Does ACME use one key pair (the "account key pair") to create CSRs for multiple domains with the Let's Encrypt CA?

Hello everyone, I’m wondering about an issue like this:

According to the document: https://letsencrypt.github.io/acme-spec/#rfc.section.6.5

“Once the client has authorized an account key pair for an identifier, it can use the key pair to authorize the issuance of certificates for the identifier. To do this, the client sends a PKCS#10 Certificate Signing Request (CSR) to the server (indicating the identifier(s) to be included in the issued certificate) and a signature over the CSR by the private key of the account key pair.”

So if I understand right, it will be:

  1. First of all, the ACME client (the Let’s Encrypt client) will create a key pair (public & private key) and register it with the Let’s Encrypt CA, like opening an account for your server.
  2. If the CA checks and passes the process, your ACME client’s key pair will be authorized.
  3. Then, if you want to get a DV certificate for the domain “example.com”, you will go into the process called “Domain Control Validation (DNS or HTTP)”. It’s good and passed.
  4. The ACME client will create a CSR for the domain “example.com” that includes (the issue I want to ask about here): the public key of the “account key pair”, the CN info about your domain “example.com”, and a digital signature created by the private key of the “account key pair”. OK, I understand this, but if…
  • I register a second domain like “example23.com” on the same server. In step 4, I will use the same key pair (the “account key pair” above) to create the CSR, meaning: public key of the “account key pair” + CN info “example23.com” + private key of the “account key pair”. Is that true?

So the question here: does ACME create an account key pair (authorized public + private key) and use it for creating all the CSRs for all the domains we want?

Thank you for reading and I’m hoping to get an answer. Have a nice day!

No, the account key is only used for user authentication and signing request data. Random keys are generated for certificates.

1 Like

So in short:

You have account keys
and cert keys.

Then you create a CSR using the cert key (as is normal),
and THEN you sign the whole CSR with the account key to tell them that YOU sent the CSR.

1 Like
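The split the two answers above describe, as an added example that is not code from the forum or from any Let’s Encrypt client: each order gets a fresh certificate key that self-signs the PKCS#10 CSR, and the account key then signs the CSR bytes as a whole. A plain ECDSA signature stands in for the ACME JWS wrapper here (an assumption for brevity); the domain names are constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
)

// Order: a CSR self-signed by a fresh certificate key, plus the account key's signature over it.
type Order struct {
	CertKey *ecdsa.PrivateKey
	CSR     []byte // DER-encoded CSR, self-signed by CertKey
	Sig     []byte // account-key signature over the CSR bytes
}

// NewKey generates a P-256 key pair; used once for the account key and once per order.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// NewOrder builds a CSR for domains with a fresh certificate key, then signs the CSR
// bytes with the account key (a plain ECDSA signature standing in for the ACME JWS).
func NewOrder(accountKey *ecdsa.PrivateKey, domains []string) (*Order, error) {
	certKey, err := NewKey()
	if err != nil { return nil, err }
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: domains[0]}, DNSNames: domains}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, certKey)
	if err != nil { return nil, err }
	digest := sha256.Sum256(csr)
	sig, err := ecdsa.SignASN1(rand.Reader, accountKey, digest[:])
	if err != nil { return nil, err }
	return &Order{CertKey: certKey, CSR: csr, Sig: sig}, nil
}

// CSRKeyIs reports whether the CSR parses, its own signature verifies, and it carries pub.
func CSRKeyIs(csrDER []byte, pub *ecdsa.PublicKey) bool {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil {
		return false
	}
	csrPub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	return ok && csrPub.Equal(pub)
}

// OuterSigBy reports whether the order's account-level signature verifies under pub.
func OuterSigBy(o *Order, pub *ecdsa.PublicKey) bool {
	digest := sha256.Sum256(o.CSR)
	return ecdsa.VerifyASN1(pub, digest[:], o.Sig)
}
```

Two orders for "example.com" and "example23.com" share the account key but end up with different certificate keys, and the CSR itself never contains the account key.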

OK, thank you both. Now I got it. :slightly_smiling:

As far as I read somewhere, it’s not even allowed to use the account key as the HTTPS key.

Was there a normative statement in the ACME IETF draft that explicitly says the account key MUST be different than the CSR’s key pair?