the more I read about this Trustico incident, the more absurd it gets
what the actual fuck
its called a *private* key for a reason
don't let the certificate authority generate it for you and/or give it to the certificate authority
the only thing you are supposed to give to the certificate authority is the certificate signature request (CSR) and they give you the certificate after the validation process
@staticsafe I assume when I use a provider that works through Let's Encrypt, the provider is holding on to the keys rather than Let's Encrypt. Still depends on trusting someone else, but it's not the CA.
@Riley correct, in that case, the provider uses a tool that interfaces with Let's Encrypt's ACME API, the tool generates the CSR and the private key, submits the CSR to Let's Encrypt, Let's Encrypt does the validation process and if it passes, gives the cert back
@staticsafe Good knowledge.