Will privkey.pem also be renewed?

Hello

Will the privkey.pem also be renewed when the cert is renewed? Or does certbot keep the privkey.pem all the time?

What could happen, if some hacker has the privkey.pem and the fullchain.pem of a server?

Kind regards
//neph

2 Likes

By default in Certbot, yes, privkey.pem is changed at every renewal. This is the “paranoid” default. This behavior can be altered by using the --reuse-key parameter.

fullchain.pem is not a private file. In fact, your server sends it to every single browser that connects to your server.

privkey.pem should be kept private. If your server is hacked and somebody steals that file, it gives them one of the two necessary tools they need in order to impersonate your website or decrypt traffic between your website and its visitors.

The second tool they need is the ability to intercept traffic between your server and its visitors, which is usually quite difficult - they either need to hack your network provider or be physically on the same e.g. Wi-Fi network as you.

4 Likes
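The answer above distinguishes the default behaviour (a fresh private key at every renewal) from --reuse-key (the same key kept across renewals). The following script is an added example, not from the thread and not Certbot's own code: it gives an operator two checks to run after a renewal, namely whether privkey.pem still matches the leaf certificate in fullchain.pem and whether the key was rotated or reused. It assumes the openssl CLI is installed; the file names and the /etc/letsencrypt/live/<domain>/ layout are only referenced in comments, and the demo material (two P-256 keys and a self-signed certificate) is constructed on the fly so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Checks two things a server operator cares
# about after a Certbot renewal: whether privkey.pem still matches the leaf
# certificate in fullchain.pem, and whether the private key was rotated
# (default) or kept (--reuse-key). Assumes the openssl CLI is installed.
set -eu

# SHA-256 fingerprint of the public key derived from a private key file
pubkey_fp_from_key() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key in the first certificate of a PEM
# bundle; fullchain.pem lists the leaf certificate first
pubkey_fp_from_cert() {
  openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
    | openssl pkey -pubin -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# "match" when the key and certificate belong together, otherwise "MISMATCH"
# (a mismatch after renewal usually means the server loaded a stale copy)
key_matches_cert() {
  if [ "$(pubkey_fp_from_key "$1")" = "$(pubkey_fp_from_cert "$2")" ]; then
    echo match
  else
    echo MISMATCH
  fi
}

# "rotated" when two privkey.pem files hold different keys (expected with the
# default renewal), "reused" when they hold the same key (expected with --reuse-key)
key_rotation_status() {
  if [ "$(pubkey_fp_from_key "$1")" = "$(pubkey_fp_from_key "$2")" ]; then
    echo reused
  else
    echo rotated
  fi
}

# Constructed demo material so the script runs offline: two fresh P-256 keys
# and a self-signed certificate for the first one, standing in for the
# contents of /etc/letsencrypt/live/<domain>/ before and after a renewal.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
  -out "$DEMO_DIR/privkey-old.pem" 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
  -out "$DEMO_DIR/privkey-new.pem" 2>/dev/null
openssl req -new -x509 -key "$DEMO_DIR/privkey-old.pem" \
  -subj "/CN=demo.example" -days 1 -out "$DEMO_DIR/fullchain-old.pem" 2>/dev/null

echo "old key vs old cert: $(key_matches_cert "$DEMO_DIR/privkey-old.pem" "$DEMO_DIR/fullchain-old.pem")"
echo "new key vs old cert: $(key_matches_cert "$DEMO_DIR/privkey-new.pem" "$DEMO_DIR/fullchain-old.pem")"
echo "old key vs new key:  $(key_rotation_status "$DEMO_DIR/privkey-old.pem" "$DEMO_DIR/privkey-new.pem")"
echo "old key vs itself:   $(key_rotation_status "$DEMO_DIR/privkey-old.pem" "$DEMO_DIR/privkey-old.pem")"
```

On a live host, point key_matches_cert at the current privkey.pem and fullchain.pem in the live directory; point key_rotation_status at a copy of the previous privkey.pem (for example, the numbered file under archive/) and the current one. The comparisons go through the public key fingerprint rather than a hash of the file, so a re-encoded or re-wrapped copy of the same key is still reported as reused.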