Comment by knorker

2 years ago

Pinning is based on the keypair, not the cert. You can renew and not break pinning, right?

Also you can phase in a new cert with pinning.

Yes, you can pin the public key instead, which is generally more helpful. But most ACME clients (including the "official" certbot) default to rotating the key too. That can be disabled, but it's a problematic default for this use case, which means clients can't just enable pinning.
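To make the point of both comments concrete, here is an added Go example (not code from either commenter, nor from certbot or any ACME client): it computes the SPKI pin of a certificate, then renews once with the same key and once with a fresh key, showing that only the key rotation changes the pin. The self-signed issuance, empty subject and two-month renewal gap are constructed stand-ins for a real ACME issuance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin is what a pinning client stores: base64(SHA-256(DER SubjectPublicKeyInfo)). It depends only on the public key.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// issue stands in for one ACME issuance (self-signed here, so it runs offline).
// A renewal is just another call with a new serial and validity window.
func issue(key *ecdsa.PrivateKey, serial int64, from time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		NotBefore:    from,
		NotAfter:     from.Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// RenewalPins returns the pins of the original cert, of a renewal that reuses
// the key, and of a renewal that rotates it (the client default described above).
func RenewalPins() (orig, sameKey, newKey string) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fresh, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	later := now.AddDate(0, 2, 0) // constructed renewal two months in
	return spkiPin(issue(key, 1, now)), spkiPin(issue(key, 2, later)), spkiPin(issue(fresh, 3, later))
}

func main() {
	a, b, c := RenewalPins()
	fmt.Println("same-key renewal keeps pin:", a == b, " key rotation changes pin:", a != c)
}
```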