Comment by tw04
4 days ago
They have a relationship with your cert provider and get a copy of your cert or the root so they can decrypt the traffic.
I thought the whole point of the ACME client was that the private key never leaves my server to go to Let's Encrypt's servers. Now yes, if I am using Cloudflare Tunnel, I understand the TLS terminates at Cloudflare and they can share with anyone, but still it has to be a targeted operation, right? It isn't like Cloudflare would simply share all the keys to the kingdom?
Yes. They could issue their own certificates, but we have CT to mitigate that, too.
No, the private keys are yours - the root CA just 'signs' your key in a wrapper that was "issued" by, e.g., Let's Encrypt, and Let's Encrypt just has one job: validate that you own the domain via ACME validation.
That is not how PKI works. Your cert provider does not have a copy of your private key to give out in the first place.
Having the private key of the root cert does not allow you to decrypt traffic either.
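An added example (not code from any commenter) modeling the flow these replies describe: the key pair is generated locally, only a CSR carrying the public key goes to the CA, the CA signs it with its own key, and the CA's private key is no help for decrypting traffic to the server. It uses textbook RSA with fixed, well-known Mersenne primes, a hypothetical "Toy CA" and the constructed name "example.test", purely for illustration.

```python
# Toy model of the flow the thread describes: the server makes its own key pair,
# sends the CA only a CSR (identity + public key), the CA signs that, and the
# CA's private key cannot decrypt traffic to the server. Textbook RSA, demo only.
import hashlib
import json

# Well-known Mersenne primes, fixed so the demo needs no prime search (never do this for real keys).
SERVER_PRIMES = (2**521 - 1, 2**607 - 1)
CA_PRIMES = (2**127 - 1, 2**1279 - 1)

def keygen(p, q):
    """Textbook RSA pair; the private half (n, d) is created and kept where it is made."""
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    return (n, e), (n, pow(e, -1, phi))  # (public, private)

def digest(obj):
    """SHA-256 of canonical JSON as an integer; both moduli above are far larger than 2**256."""
    return int.from_bytes(hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).digest(), "big")

def make_csr(domain, pub):
    """What an ACME client sends after domain validation: identity plus the PUBLIC key only."""
    return {"subject": domain, "pub": pub}

def ca_sign(csr, ca_priv, issuer="Toy CA"):
    """The CA wraps the CSR contents in a cert and signs with its own key; it never sees d."""
    cert = {"subject": csr["subject"], "pub": csr["pub"], "issuer": issuer}
    cert["sig"] = pow(digest(cert), ca_priv[1], ca_priv[0])
    return cert

def verify_cert(cert, ca_pub):
    """Client-side check: the signature must match the cert body under the CA's public key."""
    body = {k: v for k, v in cert.items() if k != "sig"}
    return pow(cert["sig"], ca_pub[1], ca_pub[0]) == digest(body)

def run_demo():
    """Constructed end-to-end run; returns the facts the thread argues about."""
    server_pub, server_priv = keygen(*SERVER_PRIMES)  # generated on the server
    ca_pub, ca_priv = keygen(*CA_PRIMES)              # the CA's (or root's) own pair
    csr = make_csr("example.test", server_pub)
    cert = ca_sign(csr, ca_priv)
    secret = 0xCAFE                                   # stand-in for a key-exchange secret
    c = pow(secret, server_pub[1], server_pub[0])     # encrypted to the server's cert key
    return {
        "csr_leaks_private_key": str(server_priv[1]) in json.dumps(csr),
        "cert_verifies": verify_cert(cert, ca_pub),
        "server_decrypts": pow(c, server_priv[1], server_priv[0]) == secret,
        "ca_decrypts": pow(c, ca_priv[1], ca_priv[0]) == secret,  # root key is no help
    }
```

Changing any field of the signed cert (for example its subject) makes verify_cert return False, which is the property that lets a client trust only what the CA actually signed.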