by advisedwang 2316 days ago
During normal certificate issuance, they do not generate or see the private key, so they can't compromise the certs they sign for you.

Like any other CA, they do have the technical ability to sign arbitrary other certs, so could issue a cert for MITM. As some other comments show, certificate transparency is starting to reduce this risk.

1 comments

LE does not see the private key but certbot does. Who audits certbot?
Anyone. It's open source. You can if you'd like.

https://github.com/certbot/certbot
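
What a CA is actually sent during issuance is a certificate signing request (CSR), which can be inspected locally. The following is an added example, not code from this thread or from certbot; it assumes the `openssl` CLI is installed, and `example.test` and the file names are placeholders.

```shell
#!/usr/bin/env bash
# Constructed demo: example.test and all file names are placeholders.
set -euo pipefail

# Generate the key pair and CSR locally, the job an ACME client does for you.
make_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/privkey.pem" 2>/dev/null          # never leaves this machine
  openssl req -new -key "$1/privkey.pem" -subj "/CN=example.test" \
    -out "$1/request.csr" 2>/dev/null          # this is what the CA receives
}

# SHA-256 of a public key read as PEM on stdin, hashed over its DER form.
spki_hash() { openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1; }

# The CSR carries the public half of the local key...
csr_pubkey_matches() {
  local from_key from_csr
  from_key=$(openssl pkey -in "$1/privkey.pem" -pubout | spki_hash)
  from_csr=$(openssl req -in "$1/request.csr" -noout -pubkey | spki_hash)
  [ "$from_key" = "$from_csr" ]
}

# ...a signature proving the requester holds the private half...
csr_signature_ok() {
  local out
  out=$(openssl req -in "$1/request.csr" -noout -verify 2>&1) || true
  case "$out" in *"verify OK"*) return 0 ;; *) return 1 ;; esac
}

# ...and no private key: openssl cannot load one from the CSR.
csr_has_no_private_key() { ! openssl pkey -in "$1/request.csr" -noout >/dev/null 2>&1; }

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_csr "$demo_dir"
csr_pubkey_matches "$demo_dir"     && echo "CSR public key matches local key"
csr_signature_ok "$demo_dir"       && echo "CSR self-signature verifies"
csr_has_no_private_key "$demo_dir" && echo "CSR contains no private key"
```

The same `openssl req -in request.csr -noout -text` inspection can be run on a CSR produced by any client before it is submitted.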