They also want us to buy a cert for (wildcard)learn.mysite.info and give them the private key. However, I would like to investigate using letsencrypt, instead.
Can you think of a way to empower them to deal with the *.learn.mysite.info certs themselves?
I have a theory that I could CNAME _acme-challenge.learn.mysite.info to their DNS so that they could create a TXT record to verify. However, I want to reduce the amount of guesswork on my part because I think they'll be more amenable to it if it doesn't involve trial and error.
Yes. Giving a CNAME for the _acme-challenge will allow them to get their own Let's Encrypt certificate, but they'd need to know how to do that integration with their system. And for the non-wildcard certificates, if they're running a web site on that name they should be able to just use HTTP-01 authentication to get their own certificate, though again they'd need to know how to do that. And this:
Makes me think that they don't know what they're doing at all. Even if you wanted to stick with the "classic" way of doing certificates manually instead of via ACME, what would happen (and has been the case with all the vendors doing this kind of thing that I've seen) is that they would generate and use the private key, and create the CSR to give you to go get the certificate with. That way the private key stays private instead of being shared between two places. I would be very scared of actually giving money to any sort of "technology" company that can't even get this basic piece of security right. If they really knew what they were doing, they'd already be integrating with Let's Encrypt (or another CA) for that name, probably using their own CAA record on that name that you CNAME to them so that the name doesn't need to fit with whatever your policies are for certificates, and you wouldn't need to worry about it at all. (Or at least they'd have that on their roadmap, even if they were doing the give-you-a-CSR approach for now.)
You can work with their workflow and still use Let's Encrypt by manually making a certificate through DNS-01 and sending them a new private key and cert every couple months, just like you'd do with a paid CA provider (only more often because paid providers will often give you a longer-lived certificate). Or maybe even reusing the same key so you don't need to worry about securely transmitting a key to them as often. But it sure seems… awkward to me.
If you have no need [outside of this third party] for the "learn.example.com" subdomain, and they have a clue on how to use DNS and ACME, then you can simply delegate the entire subdomain to them.
This path is much more than doing multiple [overlapping] CNAMEs within your zone, but far more effective [and simpler - if you ask me].
But... they would have to handle the entire subdomain zone ["learn.example.com"] via some Internet accessible DNS servers.
And they would have to CNAME "cdn.learn.example.com" to "project.adobe..."
And then they could use an ACME client to obtain any combination of certs [within any combination of authentication methods] that are "learn.example.com" or end with ".learn.example.com".
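Both of the approaches above (CNAMEing only the `_acme-challenge` label to the vendor, or delegating the whole `learn.` subdomain zone to them) come down to the same question: when the CA looks up the DNS-01 TXT record, does it end up at a record the vendor controls? The following is an added illustration, not code from this thread or from any ACME client: a small offline model of that lookup. It computes the TXT value the way RFC 8555 specifies (base64url of the SHA-256 of `token.thumbprint`), strips the `*.` from a wildcard name since the wildcard and its base domain share the same `_acme-challenge` name, and follows CNAMEs across constructed zone data. The zone names (`vendor-dns.example`), token and thumbprint are made-up values.

```python
"""
Added example (not from the thread): offline model of a DNS-01 lookup, to show
which record the vendor must publish under each delegation option.
All names, tokens and zone contents below are constructed for illustration.
"""
import base64
import hashlib

# Constructed values: the ACME client gets the token from the CA, and the
# thumbprint is that of the client's own account key.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"


def validation_name(identifier: str) -> str:
    """Name the CA queries: _acme-challenge.<name>; a wildcard is validated
    at its base domain, so *.learn.mysite.info and learn.mysite.info share it."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}".lower()


def expected_txt(token: str, account_thumbprint: str) -> str:
    """RFC 8555 DNS-01: TXT = base64url(SHA-256(token '.' thumbprint)), no padding."""
    key_authorization = f"{token}.{account_thumbprint}".encode()
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def find_zone(name: str, zones: dict):
    """Longest-suffix match: the most specific zone that contains the name."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def lookup_txt(name: str, zones: dict, max_hops: int = 8):
    """Follow CNAMEs the way a resolver (and the CA) does, then return the
    TXT strings found at the end of the chain plus the names traversed."""
    chain = []
    for _ in range(max_hops):
        zone = find_zone(name, zones)
        if zone is None:
            return [], chain
        rrs = zones[zone].get(name, {})
        if "CNAME" in rrs:
            chain.append(name)
            name = rrs["CNAME"]
            continue
        return list(rrs.get("TXT", [])), chain
    raise ValueError("CNAME chain too long (loop?)")


def dns01_validates(identifier: str, token: str, thumbprint: str, zones: dict) -> bool:
    txts, _ = lookup_txt(validation_name(identifier), zones)
    return expected_txt(token, thumbprint) in txts


# Option 1 (constructed): learn.mysite.info stays in your zone; only the
# challenge label is CNAMEd into the vendor's zone, where they publish the TXT.
CNAME_OPTION = {
    "mysite.info": {
        "learn.mysite.info": {"A": ["192.0.2.10"]},
        "_acme-challenge.learn.mysite.info": {
            "CNAME": "_acme-challenge.learn.vendor-dns.example"},
    },
    "vendor-dns.example": {
        "_acme-challenge.learn.vendor-dns.example": {
            "TXT": [expected_txt(TOKEN, THUMBPRINT)]},
    },
}

# Option 2 (constructed): the whole subdomain is delegated with NS records in
# your zone; the child zone lives on the vendor's servers and they publish the
# TXT directly, no CNAME needed.
DELEGATION_OPTION = {
    "mysite.info": {
        "learn.mysite.info": {"NS": ["ns1.vendor-dns.example"]},
    },
    "learn.mysite.info": {  # served by the vendor
        "_acme-challenge.learn.mysite.info": {
            "TXT": [expected_txt(TOKEN, THUMBPRINT)]},
    },
}

# Common mistake (constructed): the vendor publishes the TXT at the wildcard
# name literally instead of at the base domain, so the CA never sees it.
WRONG_NAME = {
    "mysite.info": {
        "_acme-challenge.*.learn.mysite.info": {
            "TXT": [expected_txt(TOKEN, THUMBPRINT)]},
    },
}


def check_all() -> dict:
    """Run the three scenarios for a wildcard and its base name."""
    return {
        option: dns01_validates("*.learn.mysite.info", TOKEN, THUMBPRINT, zones)
        for option, zones in (("cname", CNAME_OPTION),
                              ("delegation", DELEGATION_OPTION),
                              ("wrong_name", WRONG_NAME))
    }


if __name__ == "__main__":
    print("CA will query:", validation_name("*.learn.mysite.info"))
    print("vendor must publish TXT:", expected_txt(TOKEN, THUMBPRINT))
    print(check_all())
```

Against real DNS you would replace `lookup_txt` with a resolver query (`dig TXT _acme-challenge.learn.mysite.info` shows the same chain), but the point stands either way: with option 1 the vendor only ever touches their own zone, and with option 2 they own the whole `learn.` zone, so in both cases the record that has to change for every renewal is theirs, not yours.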
Thanks a lot for the thorough responses. That's the kind of information and context that I'd hoped to get.
@petercooperjr, Just to clear the record for this unnamed vendor that I've slandered: I clarified with them that their request is actually for the (best practice) CSR handoff that you mentioned.
@rg305, I like the wholesale delegation idea a lot. In the near future, the vendor anticipates some host changes on their side, but with full DNS delegation I could spare myself the upkeep. I'm verifying with my team that we don't need any of the subdomains ourselves.
I'm very glad to hear that the vendor actually isn't that crazy after all.
So you can certainly use Let's Encrypt with a CSR workflow, it's just that you'd need to get the CSR from them, do the DNS-01 challenge, and send the cert back to them, each time. And with how long Let's Encrypt certs are good for, you'd need to do that process every couple of months. You may be able to automate parts of that process, but it'd probably be easier for the vendor if they can just integrate with ACME directly rather than trying to integrate this CSR process with you.