How to revoke a certificate without account key or email

@pogsoft, there is no ability to renew certificates indefinitely just based on possession of the certificate. However, there is a resource called authz in the client that refers to a successfully completed domain-control validation. An individual authz can be reused to renew/reissue a certificate without reperforming the challenge, until that authz expires. After that, the validation challenge must be reperformed in order to get a new authz to issue future certificates.

The authz lifetime was cut down to 90 days some time ago and I believe it might have been reduced further since then.

So, the other person (if they're aware of the existence of the authz and saved the associated information in their client) could issue new certificates at any time during the authz lifetime period following when the challenge was most recently successfully performed.

You're probably aware that all Let's Encrypt certificates are published publicly and that you can search them at

so you can watch to see if this happens.

[Edit: this suggestion doesn't work; see discussion below!] If you control the DNS for the domain, you can also use the Certificate Authority Authorization (CAA) protocol to prevent any new certificate issuance by Let's Encrypt (regardless of whether someone is in possession of an authz, I believe). If you want, you could set CAA records for your domain that forbid Let's Encrypt from issuing any certs. If you want to renew your own certificate, you could temporarily remove the CAA records at that time, allowing your renewal to go through, and then restore the CAA records, blocking anyone else from performing a renewal. You could maintain these records in place for at least 90 days to ensure that an authz held by someone else cannot be used for new issuance.

Edit: recently the authz validity time was lowered to 60 days, which might apply to the authz in this case.

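As an added example (not part of this post or of any Let's Encrypt tool), here is a small Python check for the watching step above: given certificate-search results for your domain, it flags certificates you did not issue yourself and notes whether each one was issued inside the authz lifetime following your last successful validation. The JSON field names follow crt.sh's JSON output and the records are constructed for the example.

```python
import json
from datetime import date, datetime, timedelta

# Constructed sample shaped like crt.sh's JSON output (field names assumed);
# these are not real log entries. Records 1 and 2 share a serial because the
# precertificate and the final certificate both appear in CT logs.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.com",
     "name_value": "example.com\nwww.example.com", "not_before": "2023-01-05T10:00:00",
     "not_after": "2023-04-05T10:00:00", "serial_number": "03A1"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.com",
     "name_value": "example.com\nwww.example.com", "not_before": "2023-01-05T10:00:00",
     "not_after": "2023-04-05T10:00:00", "serial_number": "03a1"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.com",
     "name_value": "example.com", "not_before": "2023-02-20T08:30:00",
     "not_after": "2023-05-21T08:30:00", "serial_number": "04b2"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.com",
     "name_value": "example.com\nmail.example.com", "not_before": "2023-06-01T12:00:00",
     "not_after": "2023-08-30T12:00:00", "serial_number": "05c3"},
])


def authz_window(last_validation: date, lifetime_days: int):
    """Period during which a saved authz from that validation can still be reused."""
    return last_validation, last_validation + timedelta(days=lifetime_days)


def find_unexpected(ct_json: str, known_serials: set, last_validation: date,
                    lifetime_days: int = 60):
    """Return certificates whose serial is not in our own inventory, deduplicated
    by serial, each tagged with whether it was issued inside the authz window."""
    start, end = authz_window(last_validation, lifetime_days)
    known = {s.lower() for s in known_serials}
    seen = {}
    for entry in json.loads(ct_json):
        serial = entry["serial_number"].lower()
        if serial in known or serial in seen:
            continue
        issued = datetime.fromisoformat(entry["not_before"]).date()
        seen[serial] = {
            "serial": serial,
            "issued": issued.isoformat(),
            "names": sorted(entry["name_value"].split("\n")),
            "in_authz_window": start <= issued <= end,
        }
    return list(seen.values())
```

Run it against a fresh export on a schedule; a hit with `in_authz_window` true is the case the post describes, where a reused authz let someone else renew.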