Meaning of the --key-path parameter


I requested a certificate with the --key-path parameter pointing to a key in /etc/ssl/private, thinking that I could use a long-lived key and public key pinning that way.

The certificate was issued, but for a newly generated key in /etc/letsencrypt/live. Oddly enough, the key I specified is referenced in a config file in /etc/letsencrypt/renewal.

Can I change the config in /etc/letsencrypt/renewal to reference the generated key and delete the one I initially intended to use, or would that be shooting myself in the foot?

Also, did I misunderstand what the --key-path parameter is used for?


Unfortunately, it looks like at this stage that “currently, --key-path can not be used to specify a private key for cert creation.”

There are some plans to implement it: see Allow cert creation with specified key #1491.

I’m not sure that you can change the configuration in the renewal file. Perhaps try it and see!