Live cert does not match with key

Hi,

I'm renewing a live cert for my domain using a key generated some time back

https://crt.sh/?q=wp.e115.com

After saving the cert, I used PHP openssl_x509_check_private_key() between the cert and key, however it returns false, i.e. the cert does not match with the key.

Any idea why this is happening?

1 Like

Hi @bilogic,

With most ACME clients, if you don't specifically tell them to reuse the same private key, they will always generate a new one for each renewal. For example, this is true for Certbot if you don't specifically supply the --reuse-key option.

1 Like

It's my own code, while I'm a #lowcode guy, the custom code is avoid a 1 hour per domain wait time due to my DNS provider's TTL because I'm using wildcard certs which requires DNS01.

Perhaps my question is, isn't the cert renewed based on my CSR (which is paired with my key)?
How is it that I end up with a cert that does not match the key?

PS I'm looking to see if I submitted a wrong CSR, but clarifying my understanding above will help alot.

Thank you.

1 Like

Yes, it is, Let's Encrypt does not get nor use the private key, but signs (a form of) the CSR.

Without looking at the core you're using, it's hard to say.

2 Likes

If your Let's Encrypt client does submit a (pre-existing) CSR, then yes, the private key should not change. But again, note that this isn't the default behavior of the great majority of Let's Encrypt clients, so unless you specifically selected a particular CSR and asked for a new certificate based on that, it probably wasn't re-used.

1 Like

Ok thanks. So my understanding of CSR, KEY and CERT seems correct. And I found the cause of my issue: the CSR did not match the KEY.

On to the next area of concern, my design was to reuse the CSR. Rationale was to avoid having to update the KEYs.

Is this bad practice?

2 Likes

It's totally fine from the certificate authority's point of view, but it may not match up well with the workflow expected by most client software, in which case you may end up finding it difficult or cumbersome. Most Let's Encrypt clients don't make it especially convenient to provide your own CSR at all.

1 Like

Hard to say without knowing a lot more about your environment and more... but likely not "bad".
But it can be said, in general, that changing keys is usually regarded better than not changing keys.
How much better? - this depends entirely on your security posture
Is it worth the effort? - this depends on the difficulty within your design/use and much on your own opinion

1 Like

The word bad was specifically chosen to surface things I don't know yet. :slight_smile:
Anyway, I kind of know how to take this forward. Thank you very much.

2 Likes

Probably not a problem if @bilogic is writing his/hers own client :wink:

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.