Can I use the new AKI keyIdentifier to query renewal information after my account’s key set has been rotated?

We manage multiple accounts and periodically rotate key sets for each account while they are still valid. For example, Account A’s key set is rotated even though it remains valid. My question is: will the renewal information for a signed certificate—originally issued with Account A’s old key set—be accessible using the new key set?

Yes, because the ARI cert ID used in the query is based entirely on data contained in the signed cert. See also here:

This also means that anyone can generate and query the ARI info for any public cert.

9 Likes
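To make the point of the reply above concrete, here is an added example (not code from the forum thread or from any ACME client) that derives the ARI certificate identifier purely from fields of an issued leaf certificate: the keyIdentifier of its Authority Key Identifier extension and the content octets of its DER-encoded serial number, each base64url-encoded without padding and joined with a period. No account key appears anywhere in the computation, which is why rotating the account key set changes nothing. The throwaway CA, the AKI bytes, the serial value and the `https://acme.example/renewalInfo` base URL are constructed sample values for this example; a real client reads the base URL from the `renewalInfo` entry of the server's directory. The same identifier string is what a client would put in the `replaces` field of a new order.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ARICertID builds the ARI certificate identifier for an already-issued
// certificate: base64url(AKI keyIdentifier) "." base64url(DER serial content),
// both without padding. Only data inside the leaf is used, so the ACME
// account key (old or rotated) plays no role and anyone holding the cert can
// compute it.
func ARICertID(cert *x509.Certificate) (string, error) {
	if len(cert.AuthorityKeyId) == 0 {
		return "", errors.New("certificate has no Authority Key Identifier extension")
	}
	serial, err := derIntegerContent(cert.SerialNumber)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(cert.AuthorityKeyId) + "." + enc.EncodeToString(serial), nil
}

// ARIRequestURL joins the directory's renewalInfo base URL with the cert ID.
func ARIRequestURL(renewalInfoBase string, cert *x509.Certificate) (string, error) {
	id, err := ARICertID(cert)
	if err != nil {
		return "", err
	}
	return strings.TrimSuffix(renewalInfoBase, "/") + "/" + id, nil
}

// derIntegerContent returns the content octets of the DER INTEGER encoding of
// n, i.e. the two's-complement bytes after the tag and length. A serial whose
// top bit is set therefore carries a leading 0x00, and that byte is part of the ID.
func derIntegerContent(n *big.Int) ([]byte, error) {
	der, err := asn1.Marshal(n)
	if err != nil {
		return nil, err
	}
	if len(der) < 2 || der[0] != 0x02 {
		return nil, errors.New("unexpected DER encoding for serial number")
	}
	hdr := 2
	if der[1]&0x80 != 0 { // long-form length; RFC 5280 serials (<= 20 octets) never need it
		hdr += int(der[1] & 0x7f)
	}
	return der[hdr:], nil
}

// newTestLeaf issues a throwaway leaf under a throwaway CA (constructed for this
// example). The CA's SubjectKeyId becomes the leaf's AuthorityKeyId, and the
// serial is fixed, so the resulting ARI ID is reproducible.
func newTestLeaf(aki []byte, serial *big.Int) (*x509.Certificate, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		SubjectKeyId:          aki,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(leafDER)
}

func main() {
	// Constructed sample AKI (20 bytes, as a SHA-1 key identifier would be).
	sampleAKI := []byte{0x69, 0x88, 0x5B, 0x6B, 0x87, 0x46, 0x40, 0x41, 0xE1, 0xB3,
		0x7B, 0x84, 0x7B, 0xA0, 0xAE, 0x2C, 0xDE, 0x01, 0xC8, 0xD4}
	cert, err := newTestLeaf(sampleAKI, big.NewInt(0x87654321))
	if err != nil {
		panic(err)
	}
	id, err := ARICertID(cert)
	if err != nil {
		panic(err)
	}
	fmt.Println("ARI certID:", id)
	u, _ := ARIRequestURL("https://acme.example/renewalInfo", cert) // assumed base URL
	fmt.Println("GET", u)
}
```

The serial 0x87654321 has its top bit set, so its DER content is `00 87 65 43 21` and the encoded second half starts with `A`; dropping that leading zero byte would produce an ID the server does not recognise, which is the one detail clients most often get wrong when they build the ID from a hex serial instead of the DER bytes.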

I think the question might be about specifying the replaced certificate when making the renewal order. In that case, it would be accepted only if from the same ACME account. If actually rotating the key for the account (with the ACME keyChange endpoint) then it would still be the same account and one could specify the replacement. If it's actually a different ACME account URI (as many clients don't really have support for keyChange), then one couldn't specify the "replaces" field, though one could still get a certificate with the same names as another account anyway.

Hope that helps.

7 Likes

Thank you. It has nothing to do with the signed certificate of the account. It helps.

2 Likes

Thank you very much; that clarifies the question further.

2 Likes
