please let me reuse a key during cert renewal

[dkg]

I have a cert that needs to keep the same public key over a couple years at least.

I like the short cert lifetimes, i just want to renew with the same public key.

But certbot automatically generates a new key at each renewal event. Please give "certbot renew" the option of re-using the existing key.

[pde]

There is already a flag --key-path, that should probably have these semantics.

[pde]

The CLI entry for key-path is currently way too complicated;

    section = "paths"
    if verb in ("install", "revoke"):
        section = verb
    # revoke --key-path reads a file, install --key-path takes a string
    add(section, "--key-path", required=(verb == "install"),
        type=((verb == "revoke" and read_file) or os.path.abspath),
        help="Path to private key for cert installation "
             "or revocation (if account key is missing)")

The section logic is obsolete since #3254 landed; we can just make the section be ["paths", "install", "revoke"]. Then the place to implement the actual key reuse logic would probably be to take an alternative path here if self.config.key_path is set.

[pde]

@dkg send us a pull request!

[thomaszbz]

There's also a technical use case for this (be it --key-path or --reuse-key like suggested by @schoen in the PR): DNSSEC/DANE, thereby not TLSA-pinning the CA but the public key itself (which is why the private key should not change every 3 months because that triggers the need to update DNS in time whereas in time means that DNS must provide TLSA-entries for both, old and new private key, until the caching period of DNS is over, which allows to drop TLSA-entries for the old private key and purely rely on the new private key for connections). As long as the private key remains the same, all the DNS overhead becomes obsolete (at least for 1-3 years until private key material should be replaced, just to be sure).

I think --reuse-key would be much easier to use, whereas use cases for --key-path exist as well. Why not both?

[ArchangeGabriel]

I agree with @thomaszbz.

[noqu]

Unless I am much mistaken, users of HPKP (HTTP Public Key Pinning) would also greatly benefit from --reuse-key.

With HPKP, in order to migrate from one public key to another, it is necessary to adapt the server's secondary pin-sha256 header well in advance of the actual migration, so that clients will accept the (future) new key as genuine.

This is definitely not something you would want to do every three months.