On September 2, 2018 1:12:58 AM GMT+07:00, Rainer Duffner rainer@ultra-secure.de :
I’m pretty sure LE creates a new private key, too. From a cursory glance at lego’s certificate directory on a server with a couple of dozen LE certificates at least.
After all, changing the private key is what this is all about (showing that you’re still in charge).
It doesn't hurt when the process is automated anyway but it's by no means necessary. The limited validity period limits how long an attacker can abuse the cert should they get hold of it. However, if you have no reason to suspect a compromise, it's by no means necessary. It doesn't improve security (if you've been hacked in a way you don't notice, it's highly likely the new key would leave your system the same way the previous one did) and it's just one more thing that can go wrong if you do it manually.
Cheers, Matthias