Why is there /etc/letsencrypt/keys directory?

There is a /etc/letsencrypt/keys directory that contains a COPY of every private key from the /etc/letsencrypt/archive/

Why is it there in the very first place?

hi @zerkms

You should review how TLS works and the role that the private keys play in encryption.

Private keys and their functioning are a concept you should be aware of.


I understand how TLS works. My question is: why there is a COPY of the key in both keys directory and archive/domain/privkey1.pem

The same key is stored in 2 places.

The question is: why to store it in the keys directory?

# md5sum keys/0000_key-certbot.pem 
9b9e196ca40d39d62d0ee9f5d81f5d34  keys/0000_key-certbot.pem
# md5sum archive/xxx/privkey1.pem 
9b9e196ca40d39d62d0ee9f5d81f5d34  archive/xxx/privkey1.pem

apologies i misunderstood your question. I have confirmed what you are observing and will leave it to one of the other guys to answer as I am not sure what the rationale is :smiley:


Hi @zerkms,

As far as I know, the directories /etc/letsencrypt/keys/ and /etc/letsencrypt/csr/ are there just for backup purposes, anyway, @schoen and/or @bmw could have a better answer.

Also, there is an open issue to deprecate these directories https://github.com/certbot/certbot/issues/4634


1 Like

Yes, they are for backup purposes and I believe that we would nowadays be better off without them, as they’re extremely rarely used by users but often cause confusion.

We did originally think that it was helpful to have a backup copy of the relatively irreplaceable items in the certificate request (you can get the cert itself out of CT if necessary). But nowadays what we find that what people overwhelmingly do if they accidentally delete these items is just get a new certificate.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.