Support for CSRs so private keys are not stored on the certwarden CVS? #61
Labels
enhancement
New feature or request
Comments
clas0415
changed the title
|
This is an interesting idea. I'd need to ponder if I can make this work without too much extra development. That said, from a security standpoint, the account keys would still live in cert warden so there would still be a pretty significant compromise of your domains if the keys were stolen. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Would CSRs be a possibility?
AFAIK this is possible with some other ACME clients/methods: https://community.letsencrypt.org/t/is-there-a-way-i-can-just-provide-a-csr-and-get-a-cert-manually/85422
My reasoning is that, by storing all the private keys for servers, then the certwarden server becomes quite a target.
But if the servers generate keys locally and pass only the CSR to certwarden, then it could reduce the single point of risk.
The text was updated successfully, but these errors were encountered: