There are tonnes of ACME clients. And I chose not to trust all of them. Software is prone to problems and attack vectors. Just because it’s open source, it is not guaranteed it won’t mess with my server.
And yes, this exactly. A back end where I submit a CSR would be appreciated, as I have no problem submitting a CSR to compromised software. Compromised software can’t do much with my future cert.
Worst case scenario I get a ‘compromised’ cert, where the worst that can happen to it is that it gets disabled. Putting potentially compromised software on my computer compromises my whole LAN, and I have significantly bigger problems as a result.
Nope, not if I use a CSR. And if ACME servers accept a CSR, I am not using potentially compromised software I don’t trust.
Purely from the perspective of managing/securing my system where such a keypair will be used. Nothing to do with issuance.
Unfortunately, this is not an option.
But Letsencrypt could provide a simple alternative to ACME.
I have seen authorization based on DNS records working before. Perhaps Letsencrypt could look into changing its policies on delivery/verification. I have seen similar questions on your website before.
Some people WANT to submit a CSR and get a cert in return and NOT install questionable software, even if it’s open source.
I am one of those who raises the question. I bet a lot more people like me just pass by instead of using your service.