HPKP: fixed private keys possible?
As far as I can see, it's not possible with your implementation to have the same private key after a cert renewal. Because of this, I cannot use HPKP (key pinning) because of the changing private keys. Can you please make the private keys static, permanent? Or is that already implemented and if yes, how do I do it? Thanks!
Hi Hans, I'm not sure about the private key, but you can still use HPKP... pinning the intermediate and root CA. Regards
Lloyd
Edit:
Let's Encrypt Authority X1
Pin SHA256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
DST Root CA X3 (self-signed)
Pin SHA256: Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=
Ah! Of course @Lloyd1978, I forgot about that possibility. It's less secure but better than nothing. Thanks!
No problem, I nearly forgot... you will need to add a "Backup Pin". I usually just use my last certificate's root, e.g. GeoTrust, Comodo, etc. It doesn't really matter.
Here's one from GeoTrust... pin-sha256: q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8=
Then you'll pass at https://www.ssllabs.com/ssltest/index.html Regards
Lloyd
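Added example, not code from anyone in this thread: the pin-sha256 values above are base64(SHA-256(DER SubjectPublicKeyInfo)). This Python computes such a pin, applies the two checks a browser applies to a pin set (one pin must match the served chain, one must be an off-chain backup pin, as Lloyd notes), and only then emits a Public-Key-Pins header. The Ed25519 SPKIs are constructed sample values, not real CA keys.

```python
import base64
import hashlib
import re

_PEM_RE = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)

def spki_der_from_pem(pem: str) -> bytes:
    """A 'PUBLIC KEY' PEM block is the DER SubjectPublicKeyInfo, base64-encoded
    (on a shell, `openssl x509 -in cert.pem -noout -pubkey` prints this block)."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PUBLIC KEY block found")
    return base64.b64decode("".join(m.group(1).split()))

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin-sha256: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def check_pin_set(pins, chain_spki_ders) -> str:
    """Browser rules for a Public-Key-Pins header: at least one pin must match an
    SPKI in the served chain, and at least one pin must NOT (the backup pin);
    otherwise the header is ignored. Returns "ok", "no-match" or "no-backup"."""
    chain_pins = {spki_pin(d) for d in chain_spki_ders}
    if not any(p in chain_pins for p in pins):
        return "no-match"
    if all(p in chain_pins for p in pins):
        return "no-backup"
    return "ok"

def build_hpkp_header(pins, chain_spki_ders, max_age: int, include_subdomains=False) -> str:
    """Emit the header only for a pin set that cannot lock the site out after a renewal."""
    status = check_pin_set(pins, chain_spki_ders)
    if status != "ok":
        raise ValueError(f"refusing to emit Public-Key-Pins: {status}")
    parts = [f'pin-sha256="{p}"' for p in dict.fromkeys(pins)] + [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)

# Constructed sample SPKIs (not real CA keys): an Ed25519 SubjectPublicKeyInfo is the
# fixed 12-byte DER prefix below followed by the 32-byte raw public key.
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
LEAF_SPKI = _ED25519_SPKI_PREFIX + bytes(range(32))
INTERMEDIATE_SPKI = _ED25519_SPKI_PREFIX + bytes(range(32, 64))
BACKUP_SPKI = _ED25519_SPKI_PREFIX + bytes(range(64, 96))

if __name__ == "__main__":
    # Pin the intermediate (survives leaf key changes) plus an off-chain backup pin.
    print(build_hpkp_header([spki_pin(INTERMEDIATE_SPKI), spki_pin(BACKUP_SPKI)],
                            [LEAF_SPKI, INTERMEDIATE_SPKI], max_age=5184000))
```

Pinning only the leaf key, which letsencrypt-plesk replaces on every renewal, would leave check_pin_set returning "no-match" after the next renewal for the lifetime of max-age.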
Hahahahaha discovered already. 😜 Thanks anyway! 😉
Hi, a static private key would be great, to allow using the same domain and certificate with both a Plesk-managed HTTP(S) server and non-HTTP servers.
Currently the lack of flexibility w.r.t. the private key makes it impossible to share a private key between servers; I describe my use case below as an example.
I have an XMPP server and a mail server which are hosted separately from HTTPS and are not managed through Plesk. Because letsencrypt-plesk always replaces private keys on renewal, I'm unable to have HTTPS, XMPP and mail on the same domain using the same private key, and I'm forced to use separate (sub)domains to work around this.
Update: using separate subdomains is not a good workaround, so I stopped using letsencrypt and bought a classic 2-year cert that I can share between servers and only need to sync once every 2 years.