I’m Martin, and new to this community.
I have some questions regarding the use of ACME and external account binding. My employer is interested in using external account binding for ACME clients (for example using certbot).
The idea is to have clusters of web servers share the same external account. This is done for two reasons.
1) This would enable them to manage different groups of servers with a set of different external accounts.
2) And they would not have to create an external account for every single server.
Workgroup1 has a number of servers using ACME and refers to external account 1
Workgroup2 has a number of servers using ACME and refers to external account 2
My question is related to the security of such a solution.
In the event that somehow a server in, say, Workgroup1 would get compromised or hacked, could this lead to:
- revocation by the hacker of any other SSL certificates used by other servers in Workgroup1? How could this be done, since the hacker does not have access to the other certificates in the workgroup?
- unregistration of the external account 1? The external account was bound when the first ACME client in Workgroup1 performed a --register using the KID and H_MAC identifiers. Certbot, for example, can issue a --unregister to unregister an account.
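
For reference, RFC 8555 section 7.3.4 defines the binding mentioned above as an inner JWS whose payload is the ACME account's public key, MACed with the HMAC key that the KID identifies. The following builds that binding and applies the CA-side checks; it is an added example, not part of the original post and not certbot's code, and the KID, HMAC key, JWKs and URL are constructed values.

```python
import base64, hashlib, hmac, json

# Constructed sample values (assumptions, not real credentials or endpoints).
URL = "https://acme.example/new-account"
KID = "kid-workgroup1"
HMAC_KEY = b"constructed-demo-hmac-key-000000"
KEYS = {KID: HMAC_KEY}  # what the CA stores per external account
SERVER_A_JWK = {"kty": "EC", "crv": "P-256", "x": "server-a-x", "y": "server-a-y"}
SERVER_B_JWK = {"kty": "EC", "crv": "P-256", "x": "server-b-x", "y": "server-b-y"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, protected: str, payload: str) -> bytes:
    return hmac.new(key, f"{protected}.{payload}".encode("ascii"), hashlib.sha256).digest()

def build_eab(account_jwk: dict, kid: str, key: bytes, url: str) -> dict:
    """Client side: the externalAccountBinding field of the newAccount request."""
    protected = b64url(json.dumps({"alg": "HS256", "kid": kid, "url": url}).encode())
    payload = b64url(json.dumps(account_jwk, sort_keys=True).encode())
    return {"protected": protected, "payload": payload,
            "signature": b64url(_mac(key, protected, payload))}

def verify_eab(eab: dict, outer_jwk: dict, outer_url: str, keys: dict) -> bool:
    """CA side: MAC alg, no nonce, matching url, known kid, valid MAC, same account key."""
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, TypeError, ValueError):
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    if "nonce" in header or header.get("url") != outer_url:
        return False
    key = keys.get(header.get("kid"))
    if key is None:
        return False
    expected = _mac(key, eab["protected"], eab["payload"])
    # The payload must be the same key that signs the outer newAccount JWS.
    return hmac.compare_digest(signature, expected) and bound_jwk == outer_jwk

if __name__ == "__main__":
    eab_a = build_eab(SERVER_A_JWK, KID, HMAC_KEY, URL)
    print("A's binding, A's account key:", verify_eab(eab_a, SERVER_A_JWK, URL, KEYS))
    print("A's binding, B's account key:", verify_eab(eab_a, SERVER_B_JWK, URL, KEYS))
```

Each binding authenticates exactly one account public key, so two servers that register with different account keys produce different bindings under the same KID.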