I think I stumbled upon an issue with certificate revocation and compromised keys.
Assume the following: I happen to find a compromised key somewhere (e.g. one accidentally published on pastebin or github) and I want to make sure the corresponding cert is revoked.
The docs indicate that in this situation I can search crt.sh for the cert. However, not all certs are logged. While most certs end up in the CT logs sooner or later, sometimes only the precertificates are in the CT log. See e.g. this precert; the corresponding final cert is not in the log.
However the revocation with certbot doesn’t work with the precert only.
So I could have a situation where I can’t revoke a cert with certbot, because I don’t have access to the real cert, but I know it exists, because I know the precert.
There have been previous discussions about not only logging precerts, but also logging final certs, but it seems right now mandatory logging of final certs is not happening.
I see several possible solutions:
- Make sure all final certs get logged.
- Allow certificate revocation based on precerts. This would probably involve a change of the ACME standard.
- Allow retrieving certificates from the API based on the private key or the serial (I thought I had seen something like this in the past, but I can’t find anything right now, maybe I’m just missing the right docs).
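The following is an added example to illustrate the situation described in the post; it is not code from the original post, from certbot or from Let's Encrypt. It uses the Python `cryptography` library and generates a throwaway CA key, a throwaway leaf key (standing in for the key found on pastebin or github), a precertificate carrying the CT poison extension (RFC 6962) and the matching final certificate, all locally, so nothing talks to a CA or a CT log. The name `example.test` and the helper names are hypothetical, and the constructed final cert carries no embedded SCT list (a real one usually does), which does not change the point: the ACME revokeCert payload (RFC 8555 section 7.6) carries the exact DER of the certificate, and the precert's DER is not the final cert's DER, even though serial, subject and key match. It also derives the serial and the SPKI SHA-256 hash one can search crt.sh with.

```python
"""
Added example: why a precert from a CT log is not enough to revoke via ACME,
and what can still be checked offline with only the leaked key and the precert.
All keys and certificates are generated locally (constructed sample data).
"""
import base64
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

DER = serialization.Encoding.DER
SPKI = serialization.PublicFormat.SubjectPublicKeyInfo


def build_pair(leaf_key, ca_key):
    """Build a precertificate and the matching final certificate for leaf_key.

    Same serial, issuer, subject, validity and key. The precert carries the
    critical CT poison extension (OID 1.3.6.1.4.1.11129.2.4.3); the final cert
    does not (a real final cert usually carries the SCT list instead). The
    hypothetical name example.test is an assumption of this example.
    """
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    serial = x509.random_serial_number()
    start = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)

    def base():
        return (x509.CertificateBuilder()
                .subject_name(leaf_name)
                .issuer_name(ca_name)
                .public_key(leaf_key.public_key())
                .serial_number(serial)
                .not_valid_before(start)
                .not_valid_after(start + datetime.timedelta(days=90)))

    precert = base().add_extension(x509.PrecertPoison(), critical=True).sign(ca_key, hashes.SHA256())
    final = base().sign(ca_key, hashes.SHA256())
    return precert, final


def is_precert(cert):
    """True if the certificate carries the CT poison extension (RFC 6962 3.1)."""
    try:
        cert.extensions.get_extension_for_class(x509.PrecertPoison)
        return True
    except x509.ExtensionNotFound:
        return False


def key_matches(private_key, cert):
    """Does the found private key correspond to the public key in this cert?"""
    found = private_key.public_key().public_bytes(DER, SPKI)
    return found == cert.public_key().public_bytes(DER, SPKI)


def spki_sha256(cert):
    """SHA-256 of the SubjectPublicKeyInfo; crt.sh accepts this as a search term."""
    return hashlib.sha256(cert.public_key().public_bytes(DER, SPKI)).hexdigest()


def acme_revoke_payload(cert, reason=1):
    """Body of an ACME revokeCert request (RFC 8555 7.6).

    'certificate' is the base64url DER of the exact certificate; reason 1 is
    keyCompromise (RFC 5280). For key compromise the request JWS may be signed
    with the certificate's own key, which is what certbot's --key-path does.
    """
    der = cert.public_bytes(DER)
    return {"certificate": base64.urlsafe_b64encode(der).rstrip(b"=").decode(), "reason": reason}


def demo():
    """Run the checks a practitioner would do with a leaked key and a precert."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    leaked_key = ec.generate_private_key(ec.SECP256R1())  # stands in for the key found online
    precert, final = build_pair(leaked_key, ca_key)
    return {
        "precert_is_precert": is_precert(precert),
        "final_is_precert": is_precert(final),
        "key_matches_precert": key_matches(leaked_key, precert),
        "same_serial": precert.serial_number == final.serial_number,
        "same_spki_sha256": spki_sha256(precert) == spki_sha256(final),
        # The revocation payload built from the precert is not the one for the final cert.
        "payloads_equal": acme_revoke_payload(precert) == acme_revoke_payload(final),
        "search_serial": format(precert.serial_number, "x"),
        "search_spki_sha256": spki_sha256(precert),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows that the key does match the precert and that serial and SPKI hash are identical for both artefacts (so either is a valid crt.sh search term), while the two revokeCert payloads differ, which is the gap the post describes: without the final cert's DER there is nothing certbot can put into the request.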