
Feature: externally provided account key #149

Open
icing opened this issue Oct 10, 2019 · 3 comments

Comments

@icing (Owner) commented Oct 10, 2019

Allow the user to configure a file as primary source for an ACME account key. As in

MDAccountKey <path_to_pem_file>

which can be set globally or per MD.

On startup, read the key and

  • use it for any new account created for an MD
  • check if the key itself has changed for an existing account and perform the account key roll-over during the watchdog runs.

As of now, the user does not have control over the ACME account creation. The same account is used for all MDs on the same CA. By configuring account keys for (sets of) MDs, these can be tailored to match domain ownership.

By providing the key via a file, the admin takes control (and ownership) of the key management, for one. But it also means she has the key to make changes to her CA account herself.

@mschmitt commented

Testing mod_md for the first time today, after many years with acme-tiny, I got stuck on the question of what to do with my account key. What became of this feature after such a long time? Is it possible that I'm overestimating the value of my one old precious account key and should rather play along with the account keys created on the fly by the module?

@icing (Owner, Author) commented Mar 30, 2023

The module is designed to work out of the box, without prior signup. Therefore it just registers an account and does its job. The account key is stored in the file system with root permissions, so you can get it.

It would be possible to "manually" exchange that key with your own, if you already have one. I never did that, not really caring. The one use case is certificate revocation which would require this key. mod_md does not support this by itself.

Some ACME providers have a feature called "External Account Binding" (EAB), which is supported by the module. Those providers are often more commercial and allow their users to create an EAB token to be used in installations. The account key created by a client using that EAB is then associated with your account.
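
Both the MDAccountKey proposal at the top of this thread (read the key, use it for new accounts, and notice during the watchdog runs when it has changed) and the EAB remark above rest on how ACME identifies an account key. As an added example that is not mod_md's code, the following Python identifies the key by its RFC 7638 JWK thumbprint, so the "has the key changed?" check compares key material rather than file bytes (a re-encoded PEM holding the same key is not a roll-over), and then builds and verifies the RFC 8555 externalAccountBinding JWS that ties such a key to a pre-existing CA account. It assumes a PKCS#1 "RSA PRIVATE KEY" PEM; the function names, the toy RSA numbers and the EAB credential are constructed for illustration and are not real values.

```python
# Added example, not mod_md code. Identifies an ACME account key by its
# RFC 7638 JWK thumbprint, so a "did the configured key change?" check compares
# key material instead of file bytes, and builds/verifies the External Account
# Binding (EAB) JWS of RFC 8555 s7.3.4 that ties such a key to an existing CA
# account. Assumes a PKCS#1 "RSA PRIVATE KEY" PEM; all key values and the EAB
# credentials below are constructed toy data, far too small for real use.
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def int_b64url(value: int) -> str:
    return b64url(value.to_bytes((value.bit_length() + 7) // 8 or 1, "big"))


def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def toy_pkcs1_pem(n: int, e: int, d: int, p: int, q: int) -> str:
    """Encode an RSAPrivateKey SEQUENCE as PEM (constructed toy keys only)."""
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    seq = b"".join(der_int(x) for x in fields)
    b64 = base64.b64encode(b"\x30" + der_len(len(seq)) + seq).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END RSA PRIVATE KEY-----\n"


def der_read(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def pem_to_public_jwk(pem: str) -> dict:
    """Read version, n, e from a PKCS#1 RSAPrivateKey PEM; return the public JWK."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    tag, seq, _ = der_read(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    ints, pos = [], 0
    while len(ints) < 3:  # version, modulus, publicExponent
        tag, val, pos = der_read(seq, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(val, "big"))
    version, n, e = ints
    if version != 0:
        raise ValueError("unsupported RSAPrivateKey version")
    return {"kty": "RSA", "n": int_b64url(n), "e": int_b64url(e)}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required members, lexicographic order, no whitespace."""
    canon = json.dumps({k: jwk[k] for k in ("e", "kty", "n")}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canon.encode()).digest())


def account_key_changed(stored_thumbprint: str, configured_pem: str) -> bool:
    """The watchdog check: does the MDAccountKey file still hold the registered key?"""
    return jwk_thumbprint(pem_to_public_jwk(configured_pem)) != stored_thumbprint


def eab_jws(jwk: dict, eab_kid: str, eab_mac_key: str, new_account_url: str) -> dict:
    """externalAccountBinding: HS256 JWS over the public JWK, keyed by the CA-issued MAC key."""
    protected = b64url(json.dumps({"alg": "HS256", "kid": eab_kid, "url": new_account_url},
                                  separators=(",", ":")).encode())
    payload = b64url(json.dumps(jwk, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(b64url_decode(eab_mac_key), f"{protected}.{payload}".encode(), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(sig)}


def verify_eab(jws: dict, eab_mac_key: str) -> bool:
    """What the CA does on newAccount: recompute the MAC over protected.payload."""
    expected = hmac.new(b64url_decode(eab_mac_key), f"{jws['protected']}.{jws['payload']}".encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), jws["signature"])


# Constructed toy material: textbook RSA numbers and a made-up EAB credential.
KEY_A_PEM = toy_pkcs1_pem(n=3233, e=17, d=2753, p=61, q=53)
KEY_B_PEM = toy_pkcs1_pem(n=143, e=7, d=103, p=11, q=13)
EAB_KID = "example-eab-kid"
EAB_MAC_KEY = b64url(b"constructed-eab-hmac-key-not-real")

if __name__ == "__main__":
    registered = jwk_thumbprint(pem_to_public_jwk(KEY_A_PEM))  # stored at registration time
    print("key unchanged:", not account_key_changed(registered, KEY_A_PEM))
    print("rollover needed:", account_key_changed(registered, KEY_B_PEM))
    jws = eab_jws(pem_to_public_jwk(KEY_A_PEM), EAB_KID, EAB_MAC_KEY, "https://ca.example/acme/new-acct")
    print("EAB verifies:", verify_eab(jws, EAB_MAC_KEY))
```

Storing the thumbprint (rather than the whole private key) alongside the account is enough for the change check, and it is the same value ACME uses for key-authorization strings, so it doubles as a sanity check that the PEM the admin points at is the key the CA knows. A mismatch is the trigger for the key-change request, and the old key must remain readable until the CA has accepted the new one.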

@mschmitt commented

If revocation is the most likely use case, I can safely roll with the dynamic key instead of centrally maintaining one. Thanks for the feedback and your work on the module.
