Install Let's Encrypt with existing private key


Hello to everyone i want install letsencrypt on my test server, i have my public and private key which i want to use . The idea is that i can still from my test server connect to url of my real server where i have uploaded the public keys.I am using Apache2 for server and Haproxy for load balancing(both with SSL). What is the best way to achieve this ?


Hi @Dzoniii

please start with “Overview”:

Then select a client.


There are clients out there which re-use the private key used previously (certbot when used with the --reuse-key option and also, but from the top of my head I’m not familiar with clients which can import a key. Unless someone knows a client with such a feature, you should check the clients from the list @JuergenAuer provided and see if the client makes importing an existing private key possible. Or at least not very difficult.

I suspect certbot would need an issued certificate first to re-use the key. What could be a working option is:

  • install certbot (see
  • get a certificate issued with certbot without caring about the keys, just get it working. Use --staging for test certificates first
  • manually exchange the PEM formatted private key in /etc/letsencrypt/archive/name-of-your-certificate/privkey1.pem with your own PEM formatted private key
  • renew the certificate with certbot renew --reuse-key
  • check if the public key in the renewed certificate corresponds with your own public/private key

If the above checks out (with the --staging option for testing), you can remove the test certificate and do the above again, but without --staging to get a real working certificate.


Certbot can also use the --csr flag to specify a CSR, which effectively “imports” a key, however this flag also precludes most of Certbot’s certificate management options.

@Dzoniii, I’m not entirely sure I understand this requirement, though. Could you elaborate more on why you think you need to use this specific private key? You’ll still need to upload the signed certificate after it’s created anyway, so why not replace the private key as well?


I am thinking of this approach because i want to be able to access my server in my test machine.So if i reqeust a new CA i will be not able to access.


But you can use your certificate direct.

Does this

mean, that you have your public certificate (with your public key) and your private key from your webserver? If your webserver uses already a certificate, you can use this local.


I do have certificates, so it is not possible to use same certs in two servers


It is possible. Simple copy the certificate and the private key and use them local.


Thank you so much @ JuergenAuer


That last part is exactly the reason why I would never advise the --csr method, unless I really really really had a good reason to do so :wink:

In fact, I would even go as far as claiming using certbot with the --csr option is a mistake compaired with a similar feature on a “thin” bash client. certbot is a great client because of all the automated implementations with its plugins. With the --csr you’re practically using just 0.1 % of the features of certbot. You’d be better of using a less heavy client when you’d need the --csr option.


This is how I do it. It does not modify your server config, just gets the necessary cert.

I actually am planning to update it to regenerate private key whenever it is a new calendar year rather than when it is X days old.

You’ll need to edit the CSR generation part for your own needs (e.g. country, state, city, etc.). The script supports single cert for multiple domains. And it makes a cert that tells the browser to require OCSP stapling.