How does Let's Encrypt create the private key?

This is not done by the LE client - it would not make sense anyway.
From the start of the VM on it collects entropy and when the LE cert is generated (so after the user entered the commands to start this and so on) this entropy is used by OpenSSL to generate the cert.

I think I should mention another thing here, because it’s clearly important to know if you want to answer the question how the LE client generates this cert:

The LE client regenerates the key pair every time it renewals the certificate.

That’s especially important to know if you want to use HPKP.

We have some code to eventually allow either behavior; there’s no intention to force people to change their keys if they don’t want to (although we don’t yet have a command-line flag to renew without changing private keys). It’s true that changing the key could break pinning, and that’s one reason people might not want to do it.


that is nice… >adding for at least 20 chars<

@schoen maybe one more step towards automation for HPKP would be to start with making it so that when you obtain and generate an ssl cert, key and files at /etc/letsencrypt/live/* you also generate an optional HPKP pin text file at say /etc/letsencrypt/live/ and all it contains is the the pin hash from the private key’s SPKI field. Folks then can script it themselves to whatever they need reading the /etc/letsencrypt/live/ contents to form their HPKP headers for their web servers ?

It’s what I am doing for my LEMP stack’s auto vhost SSL generation for self-signed SSL and probably what I’d do once I integrate Letsencrypt and webroot authentication into my stack :slight_smile:

1 Like

@eva2000, I agree something like that would be pretty useful. We’ve had some preliminary discussions about how to implement HPKP or to help people do it themselves; one idea is to have a mode where the installer actually modifies the server configuration to set the header (presumably this wouldn’t be a default because it’s so dangerous!), but indeed some people might just want to get the information about what the header would be, in the right format. Your approach is one good one; another idea is just to have a verb or option that prints this interactively (like show-hpkp-instructions or --show-hpkp-instructions or --pinning-instructions?)

Do you know if we have an existing GitHub issue about this? If not, maybe we can open one (like “HPKP assistance”).


@schoen ah yes you could generate text files separately for 3 formats

  • hashed pin only text file
  • apache formatted hashed pin header
  • nginx formatted hashed pin header

folks could pick which they need to use themselves - as HPKP is dangerous probably something end user wants to implement themselves. Having instructions / help could also serve to inform and outline what HPKP is and dangers and how to implement.

As to issue tracker closest is - probably needs a separate label of it’s own for HPKP for related issues ?

Maybe I should ask about this in the forum thread about HPKP, where it’s much more on-topic!

1 Like

yeah if you can move the posts :slight_smile:

Another aspect of “how LE creates the keys”… This time it’s about different keys, but it’s still good to know:

1 Like