tw04 2 days ago

They have a relationship with your cert provider and get a copy of your cert or the root so they can decrypt the traffic.
mcny 2 days ago

I thought the whole point of the ACME client was that the private key never leaves my server to go to Let's Encrypt's servers. Now yes, if I am using Cloudflare Tunnel, I understand the TLS terminates at Cloudflare and they can share with anyone, but still, it has to be a targeted operation, right? It isn't like Cloudflare would simply share all the keys to the kingdom?
kachapopopow 2 days ago

No, the private keys are yours. The root CA just 'signs' your key in a wrapper that was "issued" by, e.g., Let's Encrypt, and Let's Encrypt just has one job: validate that you own the domain via ACME validation.
scq 2 days ago

That is not how PKI works. Your cert provider does not have a copy of your private key to give out in the first place. Having the private key of the root cert does not allow you to decrypt traffic either.
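To make the last two replies concrete, here is an added example (not posted by anyone in the thread) that builds a throwaway CA with the openssl CLI and checks what the CA actually receives and signs; it also goes one step further and shows why the CA's root key plays no part in deriving an ECDHE session secret. It assumes openssl is on the PATH; the CA name "ExampleRoot", the host "www.example.test" and the temp-directory layout are invented for the demo.

```shell
# Added example, not from the thread: a throwaway PKI built with openssl showing what a
# CA receives and signs. "ExampleRoot", "www.example.test" and the file layout are made up.

build_demo_pki() {
  dir=$(mktemp -d)
  # The server generates its own key pair; the private key never leaves $dir/server.key.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key"
  # The CSR carries only the public key and identity (self-signed as proof of possession).
  # This is everything the CA ever sees.
  openssl req -new -key "$dir/server.key" -subj "/CN=www.example.test" -out "$dir/server.csr"
  # The CA's own root key pair: the secret a CA actually holds.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
  openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=ExampleRoot" -days 30 -out "$dir/ca.crt"
  # The CA signs the CSR, wrapping the server's PUBLIC key in a certificate.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -out "$dir/server.crt" 2>/dev/null
  echo "$dir"
}
# Count lines mentioning private material in the CSR and certificate (expected: 0).
private_material_in_csr_or_cert() {
  { openssl req -in "$1/server.csr" -noout -text; openssl x509 -in "$1/server.crt" -noout -text; } \
    | grep -ci 'private' || true
}
# The certificate's public key is exactly the one derived from the server's private key ...
cert_pubkey_matches_server_key() {
  [ "$(openssl x509 -in "$1/server.crt" -noout -pubkey)" = "$(openssl pkey -in "$1/server.key" -pubout)" ] \
    && echo yes || echo no
}
# ... and it validates against the CA's root certificate.
cert_chains_to_ca() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 && echo yes || echo no
}
# In an ECDHE handshake the session secret comes from fresh ephemeral keys. The server's
# certificate key only signs its ephemeral share; neither it nor the CA key derives the secret.
ecdhe_secret_agrees() {
  for side in client server; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$side.eph"
    openssl pkey -in "$1/$side.eph" -pubout -out "$1/$side.eph.pub"
  done
  openssl dgst -sha256 -sign "$1/server.key" -out "$1/eph.sig" "$1/server.eph.pub"
  openssl x509 -in "$1/server.crt" -noout -pubkey > "$1/cert.pub"
  openssl pkeyutl -derive -inkey "$1/client.eph" -peerkey "$1/server.eph.pub" -out "$1/s1"
  openssl pkeyutl -derive -inkey "$1/server.eph" -peerkey "$1/client.eph.pub" -out "$1/s2"
  openssl dgst -sha256 -verify "$1/cert.pub" -signature "$1/eph.sig" "$1/server.eph.pub" >/dev/null \
    && cmp -s "$1/s1" "$1/s2" && echo yes || echo no
}

d=$(build_demo_pki)
echo "private material in CSR/cert: $(private_material_in_csr_or_cert "$d")"
echo "cert pubkey == server key: $(cert_pubkey_matches_server_key "$d"); chains to CA: $(cert_chains_to_ca "$d")"
echo "ECDHE secret agrees and ephemeral share is authenticated by the cert: $(ecdhe_secret_agrees "$d")"
```

Only server.csr ever crosses to the CA in this flow; server.key stays in the directory and the CA's ca.key is used solely to sign.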