ruby-acme-cli

Rekey on renew

Open kubicek opened this issue 10 years ago • 1 comments

Regenerating key when renewing certificate should be mandatory.

There are good reasons to change encryption keys regularly. It protects against long-term key leaks and it hardens decrypting captured traffic in the future.

The fastest way was to delete the key in the renewal process, but I admit it is not very polite to delete the old key before having a new certificate issued.

kubicek, Jan 08 '16 03:01

I would only use this as an optional argument (--rekey?) as it breaks backwards compatibility and other people's potential running setup. As you mentioned, deleting the key before having a new one doesn't sound very great; maybe add a new private key as a Tempfile first and move it to the location on success?

zealot128, Jan 16 '16 20:01
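
The Tempfile-then-move approach suggested in the comment above, sketched as an added example (not code from ruby-acme-cli or from either commenter). The helper name `renew_with_rekey`, its parameters, and the `.new` suffix are hypothetical; the block stands in for whatever performs the ACME issuance and is assumed to return the certificate PEM or raise.

```ruby
require "openssl"
require "tempfile"

# Hypothetical helper (not part of ruby-acme-cli): rekey on renewal without
# deleting the old key first. The block performs issuance for the new key and
# returns the certificate PEM; it should raise if issuance fails.
def renew_with_rekey(key_path, cert_path, bits: 2048)
  # Same directory as the target so File.rename is an atomic replace.
  # Tempfile.create opens the file with mode 0600.
  tmp_key = Tempfile.create(["rekey-", ".pem"], File.dirname(key_path))
  tmp_key_path = tmp_key.path
  tmp_cert_path = "#{cert_path}.new"

  new_key = OpenSSL::PKey::RSA.new(bits)
  tmp_key.write(new_key.to_pem)
  tmp_key.fsync
  tmp_key.close

  cert_pem = yield new_key
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  # Refuse to swap if the issued certificate does not belong to the new key.
  raise ArgumentError, "certificate does not match new key" unless cert.check_private_key(new_key)

  File.write(tmp_cert_path, cert.to_pem)
  # Only now is the old key replaced. The two renames are not one atomic step,
  # so a reader can briefly see the new key with the old certificate.
  File.rename(tmp_key_path, key_path)
  File.rename(tmp_cert_path, cert_path)
  true
ensure
  # On any failure the old key and certificate are still in place.
  tmp_key.close if tmp_key && !tmp_key.closed?
  [tmp_key_path, tmp_cert_path].compact.each { |p| File.unlink(p) if File.exist?(p) }
end
```

If the web server reads key and certificate as a pair, reload it only after the helper returns.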