I am currently using certificates from StartCom for my hosted virtual server. Since StartCom's OCSP servers are quite unstable at times, I was considering moving to Let's Encrypt. Their service is also less troublesome to use.
As far as I found out, the Let's Encrypt certbot creates new key pairs when I request a new certificate, at least the first time I use it.
Since my server is running with the HPKP header, I can't just replace the key pair, since I configured it to pin the public key.
Now my question is, can I tell the Let's Encrypt certbot to use a given key for the new certificates? Or is there another solution for switching to Let's Encrypt with HPKP?
Update: I just found a post on the Let's Encrypt community forum which says that it is currently not supported by the Let's Encrypt client as of November 2015: https://community.letsencrypt.org/t/hpkp-best-practices-if-you-choose-to-implement/4625 The only option right now is to pin the intermediate public key, with a backup key for use with a different CA.
If someone knows some more recent news or has a different idea, I am happy to hear it.
After reading some more, I found out that the great Scott Helme already has a tutorial on exactly my problem.
Basically, using a different ACME client called acme-tiny, you can request a certificate with your own key and signing request. Here is the link to the tutorial: https://scotthelme.co.uk/setting-up-le/
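As an added example (not part of the answer above and not taken from Scott Helme's tutorial or from acme-tiny), here is the key-handling side of that approach as a POSIX shell script around the openssl CLI: generate a key pair you control, derive its HPKP pin-sha256 value (base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo), build the CSR that an ACME client such as acme-tiny submits, and confirm the CSR really carries the pinned key before it goes anywhere. Because the key is reused for every renewal, the pin stays valid across renewals and even across a change of CA. The hostname, file names and the max-age value are assumptions; the script needs only the openssl binary.

```shell
#!/bin/sh
# Added example, not from the question or answer. Assumes the openssl CLI is
# installed; hostnames, paths and max-age are made-up values.
set -eu

# Scratch directory for keys and CSRs; override with WORKDIR=... if wanted.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# spki_pin KEYFILE: print the HPKP pin-sha256 value for an RSA private key,
# i.e. base64(SHA-256(DER-encoded SubjectPublicKeyInfo of its public key)).
spki_pin() {
  openssl rsa -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# csr_pin CSRFILE: print the pin of the public key embedded in a CSR, so the
# request can be checked against the served pin before it is sent to the CA.
csr_pin() {
  openssl req -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# make_key_and_csr NAME HOSTNAME: create an RSA key and a CSR for HOSTNAME
# in $WORKDIR. Reusing NAME.key at every renewal keeps the pin unchanged.
make_key_and_csr() {
  openssl genrsa -out "$WORKDIR/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/$1.key" -subj "/CN=$2" -out "$WORKDIR/$1.csr"
}

# hpkp_header PRIMARY_PIN BACKUP_PIN: the header value to serve. The backup
# pin belongs to a key generated now but kept offline until it is needed.
hpkp_header() {
  printf 'Public-Key-Pins: pin-sha256="%s"; pin-sha256="%s"; max-age=5184000\n' "$1" "$2"
}

# main: generate a live key and a backup key, verify the CSR, print the header.
main() {
  make_key_and_csr primary example.com
  make_key_and_csr backup example.com
  primary=$(spki_pin "$WORKDIR/primary.key")
  backup=$(spki_pin "$WORKDIR/backup.key")
  # Refuse to continue if the CSR does not carry the key we are pinning.
  if [ "$(csr_pin "$WORKDIR/primary.csr")" != "$primary" ]; then
    echo "CSR public key does not match the pinned key" >&2
    return 1
  fi
  hpkp_header "$primary" "$backup"
  echo "CSR to hand to the ACME client: $WORKDIR/primary.csr" >&2
}

# Run the full sequence only when invoked as: sh script.sh --demo
case "${1:-}" in --demo) main ;; esac
```

Run it with `--demo` to get the header line plus the path of the CSR that acme-tiny would submit. The `csr_pin` check is the step worth keeping in any renewal script: a CSR built from the wrong key would still yield a perfectly valid certificate, and browsers that cached the old pin would then refuse the site for the remainder of max-age.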