How to identify a certificate came from a specific directory?

Having a certificate, the according private key, the list of expected domains I'd like to use the certificate for and the ACME directory I intend to use, I would like to determine if the certificate needs renewal. I'd like to renew if any of the following are true:

  • the private key does not match
  • the CN and SAN-s do not match what I expect
  • the expiry is sooner than 30 days
  • the issuer is not the one provided by the specific directory.

Note that any of these criteria might change during runtime, so I am polling checks every now and then, and renewing if necessary.

The first three conditions are easy to check, but how can I determine that the issuer of the certificate is not the one I would expect? As in, say the certificate was issued by the staging directory, but I switched to a live server in the meantime? Or better yet, I changed from a third party directory to ACME, or vica-versa?

As far as I see, there is not way in the protocol to get the issuer's/root's CN or certificate given a directory URL, you can't know in advance who will sign the certificate you will be getting.
Yes I "could" store the directory url with the certificate, but would like to know if there is any way to do this without that.
Is there a way to store an opaque data in the certificate itself? Send it in the CSR, and get it back in the signed certificate? Say the directory URL?

At least for LE, I just check the issuer | CN values. Test certs will have the string (STAGING)

Example, from openssl:

issuer=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3

Production certs have various values (here) but I just assume production if not staging.

I don't understand this part. At least for LE the directory for staging is different than production. And, a third-party directory will be different than either LE one.

There is more than just directory which dictates the "kind" of cert though. For example, switching between RSA and ECDSA you might want to reissue before expiry period so you'd need discrete checks for that. Although, I don't know why you'd need to force an early renewal in this case.

3 Likes

No, Let's Encrypt will not preserve arbitrary fields set in the CSR (e.g. organisation name etc) because it doesn't validate these, it only validates the domains so that's all it preserves in the cert.

If you control the ACME client in question you can however store the certs under a path which also indicates the source directory (domain), or write them to a database with associated metadata etc.

5 Likes

As it seems you are writing a fairly sophisticated ACME client, I also want to point out that ARI will be useful to you:

ARI does not yet exist in production, but eventually will.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.