How to get certificates which were lost?


#1

Hello,

I wonder to know how it is possible to get account’s certificates if I have only account private key. I.e. assuming I have removed everything except account private key. Now I need to get my certificates back. Is it possible?

Sincerely,
Alexandr


#2

Hi @porunov

Since all Let’s Encrypt certificates are submitted to Certificate Transparency logs you can use the crt.sh front-end to find your certificate.

Start with a search for your domain name (e.g. for helloworld.letsencrypt.org). From there, click the crt.sh ID for one (e.g. the most recent helloworld). When viewing the cert details you can click the “Certificate:” label (right above “Data:”) and it will download the certificate as a .crt file containing the PEM encoding of the Certificate.

Hope that helps!


#3

If you only have the account private key, you lack the private key that goes with the certificate itself, and without that key the certificate is useless and you must start over. If you’ve only loss the actual certificate then @cpu has the solution for you.


#4

Agreed! I misread and thought you had the certificate private keys. With only the account private keys what I recommend will not work - you will be able to retreive the missing certificates but won’t be able to use them for anything without the corresponding private key. There isn’t a way to recover your certificate private keys with the account key.

Thanks for catching that @tialaramex!


#5

Thank you very much for help!

So, I can’t now revoke my certificates? Do you know any solution know how to revoke certificates or remove them or something like that?

Sincerely,
Alexandr


#6

I don’t think revocation is appropriate in this case unless you believe the private keys have been compromised by another party. If you’ve lost them and don’t suspect they are compromised I would just issue new certificates and allow the “lost” ones to expire naturally. Revocation adds load to our service and shouldn’t be used unless required.

With that said, on the server-side, since Boulder #2319 its possible to revoke an existing certificate by setting up valid authorizations for all of the contained domains using a new account key and then asking the server to revoke the existing certificate. Unfortunately I don’t think any ACME clients are exposing this functionality so it would be a complex endeavour to utilize it for your certificates.


#7

I don’t need a special client for that. If there is an API or something like that which allow us to get certificates by account private key or something like it would be enough. I can use “curl” or java’s libraries.


#8

There isn’t an API to “get certificates by account private key”. The support I mentioned was strictly for revoking a certificate by using “an account key that is authorized to act for all of the identifier(s) in the certificate.” You can read about this API in the ACME-04 draft, Section 6.6, “Certificate Revocation”.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.