Well, sorta kinda maybe. There are two ways to revoke a certificate using the ACME API:
- Use the certificate private key to sign the request
- Use the ACME account private key to sign the request
So, if you were worried about your certificate private key being compromised in such a way that you no longer have access to it, then you could securely backup your account private key somewhere different and safe (kind of like you would a PGP revocation certificate), and then use it to do the revocation if needed.
But, there are definitely some caveats:
- Unlike with PGP, if your certificate key is destroyed (that is, you no longer possess it but you're fairly certain that nobody else does either) then there's really no need to revoke because it's not like the public key is floating out there where someone else might try to send you a message using it. So, in that case, you could just make a new certificate and not really worry about the old one and just let it expire. I don't think you need quite the same precautions that you might with PGP, since the case of your private key being copied by somebody else but you no longer having it yourself seems pretty rare. But then again, it's something that could happen, so I suppose it's worth thinking about.
- The account key has more authority than just being able to revoke certificate keys. In particular, it can issue new certificates for any domain names that the account has validated within the previous 30 days, it can change the account contact email, and it can change the account key to a new key. The ACME specification actually says, "Compromise of the private key of an account key pair has more serious consequences than compromise of a private key corresponding to a certificate." While I think that statement may be a bit overblown (and I know some people would argue that it's outright wrong), it is certainly true that the account key does more than just allow you to revoke certificates, so it's really not the equivalent to a PGP revocation certificate.
- On the other hand, I believe certbot specifically recommends to users to back up its configuration files (including the account key), somewhere else, so storing your account key elsewhere is probably a good idea, and if you do so and somebody literally steals your server with the certificate key on it such that you don't have it then the account key would let you do the revocation that ought to happen.
- But, weirdly, about a month and a half ago Let's Encrypt disabled the ability to submit a revocation request for a reason of key compromise using the account key and such a request is only allowed using the certificate key itself. So you could submit the revocation, but you wouldn't be able to explicitly flag it as a key compromise revocation. That means, for instance, that it wouldn't be automatically added to the list of no-longer-issue-certificates-for-this-public-key that Let's Encrypt maintains. This change has actually caused a lot of confusion in this community, and we're still awaiting an explanation of why exactly this change was made. Here's the thread on that.
I hope that mostly answers your question.