Assumption: I have two accounts with Lets encrypt (maybe with different email IDs).
Account1 and Account2.
I used Account1 and created a certificate for test.playground.com
I tried to use Account2 and revoke the certificate, it doesnt work as the authorization fails.
I will create a new certificate for test.playground.com with Account2 and then it allows to revoke the first certificate created using Account1.
Now the questions are:
When would the domain validation comes into picture? Is it during account creation or during certificate creation?
When new certificate for the same domain is created with Account2, then will Account1 be able to revoke the certificate created by Account1?
(Same as point 2 in other way): Or the precedence will be with the latest account key used for creating the certificate?
Do revoking the certificate uses only Key-pair for validation or also expects domain ownership to be proven?
If account keys are different, then is there a simple way to prove the domain ownership other than creating a dummy certificate for the same domain? or is creating a new certificate order is sufficient? or any other better/simpler way?
I don't fully understand the question. Account creation never has anything to do with domain validation. It's just the creation of an account and that's it.
For certificate issuance, of course domain validation needs to be performed first.
For certificate revocation with a different account than the original account, domain validation is required for revocation to succeed. This does not necessarily also mean certificate creation, but I don't think many (or any?) ACME clients out there let you validate a hostname separately from certificate issuance.
Yes, Account1 is always able to revoke the cert it created itself.
No, no precedence. Both accounts would be able to revoke the cert.
I don't understand this question. "Key-pair for validation"? What's that?
There's no "if" in "If account keys are different". Account keys for 2 separate accounts are by definition different. If you'd try to register an account with a key that was already used, the ACME server will simply respond with the already existing account, not creating a new one.
With regard to the question itself: this depends on the ACME client. I don't think many (if any) ACME clients out there have the functionality to just validate a hostname for the purpose of revoking. I only know of clients that validate hostnames in their function of getting a cert.
I am just restating what Osiris said with some background info, so that his answers may be easier to understand:
The Validation happens when you submit an ACME Order for a Certificate. When the first account ordered the first certificate, it had to prove control over the domain to LetsEncrypt in order to get the Certificate. When the second account ordered the second certificate, it also had to prove control.
The ability of the second account to revoke the first certificate requires the second account to prove control over every domain in the first certificate. That ability exists as a backup plan for the domain to revoke certificates if their system has been compromised and they no longer have access to the account credentials (like a ransomware attack).
Yes. That ability is not lost. Many users with geographically distributed servers that host the same domain will use multiple accounts (it is not a suggested pattern, it is better to deploy one certificate to multiple regions).
The underlying logic of this revocation may help you:
LetsEncrypt caches successful validations (proving a challenge) on a given Domain against the Account for a small amount of time. (Currently this is 30 days, but it will become much shorter in the future). When a Certificate is first Ordered, a Subscriber performs a challenge and on success it is marked as "valid" for X days for that account. If that same account makes another order for a certificate that includes that domain within the next X days, the cached validation is used - so the account will not have to perform a challenge. If there are no challenges required for the domain, the Certificate order will immediately move to the finalization phase.
The "alternate account" revocation system you are leverages much of this functionality. It just allows a second account to prove they control the same domain by completing challenges and caching those validations, and using that proof of ownership to revoke the first certificate.
IIRC (edit: This is confirmed by LetsEncrypt staff below) the revocation system uses the cached validations for ownership so Account1 would only be able to revoke Account2's latter certificate if those validations were still active. I could be wrong on this.
Domain Validation is only required or used when Subscribers lose access to their Certificate and Account keys. It is a backup plan.
If you have the PrivateKey for a certificate, it can be revoked – this does not require AccountKey information, as improper possession of a PrivateKey is a security breach that requires the certificate to be revoked.
If you have the AccountKey that created a Certificate, you can revoke the Certificate.
This hinges on what I was unsure of above (LetsEncrypt staff confirmed this below, but @Osiris is more familiar with Boulder than I am, and his response suggests the ability to revoke is based on a cached validation). Creating an ACME Order and going through all the steps to validate the certificates -- but not finalizing the certificate order (which issues the certificate) -- should suffice. I don't know of any ACME clients that would support that though. It would be possible to write one that did that, or modify an existing client to exit before the finalization endpoint is called. That would be a lot of work for little utility.
Correct. Cached authorizations are only usable for revocation for the same period of time as they're usable for re-issuance. If Account 2 did its authorization+issuance 15 days after Account 1, then Account 1 would only have 15 days to revoke Account 2's certificate... until Account 1 does another authorization to prove it also controls that domain name again.
Creating a dummy certificate is almost always the easiest way. As the others have said, there are other ways -- Account 1 can always revoke its own cert, anyone in possession of the cert's private key can always revoke it, and it's technically possible to perform an authorization without then finalizing and issuing a dummy cert -- but all of those require special circumstances or specific clients. Issuing a dummy cert is easy and foolproof.