Question about PK security on a router

I have a question about Let's Encrypt's policy regarding issuing certificates for use in a private LAN.

Specifically, I want to be able to allow the clients on a LAN I control to be able to access the web admin interface of the router via HTTPS.

I intend to have a certificate issued for and then, since the router acts as the DNS proxy on the network, simply redirect to

Now, technically this should work fine, and I do not believe that in itself this violates any of LE's policies but I'm aware that they are required to revoke any certificate they consider to be compromised. So my question really is: what specifically would LE consider and not consider "compromised"?

To make this work, the private key used to issue the certificate must be located on the router to be able to sign the HTTPS sessions. It is therefore not accessible by any other client on the LAN, and can also quite easily be protected from any other non-root user who might be able to access the router via SSH for example. I expect LE to consider this as an acceptable situation, since it's essentially how any normal web server that LE has issued millions of certificates to operates.

The question however is, would LE still consider the PK secure in a situation where the router is physically accessible, but the PK is for example located on an encrypted partition?

I'm not a lawyer or something, but as long as the private key is safe from other users and it's physically also not possible to retrieve the private key (e.g., stick a console cable into the router without a login), I'd say the only thing you'd need to worry about is if either your router is hacked or physically stolen. Although the latter might not be that relevant if it's not possible to access the router without a factory reset (which should delete the private key).

1 Like

Generally speaking:

If the people on your LAN are trusted users, allowing them access to the key would not be considered "compromised".

If you were selling this LAN device and bundled in the LE Cert, or it was a cloud service, and unrelated users were able to access the key(s), it would be considered "compromised".

There is a lot of room for different scenarios and interpretation between these two concepts - but most concerns about this fall within these two concepts.

Even if not encrypted, this is reasonably secure as the key is locked down by permissions on the filesystem.


I don't see how an LE cert would keep that "locked".
[LE certs won't include IP addresses]

You'd have to keep the name in the URL:
redirect to


I think OP just means "resolves to".

I try to take things literally and not take anything for granted.
So, let's see what the response is.


It probably is a literal redirect (see how there's a port number in the destination address)


My advice: as this is not a public service, you can just use a self signed certificate. And as you control the whole network, you can just use unencrypted http.

Remember that Let's Encrypt certificates only last 90 days.


Thanks for all the replies, it got more attention than I expected :slight_smile: To clarify:

  • yes, I worded that very badly, I did mean "resolve to". Specifically the router will create a DNS record for all the clients on the network resolving "" to "<router's IP address>", and furthermore the web admin interface will be served on port 443 rather than 8080

  • we are in fact selling this router to customers, however the customer will not have root access to the router (and therefore no runtime access to the PK)

  • the disk will be encrypted, but obviously the customer will have to have the ability to decrypt this on startup

  • we will have the ability to revoke the certificate ourselves if the router is stolen or otherwise physically compromised

  • the certificate would be issued for a domain/subdomain the customer has no control over

  • we would very much prefer to avoid self-signed certificates


Will it be the same certificate for all of them?

You can encrypt whatever you want, short of putting an HSM in your device someone will find a way to extract the private key.

You're not the first one to get this idea. It ended badly already.

On the other hand, if each router has their own domain (ie you can make the router perform its own acme challenge via dns-01, just make sure you authenticate it.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.