Per the draft 9 spec, “The server MUST consider at least the following accounts authorized for a given certificate: the account that issued the certificate.”
However, using the acmev2 staging server, if I revoke using that account, I get a 403 with the detail of “JWK embedded in revocation request must be the same public key as the cert to be revoked”.
Looks like you might need to use the kid method if the signer is the ACME Account Key, whereas JWK is used when the signer is the Certificate Private Key.
Ok, I see. I wonder if the “jwk” bullet point in section 6.2 should be clarified. Thanks for the clarification.
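The kid/jwk distinction from the reply above, as an added example that is not part of the original thread and is not the CA's own code: a simplified model of how a server could authorize a revocation request from its JWS protected header. Signature verification is omitted, only the issuing account is treated as authorized, and the account URL, the sample keys, and every message except the 403 detail quoted in the thread are constructed.

```python
import base64
import hashlib
import json

# Members that go into an RFC 7638 thumbprint, per key type.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"),
                       "OKP": ("crv", "kty", "x")}

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint over the required members only, so extra fields
    such as "use" or "alg" do not affect the comparison."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def authorize_revocation(protected: dict, cert_jwk: dict, issuing_account_url: str):
    """Return (status, detail) for the protected header of a revocation request.
    Hypothetical helper; assumes the JWS signature was already verified."""
    has_jwk, has_kid = "jwk" in protected, "kid" in protected
    if has_jwk == has_kid:  # both present or both missing
        return 400, "exactly one of jwk and kid must be present"
    if has_jwk:
        # Embedded key: the signer must be the certificate's own key pair.
        if jwk_thumbprint(protected["jwk"]) != jwk_thumbprint(cert_jwk):
            return 403, ("JWK embedded in revocation request must be the "
                         "same public key as the cert to be revoked")
        return 200, "signed by certificate key"
    # kid: the signer is an account, identified by its account URL.
    if protected["kid"] != issuing_account_url:
        return 403, "account is not authorized for this certificate"
    return 200, "signed by issuing account key"

# Constructed sample values (not valid curve points, used only for comparison).
ACCOUNT_URL = "https://acme.example/acct/1"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "YWNjb3VudC14", "y": "YWNjb3VudC15"}
CERT_JWK = {"kty": "EC", "crv": "P-256", "x": "Y2VydC14", "y": "Y2VydC15"}

if __name__ == "__main__":
    # The request from the thread: account key embedded as jwk.
    print(authorize_revocation({"jwk": ACCOUNT_JWK}, CERT_JWK, ACCOUNT_URL))
    # The same account, identified by kid instead.
    print(authorize_revocation({"kid": ACCOUNT_URL}, CERT_JWK, ACCOUNT_URL))
```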