Prevent public key changing when renewing SSL certs


#1

Hi.

For my iOS and Android application I want to implement SSL pinning by a public key. But when the certs are renewed, the public key is also changed. Is it possible to prevent this behaviour?


#2

Yes, generally.

What client are you using (including the version)?


#3

That behaviour is client-specific. certbot currently does not have a way for you to instruct it to keep re-using the same key during renewal, though it is planned at some point, I believe. It does have an option to use a custom CSR for a certificate request via the --csr flag (which you could generate manually using openssl). However, this is not compatible with the renew subcommand, and you’d have to take care of managing the paths to your certificate files and such yourself as they wouldn’t be stored in the regular /etc/letsencrypt/live/example.com/cert.pem schema.

I would personally opt for a different client to avoid some of that complexity unless you’re in need of the automatic web server configuration feature certbot offers. You can find the list of clients here.

Personally, I would go with lego. The renew command supports a reuse-key flag.
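The mechanism described in the reply above, as an added example that is not code from the thread or from any ACME client: generate one private key, build a fresh CSR from that same key at every renewal (the file you would hand to certbot certonly --csr, or what lego's reuse-key option does internally), and verify that the SPKI pin the app would ship stays identical across renewals, while a fresh key per renewal moves it. It assumes the openssl CLI is installed; the scratch directory, file names, the domain example.com and the self-signed stand-in certificate are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or any ACME client. Shows key reuse across
# renewals and checks the SPKI pin. Assumes the openssl CLI; WORKDIR, the file
# names, example.com and the self-signed stand-in cert are constructed for the demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # hypothetical scratch dir

# SPKI SHA-256 pin, base64, of the public key carried by a private key, a CSR
# or a certificate. This is the value that goes into an iOS/Android pin set.
spki_pin() {
  case "$2" in
    key) openssl pkey -in "$1" -pubout -outform DER ;;
    csr) openssl req  -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    crt) openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    *)   echo "spki_pin: unknown kind '$2'" >&2; return 1 ;;
  esac | openssl dgst -sha256 -binary | openssl base64 | tr -d '\n'
}

# Generate the long-lived key exactly once. Renewals must never overwrite it.
ensure_key() {
  [ -s "$1" ] || openssl genrsa -out "$1" 2048 2>/dev/null
}

# Build a fresh CSR from the existing key. SANs go through a config file so
# this also works on OpenSSL releases that lack -addext. The resulting file is
# what you would pass to certbot certonly --csr (the flag the reply mentions).
make_csr() {
  cfg="$2.cnf"
  cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = $3
[san]
subjectAltName = DNS:$3, DNS:www.$3
EOF
  openssl req -new -key "$1" -config "$cfg" -out "$2"
}

# Stand-in for the CA: self-sign the CSR with its own key. A CA-issued
# certificate carries exactly the SPKI from the CSR, which is all pinning
# cares about, so the pin comparison below behaves the same way.
issue_stub_cert() {
  openssl x509 -req -in "$2" -signkey "$1" -days 30 -out "$3" 2>/dev/null
}

# Two renewals that reuse the key: prints "same" when the key, both CSRs and
# both certificates all yield one pin, "changed" otherwise.
renewal_pin_check() {
  key="$WORKDIR/example.com.key"
  ensure_key "$key"
  for n in 1 2; do
    make_csr "$key" "$WORKDIR/renew$n.csr" example.com
    issue_stub_cert "$key" "$WORKDIR/renew$n.csr" "$WORKDIR/renew$n.crt"
  done
  expected=$(spki_pin "$key" key)
  for f in renew1.csr renew2.csr; do
    [ "$(spki_pin "$WORKDIR/$f" csr)" = "$expected" ] || { echo changed; return 0; }
  done
  for f in renew1.crt renew2.crt; do
    [ "$(spki_pin "$WORKDIR/$f" crt)" = "$expected" ] || { echo changed; return 0; }
  done
  echo same
}

# What a renewal that generates a new key does: the pin moves and pinned
# clients stop trusting the server.
fresh_key_pin_check() {
  openssl genrsa -out "$WORKDIR/fresh1.key" 2048 2>/dev/null
  openssl genrsa -out "$WORKDIR/fresh2.key" 2048 2>/dev/null
  if [ "$(spki_pin "$WORKDIR/fresh1.key" key)" = "$(spki_pin "$WORKDIR/fresh2.key" key)" ]
  then echo same; else echo changed; fi
}

echo "key reused across renewals : $(renewal_pin_check)"
echo "fresh key per renewal      : $(fresh_key_pin_check)"
echo "pin to ship in the app     : $(spki_pin "$WORKDIR/example.com.key" key)"
```

Whichever client you end up with, pinning to the key means the key itself becomes the thing you must protect and plan rotation for: keep the key file out of the per-renewal cleanup path, and ship a backup pin for a second key generated and stored offline, so that a compromise or a forced rotation does not lock every installed app out of the server.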


#4

Thanks! We are using certbot (letsencrypt 0.9.3) on Ubuntu 16.04 running Apache2.


#5

Or GetSSL, which uses the same key by default (note: I wrote this bash client, so I’m biased :wink: ).


#6

For Certbot this is an existing issue tracked at

And indeed, it’s not done yet, so if you need this right away it might be useful to switch to another client like GetSSL.

