fix private key format (#10134)

fixes https://github.com/certbot/certbot/issues/10131 this seems simple enough, but i also requested alex's review as a quick sanity check if he doesn't mind providing one i've verified this fixes the problem and that PKCS#8 was used in certbot 3.0.1
2026-06-09 00:32:12 -04:00 · 2025-01-16 11:04:55 -08:00 · 2025-01-16 11:04:55 -08:00 · b411cddc8a
commit b411cddc8a
parent 40f0b91512
3 changed files with 13 additions and 2 deletions
--- a/certbot/CHANGELOG.md
+++ b/certbot/CHANGELOG.md
@ -16,6 +16,8 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).

 ### Fixed

+* Private keys are now saved in PKCS#8 format instead of PKCS#1. Using PKCS#1
+  was a regression introduced in Certbot 3.1.0.
 * Allow nginx plugin to parse non-breaking spaces in nginx configuration files.
 * Honor --reuse-key when --allow-subset-of-names is set
 * Fixed regression in symlink parsing on Windows that was introduced in Certbot
--- a/certbot/certbot/_internal/tests/crypto_util_test.py
+++ b/certbot/certbot/_internal/tests/crypto_util_test.py
@ -207,6 +207,14 @@ class MakeKeyTest(unittest.TestCase):
                           match=re.escape('Invalid key_type specified: unf.  Use [rsa|ecdsa]')):
            make_key(2048, key_type='unf')

+    def test_for_pkcs8_format(self):
+        from certbot.crypto_util import make_key
+
+        # PKCS#1 format will instead have text like "BEGIN RSA PRIVATE KEY" or "BEGIN EC PRIVATE
+        # KEY"
+        assert b"BEGIN PRIVATE KEY" in make_key(2048)
+        assert b"BEGIN PRIVATE KEY" in make_key(elliptic_curve='secp256r1', key_type='ecdsa')
+

 class VerifyCertSetup(unittest.TestCase):
    """Refactoring for verification tests."""
--- a/certbot/certbot/crypto_util.py
+++ b/certbot/certbot/crypto_util.py
@ -216,7 +216,8 @@ def make_key(bits: int = 2048, key_type: str = "rsa",

    :returns: new RSA or ECDSA key in PEM form with specified number of bits
              or of type ec_curve when key_type ecdsa is used.
-    :rtype: str
+    :rtype: bytes
+
    """
    key: Union[rsa.RSAPrivateKey, ec.EllipticCurvePrivateKey]
    if key_type == 'rsa':
@ -247,7 +248,7 @@ def make_key(bits: int = 2048, key_type: str = "rsa",
        raise errors.Error("Invalid key_type specified: {}.  Use [rsa|ecdsa]".format(key_type))
    return key.private_bytes(
        encoding=Encoding.PEM,
-        format=PrivateFormat.TraditionalOpenSSL,
+        format=PrivateFormat.PKCS8,
        encryption_algorithm=NoEncryption()
    )