Why is there /etc/letsencrypt/keys directory?

There is a /etc/letsencrypt/keys directory that contains a COPY of every private key from /etc/letsencrypt/archive/.

Why is it there in the very first place?

Hi @zerkms,

You should review how TLS works and the role that the private keys play in encryption.

Private keys and their functioning are a concept you should be aware of.

Andrei

I understand how TLS works. My question is: why is there a COPY of the key in both the keys directory and archive/domain/privkey1.pem?

The same key is stored in 2 places.

The question is: why store it in the keys directory at all?

# md5sum keys/0000_key-certbot.pem 
9b9e196ca40d39d62d0ee9f5d81f5d34  keys/0000_key-certbot.pem
# md5sum archive/xxx/privkey1.pem 
9b9e196ca40d39d62d0ee9f5d81f5d34  archive/xxx/privkey1.pem

Apologies, I misunderstood your question. I have confirmed what you are observing and will leave it to one of the other guys to answer, as I am not sure what the rationale is :smiley:

Andrei

Hi @zerkms,

As far as I know, the directories /etc/letsencrypt/keys/ and /etc/letsencrypt/csr/ are there just for backup purposes. Anyway, @schoen and/or @bmw could have a better answer.

Also, there is an open issue to deprecate these directories: https://github.com/certbot/certbot/issues/4634

Cheers,
sahsanu


Yes, they are for backup purposes and I believe that we would nowadays be better off without them, as they’re extremely rarely used by users but often cause confusion.

We did originally think that it was helpful to have a backup copy of the relatively irreplaceable items in the certificate request (you can get the cert itself out of CT if necessary). But nowadays what we find is that what people overwhelmingly do if they accidentally delete these items is just get a new certificate.

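Since the thread establishes that keys/ holds a second copy of every archive/ private key, and that the copies are rarely used, a defender's practical question is which backup keys still correspond to a live lineage, which ones are orphaned leftovers of deleted certificates, and whether any of them are readable by other users. The following audit script is an added example written for this thread; it is not certbot's own code. It assumes only the layout the thread shows (keys/NNNN_key-certbot.pem and archive/<lineage>/privkeyN.pem), matches files by SHA-256 of their contents instead of md5sum, and builds a small constructed sample tree (fake key contents, not real keys) so it runs stand-alone.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_of(path):
    """Content digest used to pair a backup key with its archive copy."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def index_archive_keys(archive_dir):
    """Map content digest -> list of archive/<lineage>/privkeyN.pem paths."""
    index = {}
    for p in Path(archive_dir).glob("*/privkey*.pem"):
        index.setdefault(sha256_of(p), []).append(str(p))
    return index


def audit_backup_keys(letsencrypt_dir):
    """Classify every keys/*.pem as matched (has an archive twin) or orphaned,
    and flag any copy whose mode grants group or other access."""
    base = Path(letsencrypt_dir)
    archive_index = index_archive_keys(base / "archive")
    report = {"matched": {}, "orphaned": [], "loose_permissions": []}
    for p in sorted((base / "keys").glob("*.pem")):
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            report["loose_permissions"].append(str(p))
        digest = sha256_of(p)
        if digest in archive_index:
            report["matched"][str(p)] = archive_index[digest]
        else:
            report["orphaned"].append(str(p))
    return report


def build_sample_tree(root):
    """Constructed sample layout (contents are placeholders, not real keys):
    one backup key that still has an archive twin, one that does not."""
    root = Path(root)
    (root / "keys").mkdir(parents=True)
    (root / "archive" / "example.com").mkdir(parents=True)
    live = root / "keys" / "0000_key-certbot.pem"
    stale = root / "keys" / "0001_key-certbot.pem"
    live.write_bytes(b"CONSTRUCTED-KEY-A\n")
    stale.write_bytes(b"CONSTRUCTED-KEY-B\n")
    (root / "archive" / "example.com" / "privkey1.pem").write_bytes(b"CONSTRUCTED-KEY-A\n")
    os.chmod(live, 0o600)   # the mode certbot-managed keys should have
    os.chmod(stale, 0o644)  # deliberately loose, to exercise the check
    return root


def main():
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_backup_keys(build_sample_tree(Path(tmp) / "letsencrypt"))
        for backup, twins in report["matched"].items():
            print("matched  ", backup, "->", ", ".join(twins))
        for backup in report["orphaned"]:
            print("orphaned ", backup)
        for backup in report["loose_permissions"]:
            print("loose mode", backup)


if __name__ == "__main__":
    main()
```

Run it against a real installation by calling audit_backup_keys("/etc/letsencrypt") as root; orphaned entries are exactly the copies the thread describes as confusing leftovers, and anything under loose_permissions is a private key that more than one local account can read.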
