certificates without re-validating the domain. This period of time is currently 60 days (I believe the aim is to reduce that to 60 days). Assuming your account key hasn't already been compromised there is no issue with that though. If you thought it was, then you can deactivate those authorizations.

Essentially, yes. Simply use the new account key when it's time to renew a domain, and it will automatically validate it through the normal process.

Unless you have already agreed an exception to the rate-limits with Let's Encrypt for your account, then I can't think of any down-side to just changing it and using a new key from now on.
