Hello everyone, I'm wondering about an issue like this:
According to the document: https://letsencrypt.github.io/acme-spec/#rfc.section.6.5
“Once the client has authorized an account key pair for an identifier, it can use the key pair to authorize the issuance of certificates for the identifier. To do this, the client sends a PKCS#10 Certificate Signing Request (CSR) to the server (indicating the identifier(s) to be included in the issued certificate) and a signature over the CSR by the private key of the account key pair.”
So if I understand right, it will be:
1. First of all, the ACME client (the Let's Encrypt client) will create a key pair (public & private key) and register it with the Let's Encrypt CA, like opening an account for your server.
2. If the CA checks and passes the process, your ACME client's key pair will be authorized.
3. Then, if you want to get a DV certificate for the domain "example.com", you go through the process called "Domain Control Validation" (DNS or HTTP). It's good and passed.
4. The ACME client will create a CSR for the domain "example.com" that includes (the issue I want to ask about here): the public key of the "account key pair", the CN info for your domain "example.com", and a digital signature created by the private key of the "account key pair". OK, I understand this, but if…
5. I register a second domain like "example23.com" on the same server. In step 4, I will use the same "account key pair" as above to create the CSR, meaning: public key of the "account key pair" + CN info "example23.com" + private key of the "account key pair". Is that true?
So the question here: does ACME create an account key pair (authorized public + private key) and use it for creating all CSRs for all domains we want?
Thank you for reading and I'm hoping to get an answer. Have a nice day!
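As an added example (not code from the post above or from the Let's Encrypt client), the following Go program builds the two artefacts the quoted spec text describes, a PKCS#10 CSR and a separate signature over that CSR by the account private key, and then runs the checks a CA would make on them. It goes slightly beyond the post by handling a second identifier ("example23.com") with the same account key, so the reader can see which key appears where. It assumes P-256 keys, and the `CertRequest` struct is a constructed illustration rather than the ACME wire format (the real protocol wraps the CSR in a JWS signed by the account key). Note that in PKCS#10 the CSR is signed with the key whose public half it carries; the account key signs the CSR from the outside.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// CertRequest is the pair of artefacts the quoted spec text describes the
// client sending: a PKCS#10 CSR and a signature over that CSR by the account
// private key. Constructed illustration; not a wire-compatible ACME message.
type CertRequest struct {
	CSR        []byte // DER-encoded PKCS#10 CSR, self-signed by the certificate key
	AccountSig []byte // ASN.1 ECDSA signature over SHA-256(CSR) by the account private key
}

// NewKey generates a P-256 key pair. The same function serves for the account
// key and for each certificate key; only how the keys are used differs.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// BuildRequest builds the CSR for domains with certKey (the key whose public
// half will end up in the issued certificate), then signs the CSR bytes with
// accountKey, the key the CA has already authorized for these identifiers.
func BuildRequest(accountKey, certKey *ecdsa.PrivateKey, domains []string) (*CertRequest, error) {
	if len(domains) == 0 {
		return nil, errors.New("at least one identifier is required")
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: domains[0]},
		DNSNames: domains, // identifiers go into the SAN extension
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, certKey)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(der)
	sig, err := ecdsa.SignASN1(rand.Reader, accountKey, digest[:])
	if err != nil {
		return nil, err
	}
	return &CertRequest{CSR: der, AccountSig: sig}, nil
}

// VerifyRequest performs the two checks a CA would make before issuing:
// the CSR's own signature proves possession of the certificate key, and the
// outer signature proves the request came from the authorized account key.
func VerifyRequest(req *CertRequest, accountPub *ecdsa.PublicKey) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(req.CSR)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR not signed by the key it carries: %w", err)
	}
	digest := sha256.Sum256(req.CSR)
	if !ecdsa.VerifyASN1(accountPub, digest[:], req.AccountSig) {
		return nil, errors.New("account signature over CSR does not verify")
	}
	return csr, nil
}

// CSRUsesKey reports whether the public key embedded in the CSR is pub.
func CSRUsesKey(csr *x509.CertificateRequest, pub *ecdsa.PublicKey) bool {
	p, ok := csr.PublicKey.(*ecdsa.PublicKey)
	return ok && p.Equal(pub)
}

func main() {
	account, _ := NewKey() // one account key, reused for every request
	for _, domain := range []string{"example.com", "example23.com"} {
		certKey, _ := NewKey() // a fresh certificate key per CSR
		req, err := BuildRequest(account, certKey, []string{domain})
		if err != nil {
			panic(err)
		}
		csr, err := VerifyRequest(req, &account.PublicKey)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-14s SANs=%v  CSR key is cert key: %v  CSR key is account key: %v\n",
			domain, csr.DNSNames, CSRUsesKey(csr, &certKey.PublicKey), CSRUsesKey(csr, &account.PublicKey))
	}
}
```

Running it prints one line per identifier; both requests verify against the same account public key, and in each one the key inside the CSR is the per-certificate key. A request whose outer signature was made with a different account key fails `VerifyRequest`, which is the check that ties issuance to the account that completed validation.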