ACME sharing external account binding security questions

Hi all,

I’m Martin, and new to this community.

I have some questions regarding the use of ACME and external account binding. My employer is interested in using external account binding for ACME clients (for example using certbot).
The idea is to have clusters of web servers share the same external account. This is done for two reasons.
1) This would enable them to manage different groups of servers with a set of different external accounts.
2) And they would not have to create an external account for every single server.
For example:
Workgroup1 has a number of servers using ACME and refers to external account 1
Workgroup2 has a number of servers using ACME and refers to external account 2

My question is related to the security of such a solution.
In the event that somehow a server in say Workgroup1 would get compromised or hacked, could this lead to:

  • revocation by the hacker of any other SSL certificates used by other servers in Workgroup1? How could this be done, since the hacker does not have access to the other certificates in the workgroup?
  • unregistration of external account 1? The external account was bound when the first ACME client in Workgroup1 performed a --register using the KID and HMAC identifiers. Certbot for example can issue a --unregister to unregister an account.

Thanks,
Martin


Just to contextualize your question, are you running your own CA?

EABs are used to associate an ACME account (which you are registering with a CA), with an external, non-ACME account that you already have (with that same CA).

Let’s Encrypt doesn’t use EABs, because there’s no concept of an “external account” - you just register an ACME account, and that’s it.

Different CAs, such as Sectigo, do use EABs. You create a Sectigo account, pay for some service, and then you can register any number of ACME accounts, linking each of them to your Sectigo account with the EAB.

When I consider your questions, I’m not really sure how to answer them, without understanding some background of why you are asking about EABs to begin with.

Hope that kind of makes sense.


_az thank you for the reply.
Yes that makes good sense.
Yes, EABs are used to associate an ACME account with a non-ACME account at a CA.
You are right, we are using Sectigo as CA. I thought that LetsEncrypt might also make use of EABs.
Hope this helps for the background.


I can’t address the EAB stuff, but in terms of revocations, I believe the following is still true:

  • A SignedCertificate can be revoked by:

    1. Its private key
    2. The AccountKey
    3. Creating a NewAccount, asserting ownership of the domains in the certificate via DNS challenge to the NewAccount, revoking the SignedCertificate
  • An AccountKey can be unregistered by:

    1. The AccountKey

Just one thing to add:

The External Account Itself can't be unregistered (or affected at all, really) through ACME.

If, in Workgroup2, you register 3 ACME accounts using your EAB credentials, all that does is register those ACME accounts against your Sectigo account.

You can unregister those ACME accounts again, but doing so has no effect on the External Account itself.

Let's Encrypt doesn't use EAB in any way.

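To make concrete what the two EAB explanations above (the Sectigo description and the last reply) describe, here is what an external account binding actually is on the wire. This is an added example for this thread, not code from any poster, from certbot or from Sectigo. Per RFC 8555 section 7.3.4 the client HMAC-signs its own ACME account public key with the MAC key the CA issued alongside the KID, and the CA recomputes that MAC to learn which external account the new ACME account belongs to. The KID, MAC key, newAccount URL and account JWK below are constructed placeholders, and the outer JWS signed with the ACME account key is left out; the block uses only the Python standard library.

```python
"""Build and verify an ACME externalAccountBinding (RFC 8555, section 7.3.4).

Added example for this thread, standard library only. Every credential below is
a constructed placeholder, not a real Sectigo or Let's Encrypt value.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url, restoring the padding that JWS strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed EAB credentials: what a CA hands out once per external account.
# Assumed names and values, not real ones.
EAB_KID = "eab-kid-workgroup1-example"
EAB_HMAC_KEY = b64url(bytes(range(32)))                   # CA-issued MAC key, base64url as delivered
NEW_ACCOUNT_URL = "https://acme.example.test/newAccount"  # assumed directory newAccount URL

# Constructed stand-in for an ACME account public key (P-256 JWK shape only;
# a real client derives x and y from the key pair it just generated).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(b"\x11" * 32),
    "y": b64url(b"\x22" * 32),
}


def build_eab(kid: str, hmac_key_b64url: str, new_account_url: str, account_jwk: dict) -> dict:
    """Client side: produce the externalAccountBinding JWS for a newAccount request.

    Protected header: alg HS256, kid = the EAB key identifier, url = the newAccount
    URL. Payload: the ACME account's public key as a JWK. There is no nonce field:
    the binding ties the MAC key to the account key, not to one HTTP request.
    """
    protected = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":"), sort_keys=True).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def verify_eab(eab: dict, hmac_key_b64url: str, expected_url: str) -> Optional[dict]:
    """CA side: recompute the MAC; return the bound account JWK, or None on any failure."""
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
    except (KeyError, ValueError):
        return None
    if protected.get("alg") != "HS256" or protected.get("url") != expected_url:
        return None
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return None
    return json.loads(b64url_decode(eab["payload"]))


def new_account_payload(eab: dict, contact: str) -> dict:
    """The JSON body the client then wraps in a JWS signed with its ACME account key."""
    return {
        "termsOfServiceAgreed": True,
        "contact": [contact],
        "externalAccountBinding": eab,
    }


if __name__ == "__main__":
    eab = build_eab(EAB_KID, EAB_HMAC_KEY, NEW_ACCOUNT_URL, ACCOUNT_JWK)
    print(json.dumps(new_account_payload(eab, "mailto:admin@example.test"), indent=2))
    print("CA verification:", verify_eab(eab, EAB_HMAC_KEY, NEW_ACCOUNT_URL) == ACCOUNT_JWK)
```

Two things this makes visible for the shared-EAB question. First, the KID and MAC key are consumed only to create the binding at registration; what each server holds afterwards is its own ACME account key, and that key, not the EAB, is what signs revocation or deactivation requests for that account. Second, whoever holds the KID and MAC key can keep registering further ACME accounts against the same Sectigo account, as the replies above note, so if those credentials are left on every server in a workgroup, a compromised server can do exactly that until the CA rotates them.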
