Since 21.09.2022 all Let's Encrypt requests for revocation which are authenticated using the private key of the certificate itself will result in the certificate being revoked with reason "keyCompromise". This also results in a "Let's Encrypt certificate revocation notice" being sent to the account holder.
Currently acme.sh uses domain key revocation first and will fallback to account key revocation, if the request is not successful. Let's Encrypt will accept the domain key revocation, but will always flag the revocation as compromised. This is not an expected behaviour, when revoking the certificate with --revoke-reason other than 1.
All requests for revocation which are authenticated using the private key of the certificate itself will result in the certificate being revoked with reason "keyCompromise", regardless of the requested reason.
This is because use of the certificate private key for the purpose of authenticating an ACME API revocation request counts as a "demonstration of compromise", and the new requirements state that the CA MUST use reason "keyCompromise" when they "obtain verifiable evidence that the certificate subscriber’s private key... suffered a key compromise".
Proposed change:
Use account key revocation first and fallback to domain key revocation if this fails (maybe only for Let's Encrypt?)
Steps to reproduce
acme.sh --issue --server letsencrypt -d debug.example.com
acme.sh --revoke -d debug.example.com
Reference: https://community.letsencrypt.org/t/upcoming-changes-to-revocation-reasons/182953
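To make the ordering problem concrete, here is an added Python model of the two revocation paths; it is not acme.sh code and not Let's Encrypt's server code. It builds the RFC 8555 revokeCert JWS both ways (account key via "kid", certificate key via "jwk"), runs each against a simulated CA that applies the policy quoted in the issue (certificate-key authentication is always recorded as keyCompromise, account-key authentication keeps the requested reason if the account owns the certificate), and compares the current order (certificate key first) with the proposed order (account key first, certificate key as fallback). The certificate bytes, account URL, JWK, nonce, URLs and the signature field are constructed placeholders; `SimulatedCA`, `build_revoke_jws` and the two `revoke_*` functions are hypothetical names used only here.

```python
import base64
import json

# CRLReason values from RFC 5280 that this issue is about.
REASON_UNSPECIFIED = 0
REASON_KEY_COMPROMISE = 1
REASON_SUPERSEDED = 4

# Constructed sample inputs (not real certificates, accounts or keys).
SAMPLE_CERT_DER = b"constructed-certificate-der-bytes"
SAMPLE_ACCOUNT_KID = "https://acme.example.test/acme/acct/12345"
SAMPLE_CERT_JWK = {"kty": "RSA", "n": "constructed-modulus", "e": "AQAB"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS/ACME require (RFC 8555 section 6.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_revoke_jws(cert_der, reason, *, account_kid=None, cert_jwk=None):
    """Assemble an ACME revokeCert request (RFC 8555 section 7.6) in JWS form.
    Exactly one authenticator is used: "kid" names the account key, "jwk"
    embeds the certificate's own public key. The signature is a constructed
    placeholder; a real client signs protected.payload with the chosen key."""
    if (account_kid is None) == (cert_jwk is None):
        raise ValueError("choose exactly one of account_kid or cert_jwk")
    protected = {"alg": "RS256", "nonce": "constructed-nonce",
                 "url": "https://acme.example.test/acme/revoke-cert"}
    if account_kid is not None:
        protected["kid"] = account_kid
    else:
        protected["jwk"] = cert_jwk
    payload = {"certificate": b64url(cert_der), "reason": reason}
    return {"protected": b64url(json.dumps(protected).encode()),
            "payload": b64url(json.dumps(payload).encode()),
            "signature": "constructed-placeholder-signature"}


class SimulatedCA:
    """Stand-in for the CA behaviour described in the issue (hypothetical, not
    Boulder): certificate-key authentication always records keyCompromise;
    account-key authentication is honoured only when the account owns the
    certificate, and then keeps the requested reason."""

    def __init__(self, ownership):
        self.ownership = ownership  # account kid -> set of certificate DER blobs
        self.revoked = {}           # certificate DER -> recorded reason

    def revoke(self, jws):
        protected = json.loads(b64url_decode(jws["protected"]))
        payload = json.loads(b64url_decode(jws["payload"]))
        cert_der = b64url_decode(payload["certificate"])
        if "jwk" in protected:
            # Possession of the certificate key counts as demonstrated compromise.
            self.revoked[cert_der] = REASON_KEY_COMPROMISE
            return 200
        owned = self.ownership.get(protected.get("kid"), set())
        if cert_der not in owned:
            return 403  # urn:ietf:params:acme:error:unauthorized
        self.revoked[cert_der] = payload.get("reason", REASON_UNSPECIFIED)
        return 200


def revoke_cert_key_first(ca, cert_der, reason, account_kid, cert_jwk):
    """Order the issue says acme.sh uses today: certificate key, then account key."""
    if ca.revoke(build_revoke_jws(cert_der, reason, cert_jwk=cert_jwk)) == 200:
        return ca.revoked[cert_der]
    if ca.revoke(build_revoke_jws(cert_der, reason, account_kid=account_kid)) == 200:
        return ca.revoked[cert_der]
    return None


def revoke_account_key_first(ca, cert_der, reason, account_kid, cert_jwk):
    """Proposed order: account key first, certificate key only as a fallback."""
    if ca.revoke(build_revoke_jws(cert_der, reason, account_kid=account_kid)) == 200:
        return ca.revoked[cert_der]
    if ca.revoke(build_revoke_jws(cert_der, reason, cert_jwk=cert_jwk)) == 200:
        return ca.revoked[cert_der]
    return None


if __name__ == "__main__":
    args = (SAMPLE_CERT_DER, REASON_SUPERSEDED, SAMPLE_ACCOUNT_KID, SAMPLE_CERT_JWK)
    owns = {SAMPLE_ACCOUNT_KID: {SAMPLE_CERT_DER}}
    print("cert key first    -> reason", revoke_cert_key_first(SimulatedCA(owns), *args))
    print("account key first -> reason", revoke_account_key_first(SimulatedCA(owns), *args))
    print("account key first, foreign cert -> reason",
          revoke_account_key_first(SimulatedCA({}), *args))
```

With the account owning the certificate, the current order records reason 1 even though 4 (superseded) was requested, while the proposed order records 4; when the account does not own the certificate, the proposed order still falls back to the certificate key and the CA records keyCompromise, which is the one case where that reason is the intended outcome.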