Binding our AccountKey with our domain so no one else can generate a certificate

We use LE certificates in our organization and, for the domain we own, we are wondering if there is a way to bind our LE account with the domain.

Expectations on binding:
1. Only our LE account should be able to generate certificates for our domain.
2. Even if someone is able to generate a certificate, we should have access to directly revoke it without going through the process of challenge validations.
3. (Similar to the first point) Basically a one-to-one mapping of the domain with the LE account.

Is there LE provision to achieve any of these? If yes, what is the process?

You can do this with a CAA record and accounturi. See Certificate Authority Authorization (CAA) - Let's Encrypt

3 Likes

This is not possible. Only the original account and an account with valid authorizations can revoke the cert.

2 Likes

Well, not by API, but I think with the right CAA record they can trigger the 24-hour misissuance revocation by sending mail to the LE security team.

3 Likes

How do you mean?

2 Likes

Please note that there's no way to use CAA to block somebody from issuing a certificate for a subdomain if that somebody has DNS access to put their own CAA record on said subdomain.

5 Likes
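The CAA binding from the first reply and the subdomain caveat from the last one, as an added example that is not from this thread or from Let's Encrypt's own code: a small Python model of the RFC 8659 record lookup (closest CAA set wins) and the RFC 8657 accounturi check, run over a constructed zone. The account id in the URI is a placeholder, not a real account.

```python
# Added example (not from the thread): a minimal model of how a CA evaluates CAA
# records, following RFC 8659 (which record set is relevant) and RFC 8657 (the
# accounturi parameter). Constructed zone; the account id is a placeholder.
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org; "
         "accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/PLACEHOLDER_ID"),
    ],
    # Whoever controls DNS for a subdomain can publish their own CAA set there;
    # it then becomes the relevant set for that name, overriding the parent's.
    "dev.example.com": [(0, "issue", "letsencrypt.org")],
}

def relevant_caa(name, zone):
    """Climb from name toward the root; the first non-empty CAA set wins."""
    labels = (name[2:] if name.startswith("*.") else name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []

def parse_issue(value):
    """Split 'issuer-domain; key=value; ...' into (issuer, {key: value})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params

def may_issue(name, zone, ca_domain, account_uri):
    """Return (allowed, reason) for CA ca_domain acting for ACME account_uri."""
    src, records = relevant_caa(name, zone)
    tag = "issue"
    if name.startswith("*.") and any(r[1] == "issuewild" for r in records):
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    relevant = [r for r in records if r[1] == tag]
    if not relevant:
        return True, f"no {tag} records in effect; any CA may issue"
    for _flags, _tag, value in relevant:
        issuer, params = parse_issue(value)
        if issuer != ca_domain:
            continue
        bound = params.get("accounturi")
        if bound and bound != account_uri:
            continue  # right CA, but a different ACME account
        return True, f"permitted by {tag} record at {src}"
    return False, f"no matching {tag} record at {src}"
```

Note that `dev.example.com` is issuable by any Let's Encrypt account even though the parent pins one, which is exactly the gap the last reply describes.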
