Same private key for many domains?

Hello,

We are hosting and managing SSL for several thousand domains. Currently all domains have their own private key. As we are doing SSL offloading in OpenResty using Lua and Redis, the private keys are starting to take up quite a bit of space in memory. So would it be possible to use a single private key for all domains?

Thanks

David

That is currently not possible. Each Certificate has its own unique Private Key. If you need space, then you’re better off consolidating multiple domains into a single Cert. Each LE Certificate can handle up to 100 domains. Then you can use the same Certificate & Private Key for those domains.

1 Like

Thank you for the swift reply!

Hi @dhojelsen

that may be possible if your client supports that.

Sample: .NET:

Creating a key pair -> creating a CSR

So it’s possible to use the same key pair with different domain names and CSR.

But I don’t know if there are clients with such a support.

1 Like

The client I am developing and maintaining has support for multiple certificate requests with the same key: https://github.com/bruncsak/ght-acme.sh . It does not even have to see the key itself, so it has supplementary data safety as well.

2 Likes

I mean, technically, you can use the same key for all your Certs if you generate the CSRs off a Private Key of your choice. But you’d have to manually generate your own CSRs and pass them through Certbot. I’d have to take some time to dig further, but if Certbot does allow you to use your own CSRs generated from openssl or allows you to generate CSRs off an existing PK, then it’s a plausible workaround.

It is definitely possible at a technical level to use one private key for many different certificates. Certbot supports this if you manually generate CSRs and pass them in with the --csr flag.

In general, though, we think it’s best to rotate private keys every time you generate a new certificate, and this strategy makes that harder, though I understand the bind you are in memory-wise.

One thing I would recommend: Before you spend time re-engineering around this, verify that using the same private key across certificates actually saves memory in openresty. It’s possible that it will keep a copy of the private key in memory for every certificate. This seems likely unless the authors have specifically optimized around this use case.

3 Likes
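The "one key pair, many CSRs" procedure described in the .NET post above and the Certbot `--csr` answer, as an added shell example that is not code from the thread, from Certbot or from ght-acme.sh. It assumes an `openssl` CLI of version 1.1.1 or later (for `-addext`); the domain names and the `group1`/`group2` labels are constructed placeholders. One RSA key is generated once, a CSR per domain group is derived from it, and each CSR is checked against the key by comparing public-key fingerprints, which is also how you would confirm, before re-engineering, that every certificate really does share the key. The Certbot invocation is shown as a comment only, since it contacts the CA.

```shell
#!/bin/sh
# Added example: one private key shared by several CSRs, each verified against the key.
# Assumes openssl >= 1.1.1. Domain names below are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate the shared private key once and keep it readable only by the owner.
make_shared_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/shared.key" 2>/dev/null
  chmod 600 "$WORK/shared.key"
}

# Build a CSR from the shared key. $1 is a file label, the remaining
# arguments are the domains that become subjectAltName entries.
make_csr() {
  label="$1"; shift
  sans=""
  for d in "$@"; do sans="${sans:+$sans,}DNS:$d"; done
  openssl req -new -key "$WORK/shared.key" -subj "/CN=$1" \
    -addext "subjectAltName=$sans" -out "$WORK/$label.csr" 2>/dev/null
}

# SHA-256 fingerprint of the SubjectPublicKeyInfo carried by a CSR (*.csr)
# or derived from a private key; equal fingerprints mean the same key pair.
pubkey_fp() {
  case "$1" in
    *.csr) openssl req -in "$1" -pubkey -noout ;;
    *)     openssl pkey -in "$1" -pubout ;;
  esac | openssl sha256 | awk '{print $NF}'
}

# True when the CSR was built from the shared key.
csr_matches_key() {
  [ "$(pubkey_fp "$1")" = "$(pubkey_fp "$WORK/shared.key")" ]
}

# Generate the key and two domain-group CSRs, then print how many CSRs
# share the key's public key (expected: both of them).
demo() {
  make_shared_key
  make_csr group1 example.test www.example.test
  make_csr group2 shop.example.test api.example.test
  n=0
  for c in "$WORK"/group*.csr; do
    csr_matches_key "$c" && n=$((n + 1))
  done
  echo "$n"
}

# Failure mode: a CSR made from a different key must be rejected by the check.
other_csr_mismatches() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" 2>/dev/null
  openssl req -new -key "$WORK/other.key" -subj "/CN=other.test" \
    -out "$WORK/other.csr" 2>/dev/null
  ! csr_matches_key "$WORK/other.csr"
}

# Each CSR is then handed to Certbot with the flag named in the thread, e.g.:
#   certbot certonly --csr "$WORK/group1.csr" \
#     --cert-path "$WORK/group1.crt" --fullchain-path "$WORK/group1.fullchain.pem" \
#     --chain-path "$WORK/group1.chain.pem"
# (Shown as a comment only: it talks to the CA and needs a real challenge setup.)

# Run the demonstration when executed as a script; sourcing only defines the functions.
case "${0##*/}" in *.sh) demo ;; esac
```

Because the CSR carries the public key and the private key never leaves the host, the same `pubkey_fp` comparison can be run against an issued certificate (`openssl x509 -in cert.pem -pubkey -noout`) to confirm which certificates would be affected by a rotation of the shared key.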

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.