Hi, I have a large enterprise with hundreds of domains; the majority are centrally managed through one ACME client system that keeps everything in a database and centrally manages keys, DNS re-authorization, and certificate renewal. This central system has a couple of ACME accounts associated (one for dev/test, one for prod, one for some restricted-use domains) and handles monitoring for expirations, etc.
There are a handful of ACME certs being issued outside our formal process of central management, monitoring, and renewal, and I was wondering if, either via the Boulder API, certificate attributes, or the transparency log, it was possible for me to determine which ACME account (and maybe associated email address) was issuing those certs. (There is no real good technical way for me to prevent people from doing their own HTTP-01 authorization once a DNS record is created for their app.) Alternatively, a way to figure out all the certs a given ACME account has issued would be of value. I do realize for some users this may be a privacy concern, but I figured it was worth at least asking the experts.
Thanks!