0

I'm looking for a description how to property secure, backup, restore etc Letsencrypt certificates, and how to recover if a server containing such certificates was hacked. Does such a description exist?

Here are some of the questions I'm puzzled about:

It appears that letsencrypt has the notion of an "account" with private keys, but appears there is no problem if some other account wishes to obtain a cert for an already-existing hostname. (Then there are two different keys/certs in the wild for the same hostname at the same time.) Just what is that account for?

Then, just who exactly can revoke a certificate, and what information is needed to do so? (I have not tried to do this.) If the account private key is needed, this would mean I can't revoke a cert if my server was taken over and I have not created an off-site backup of my account credentials (does anybody ever backup Letsencrypt data?) If it isn't needed, anybody can revoke anything, which hopefully is not true. Or is the revocation security also driven by DNS resolution verification?

Improve this question

1 Answer 1

Reset to default
1

The account is associated with the email address you specify when you create the account. This email address gets notifications when certificates are about to expire.

You can keep the private key on the server using the certificates, or on another machine that doesn't allow incoming connections.

There is nothing wrong with having different certificates for the same hostname.

Let’s Encrypt Certificate revocation is possible

  • From the account that issued the certificate
  • Using the certificate private key
  • Using a different authorized account

I found that page just by typing "letsencrypt revoke certificate" into Google. It explains the requirements for revocation in detail.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .