Hi everybody,
I hope that I chose the correct category.
I'm working with Let's Encrypt and Certbot for my master's thesis and there's something in the ACME draft that is not completely clear to me.
I have analyzed the acme process and the log written by certbot when interacting with let’s encrypt.
I read that when you create a new account, a key pair is linked to that account.
But which kind of key pair are they?
They are not the keys linked to the certificate for sure. Those keys will be generated only when a new-order has to be submitted.
I also read about account key rollover and inside the draft there's an example of the JWS that Certbot should create to achieve the goal. But I am not able to find the right command to be run and it looks like this feature is not available? Is it correct?
Yep. There is a completely separate keypair for the ACME account. With Certbot, you can find it inside /etc/letsencrypt/accounts. The JWK representation of the key is in private_key.json.
Yes. Very few ACME clients implement account key rollover because it's not a commonly needed function. If required, most people just deactivate their accounts and move on, since making a new Let's Encrypt account is very easy.
However, users of other CAs (such as commercial ones) that implement ACME might find the key rollover more useful, depending on how account registration works.
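As an added illustration of the two points above (the account key is a separate JWK stored in Certbot's private_key.json, and key rollover works on that key rather than on the certificate key), here is a small stand-alone Python script that is not part of the thread, of Certbot, or of Let's Encrypt. It parses a JWK in the shape Certbot writes, separates the public members from the private ones, computes the RFC 7638 thumbprint that identifies the account key, and builds the inner payload of an RFC 8555 keyChange request (section 7.3.5) to show that only the old key's public part goes into it. The embedded key is a constructed toy RSA key (the textbook p=61, q=53 example), which is why the script does not sign anything; the function and variable names are the example's own.

```python
"""Inspect a Certbot-style ACME account key (RSA JWK) and derive its thumbprint.

Added example: not Certbot's or Let's Encrypt's code. Uses only the standard library.
"""
import base64
import hashlib
import json

# Constructed sample in the layout of Certbot's private_key.json. The values are the
# textbook toy key p=61, q=53 (n=3233, e=17, d=2753): far too small for real use,
# present only so the example runs offline.
SAMPLE_PRIVATE_KEY_JSON = json.dumps({
    "kty": "RSA",
    "n": "DKE",   # 3233, base64url without padding
    "e": "EQ",    # 17
    "d": "CsE",   # 2753, the private exponent; must never leave the accounts directory
})

# RSA private members defined by RFC 7518 section 6.3.2; anything else is public.
PRIVATE_RSA_MEMBERS = ("d", "p", "q", "dp", "dq", "qi", "oth")


def b64url_decode(text):
    """Decode unpadded base64url as used in JWK/JWS."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_int(text):
    """JWK integers are big-endian byte strings in base64url."""
    return int.from_bytes(b64url_decode(text), "big")


def load_account_key(text):
    """Parse private_key.json and reject anything that is not an RSA JWK."""
    jwk = json.loads(text)
    if jwk.get("kty") != "RSA":
        raise ValueError("expected an RSA JWK, got kty=%r" % jwk.get("kty"))
    for member in ("n", "e"):
        if member not in jwk:
            raise ValueError("RSA JWK is missing required member %r" % member)
    return jwk


def public_jwk(jwk):
    """Drop every private member, leaving the public key that ACME sends to the CA."""
    return {k: v for k, v in jwk.items() if k not in PRIVATE_RSA_MEMBERS}


def has_private_material(jwk):
    """True if the JWK carries any private RSA member (i.e. it is a secret file)."""
    return any(k in jwk for k in PRIVATE_RSA_MEMBERS)


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required public members in lexicographic
    order with no whitespace, base64url-encoded. Private members never influence it."""
    required = {"e": jwk["e"], "kty": jwk["kty"], "n": jwk["n"]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_change_inner_payload(account_url, old_jwk):
    """Payload of the inner JWS of an RFC 8555 section 7.3.5 keyChange request.

    The inner JWS is signed with the NEW key (carried in its 'jwk' header) and names the
    account plus the OLD public key; the outer JWS is signed with the old key. Only the
    public part of the old key belongs here, so private members are stripped.
    """
    return {"account": account_url, "oldKey": public_jwk(old_jwk)}


def describe_account_key(text):
    """Summary a defender wants when auditing an account directory."""
    jwk = load_account_key(text)
    return {
        "modulus_bits": jwk_int(jwk["n"]).bit_length(),
        "thumbprint": jwk_thumbprint(jwk),
        "contains_private_material": has_private_material(jwk),
    }


if __name__ == "__main__":
    info = describe_account_key(SAMPLE_PRIVATE_KEY_JSON)
    print(json.dumps(info, indent=2))
    # Hypothetical account URL, constructed for the example only.
    payload = key_change_inner_payload("https://acme.example/acme/acct/1",
                                       load_account_key(SAMPLE_PRIVATE_KEY_JSON))
    print(json.dumps(payload, indent=2))
```

Two properties worth noting: the thumbprint of the private JWK equals the thumbprint of its public projection, which is how you can confirm which account a given private_key.json belongs to without exposing the private exponent, and the keyChange payload contains no private member of either key.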
No longer a draft! RFC8555 has been standardized for some time now.