Binding our AccountKey with our domain so no one else can generate a certificate

Jyrj · June 25, 2024, 8:19am

We use LE certificates in our organization and with the domain we own we are thinking if there is a way to bind our LE Account with the domain.

Expectations on binding:
1). Only our LE Account should be able to generate certificates for our domain.
2). Even if someone is able to generate a certificate, we should be having the access to directly revoke it without going through the process of Challenge validations.
3). (Similar to first point) Basically One-to-One mapping of the Domain with LE Account.

Is there LE provision to achieve any of these? If yes, what is the process?

MikeMcQ · June 25, 2024, 8:50am

Can do this with CAA record and accounturi. See Certificate Authority Authorization (CAA) - Let's Encrypt

Osiris · June 25, 2024, 11:38am

This is not possible. Only the original account and an account with valid authorizations can revoke the cert.

orangepizza · June 25, 2024, 11:55am

well not by API but I think with right CAA record I think they can trigger 24 hour misissurance revocation by sending mail to LE security team

Osiris · June 25, 2024, 4:18pm

How do you mean?

9peppe · June 25, 2024, 4:28pm

Please note that there's no way to use CAA to block somebody from issuing a certificate for a subdomain if that somebody has DNS access to put their own CAA record on said subdomain.

Topic		Replies	Views
Revoking certificates with different LE Accounts Help	5	249	July 25, 2024
How to revoke a certificate without account key or email Help	9	6049	December 1, 2016
List of authorized accounts Issuance Tech	7	3865	November 4, 2018
Certificate issued without domain holder permission Issuance Policy	11	5151	February 14, 2019
Block letsencrypt in my domain Help	5	2466	October 21, 2021

Binding our AccountKey with our domain so no one else can generate a certificate

Related topics