I can't revoke my old cert from the closed beta


#1

Hey folks,

I had problems issuing a new certificate with the new API because the regr.json is overriding the --server command :frowning:

I figured out that my account created in the closed beta is only available on the staging API - not on the v01 API. There I get a nice “Error: urn:acme:error:unauthorized :: The client lacks sufficient authorization :: No registration exists matching provided key” with my key, but this is the API where the cert revocation is provided. The other staging API is only providing the old happy hacker fake CA.

How can I revoke my old certificates when I created my new one?

https://crt.sh/?id=10308507


#2

If your private key is not compromised, there is no need to revoke the old certificate. And in 21 days it will be expired.


#3

According to BR v1.3.1 section 4.9.1.1 the CA has to revoke the certificate if the subscriber is requesting this.

"4.9. CERTIFICATE REVOCATION AND SUSPENSION
4.9.1. Circumstances for Revocation
4.9.1.1. Reasons for Revoking a Subscriber Certificate

The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs:

  1. The Subscriber requests in writing that the CA revoke the Certificate;"

According to the ISRG CPS September 22 2015 and ISRG CP September 9 2015 section 4.9.1.1 the CA is obliged to do a revocation 24x7 “The CA shall maintain a continuous 24x7 ability to accept and respond to revocation requests and related inquiries.”

According to 4.9.3 I can request a new certificate and revoke the old certificate with the new ACME account key associated with the domain. I will test it in the coming days when I renew my old certificate.