Hi, architecture question here. When certbot rotates my certificate, is there anything special that happens to the old certificate? Is it just removed from my filesystem, or does it become rejected / part of the OCSP/CRL? Also curious, when the certificate is rotated, does certbot generate a new private key or does it use the same key with a new CSR for updating the lifetime?
Not really. Your server won't be serving it anymore, but that's about it.
No. I think newer versions of certbot will delete older ones eventually, but will keep the last several around for some time.
No, revoking is only done explicitly, and only needed if one doesn't control the domain anymore or if the private key was compromised.
By default, it generates a new key for each request. You can pass the --reuse-key parameter if you want it to use the same key each time instead for some reason.
Just adding to Peter's excellent reply ...
It was Certbot v2.3 that changed how many older certs are kept in .../archive
It also quit saving to /csr and /keys folders
Change log for 2.3: certbot/certbot/CHANGELOG.md at main · certbot/certbot · GitHub
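Both replies above make claims you can check on disk: an old certificate is not revoked, it simply expires; Certbot keeps several older versions in archive/<lineage>/; and the private key changes on every renewal unless --reuse-key is used. The script below is an added example, not code from this thread or from the Certbot project. It walks a Certbot-style archive/<lineage>/ directory and, for each certN.pem, prints whether it is still within its validity window, whether privkeyN.pem really belongs to it, and whether the public key changed from the previous version. The certN.pem/privkeyN.pem naming and the live/ symlinks follow Certbot's layout; the three-version sample lineage that make_sample_archive builds is constructed here with openssl so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Certbot itself.
# Inspects a Certbot-style archive/<lineage>/ directory and, for each
# certN.pem, reports its validity, whether the matching privkeyN.pem belongs
# to it, and whether the public key changed from the previous version
# (Certbot's default) or stayed the same (--reuse-key).
# Assumptions: openssl on PATH; the sample lineage below is constructed.
set -eu

# SHA-256 over the DER SubjectPublicKeyInfo of the key inside a certificate.
cert_spki() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# Same fingerprint, derived from a private key file.
key_spki() {
    openssl pkey -in "$1" -pubout -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# "same" if both certificates carry the same public key, else "rotated".
key_status() {
    if [ "$(cert_spki "$1")" = "$(cert_spki "$2")" ]; then echo same; else echo rotated; fi
}

# "valid" if the certificate has not expired yet, else "expired". An old
# archive cert only ever becomes "expired" by the clock; renewal does not
# revoke it.
validity() {
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then echo valid; else echo expired; fi
}

# One line per archived version, plus which version live/ points at.
report_lineage() {
    root="$1"; lineage="$2"; arch="$root/archive/$lineage"
    n=1; prev=""
    while [ -f "$arch/cert$n.pem" ]; do
        cert="$arch/cert$n.pem"; key="$arch/privkey$n.pem"
        enddate=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
        if [ "$(cert_spki "$cert")" = "$(key_spki "$key")" ]; then pair=ok; else pair=MISMATCH; fi
        if [ -n "$prev" ]; then ks=$(key_status "$prev" "$cert"); else ks=first; fi
        printf 'cert%s.pem  %s  key=%s  vs-previous=%s  notAfter=%s\n' \
            "$n" "$(validity "$cert")" "$pair" "$ks" "$enddate"
        prev="$cert"; n=$((n + 1))
    done
    printf 'live/%s/cert.pem -> %s\n' "$lineage" "$(readlink "$root/live/$lineage/cert.pem")"
}

# Constructed sample: three renewals of one lineage. Versions 1 and 2 share a
# key (as with --reuse-key); version 3 gets a fresh key (the default).
make_sample_archive() {
    root="$1"; lineage="$2"; arch="$root/archive/$lineage"
    mkdir -p "$arch" "$root/live/$lineage"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$arch/privkey1.pem" 2>/dev/null
    cp "$arch/privkey1.pem" "$arch/privkey2.pem"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$arch/privkey3.pem" 2>/dev/null
    for n in 1 2 3; do
        openssl req -new -x509 -key "$arch/privkey$n.pem" -subj "/CN=$lineage" -days 90 \
            -out "$arch/cert$n.pem" 2>/dev/null
    done
    ln -sf "../../archive/$lineage/cert3.pem" "$root/live/$lineage/cert.pem"
    ln -sf "../../archive/$lineage/privkey3.pem" "$root/live/$lineage/privkey.pem"
}

# Stand-alone demo on a throwaway directory. To inspect a real install, call
# report_lineage /etc/letsencrypt <lineage-name> instead.
demo_root=$(mktemp -d)
make_sample_archive "$demo_root" example.test
report_lineage "$demo_root" example.test
rm -rf "$demo_root"
```

On a real install the key=MISMATCH column is the one worth watching: it would mean a cert/key pair in archive/ no longer matches, which is not something a normal renewal produces. The vs-previous column shows directly whether a lineage was renewed with --reuse-key (same) or with Certbot's default fresh key (rotated).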