Hacker News

What does reducing validity actually solve? The same private key is presumably used by all certificates and CSRs - if the private key is compromised then a renewed cert doesn’t solve anything.

Am I missing something here?



> The same private key is presumably used by all certificates and CSRs

That's a choice. Certbot changes the private key with every renewal by default. I suppose in principle CAB might start disallowing key reuse.


You're supposed to use a new private key for the new CSR. There is no reason to reuse the previous key.
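An added example, not part of the thread, of the practice described in the two replies above: issue a brand-new private key for every CSR, and check whether a new CSR silently reuses the public key of an earlier one by comparing SubjectPublicKeyInfo fingerprints. It assumes openssl(1) is installed; the key type (EC P-256), the file names and the common name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): one fresh key per CSR, plus a
# check that detects key reuse between two CSRs. Assumes openssl(1).
set -eu

# new_key_and_csr <key file> <csr file> <common name>
# Generates a brand-new EC P-256 private key and a CSR for it.
new_key_and_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null
    openssl req -new -key "$1" -subj "/CN=$3" -out "$2" 2>/dev/null
}

# csr_with_existing_key <key file> <csr file> <common name>
# Builds a CSR on an already-existing key: the pattern the thread says to avoid.
csr_with_existing_key() {
    openssl req -new -key "$1" -subj "/CN=$3" -out "$2" 2>/dev/null
}

# spki_fingerprint <csr file>
# Prints the SHA-256 of the DER-encoded public key carried in the CSR.
spki_fingerprint() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# key_reused <old csr> <new csr>
# Exit status 0 when both CSRs carry the same public key (i.e. the key was reused).
key_reused() {
    [ "$(spki_fingerprint "$1")" = "$(spki_fingerprint "$2")" ]
}

# demo: two properly rotated CSRs differ; a CSR on the old key is flagged.
demo() {
    d=$(mktemp -d)
    new_key_and_csr "$d/renewal1.key" "$d/renewal1.csr" example.test
    new_key_and_csr "$d/renewal2.key" "$d/renewal2.csr" example.test
    csr_with_existing_key "$d/renewal1.key" "$d/reused.csr" example.test
    if key_reused "$d/renewal1.csr" "$d/renewal2.csr"; then
        echo "rotated renewal: KEY REUSED (unexpected)"
    else
        echo "rotated renewal: fresh key"
    fi
    if key_reused "$d/renewal1.csr" "$d/reused.csr"; then
        echo "reused-key CSR: KEY REUSED"
    fi
    rm -rf "$d"
}

demo
```

The fingerprint comparison is the check worth keeping around: run it over the CSR (or the issued certificate, which carries the same SubjectPublicKeyInfo) from each renewal and alert when a fingerprint repeats, since a renewal that keeps the old key gains nothing from the shorter validity period if that key was ever exposed.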


And what’s the value in that? If a system is breached then the keys should end up revoked by OCSP?


The only thing I can think of is domain expiry. Someone could get a certificate, sell their domain, then continue using the cert until the certificate expires.


My tinfoil hat says it's about control. Forcing people to return for another blessing from the central authority, more often. The same reason church is once a week, and not once a year.



