This is not done by the LE client - it would not make sense anyway.
From the start of the VM on it collects entropy and when the LE cert is generated (so after the user entered the commands to start this and so on) this entropy is used by OpenSSL to generate the cert.
I think I should mention another thing here, because it's clearly important to know if you want to answer the question how the LE client generates this cert:
The LE client regenerates the key pair every time it renewals the certificate.
That's especially important to know if you want to use HPKP.
We have some code to eventually allow either behavior; there's no intention to force people to change their keys if they don't want to (although we don't yet have a command-line flag to renew without changing private keys). It's true that changing the key could break pinning, and that's one reason people might not want to do it.
3 Likes
that is niceā¦ >adding for at least 20 chars<
@schoen maybe one more step towards automation for HPKP would be to start with making it so that when you obtain and generate an ssl cert, key and files at /etc/letsencrypt/live/domain.com/* you also generate an optional HPKP pin text file at say /etc/letsencrypt/live/domain.com/hpkp.txt and all it contains is the the pin hash from the private key's SPKI field. Folks then can script it themselves to whatever they need reading the /etc/letsencrypt/live/domain.com/hpkp.txt contents to form their HPKP headers for their web servers ?
It's what I am doing for my LEMP stack's auto vhost SSL generation for self-signed SSL HTTP Public Key Pinning - HPKP for Centmin Mod Nginx SPDY / HTTP/2 and probably what I'd do once I integrate Letsencrypt and webroot authentication into my stack 
1 Like
@eva2000, I agree something like that would be pretty useful. Weāve had some preliminary discussions about how to implement HPKP or to help people do it themselves; one idea is to have a mode where the installer actually modifies the server configuration to set the header (presumably this wouldnāt be a default because itās so dangerous!), but indeed some people might just want to get the information about what the header would be, in the right format. Your approach is one good one; another idea is just to have a verb or option that prints this interactively (like show-hpkp-instructions or --show-hpkp-instructions or --pinning-instructions?)
Do you know if we have an existing GitHub issue about this? If not, maybe we can open one (like āHPKP assistanceā).
2 Likes
@schoen ah yes you could generate text files separately for 3 formats
- hashed pin only text file
- apache formatted hashed pin header
- nginx formatted hashed pin header
folks could pick which they need to use themselves - as HPKP is dangerous probably something end user wants to implement themselves. Having instructions / help could also serve to inform and outline what HPKP is and dangers and how to implement.
As to issue tracker closest is https://github.com/letsencrypt/letsencrypt/issues/729 - probably needs a separate label of itās own for HPKP for related issues ?
Maybe I should ask about this in the forum thread about HPKP, where it's much more on-topic!
1 Like
yeah if you can move the posts 
Another aspect of "how LE creates the keys"... This time it's about different keys, but it's still good to know:
1 Like