TL;DR
Yes, an attacker can reuse a stolen SSL private key to create a fake version of your website on their server. This allows them to intercept sensitive data from visitors who don’t notice the difference. Protecting your private keys is crucial.
How Attackers Reuse Stolen Keys
SSL/TLS certificates rely on a pair of cryptographic keys: a public key and a private key. The public key is distributed widely (it’s part of the certificate), while the private key must be kept secret. If an attacker gets hold of your private key, they can:
- Decrypt past traffic: If your server logs encrypted traffic, the attacker could decrypt it.
- Impersonate your website: This is the most dangerous part. They can use the stolen private key to create a valid certificate for your domain on their own server.
Steps to Prevent Domain Recreation
- Secure Your Private Keys:
- Strong Access Controls: Limit access to files containing private keys (e.g.,
.keyfiles) on your server. Use appropriate file permissions (typically 600 or 400). - Encryption at Rest: Encrypt the storage where your private keys are kept. This adds an extra layer of protection if someone gains access to your server’s filesystem.
- Hardware Security Modules (HSMs): For high-security environments, store private keys in HSMs. These dedicated devices provide a secure environment for key generation and management.
- Strong Access Controls: Limit access to files containing private keys (e.g.,
- Monitor Certificate Transparency Logs:
Certificate Transparency (CT) logs publicly record all issued SSL certificates. Regularly check these logs to see if any unauthorized certificates have been issued for your domain.
- Tools like crt.sh allow you to search CT logs by domain name.
- Automate this process using scripts or monitoring services.
- Implement OCSP Stapling:
Online Certificate Status Protocol (OCSP) stapling allows your server to provide the revocation status of its certificate directly to clients, reducing reliance on third-party OCSP responders.
- Configure your web server to enable OCSP stapling. The exact configuration varies depending on your server software (e.g., Apache, Nginx).
- Use Short Certificate Validity Periods:
Shorter validity periods mean a stolen key is useful for less time.
- Consider using 90-day certificates. Let’s Encrypt, for example, offers free short-lived certificates.
- Regularly Rotate Certificates:
Even with short validity periods, proactively rotate your certificates on a schedule.
- Automate certificate renewal using tools like Certbot (for Let’s Encrypt).
- HTTP Strict Transport Security (HSTS):
HSTS forces browsers to connect to your website only over HTTPS, preventing man-in-the-middle attacks that could exploit a compromised certificate.
- Configure HSTS in your web server settings. For example, in Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
- Configure HSTS in your web server settings. For example, in Nginx:
- Key Compromise Response Plan:
- If you suspect a private key has been compromised:
- Revoke the Certificate Immediately: Contact your certificate authority (CA) to revoke the compromised certificate.
- Generate a New Key Pair and CSR: Create a new private key and Certificate Signing Request (CSR).
- Install the New Certificate: Obtain and install a new certificate signed by your CA.
- Update Your Systems: Ensure all systems using the certificate are updated with the new one.
- If you suspect a private key has been compromised: