Thanks for your reply, and sorry for my English expression.
I mean that a traditional CA's (one born before ACME existed) flow for issuing a cert consists of these steps:
- Subscriber (client) generates a key pair, makes a CSR request and submits it to the CA.
- CA responds with domain authorization credentials (DNS/HTTP, TLS/E-mail).
- Subscriber completes the domain auth (uploads a file to the server, or adds the new DNS record the CA provides), then triggers the auth check process.
- CA issues certs if everything goes well.
So we can see that the traditional flow is CSR first; then the subscriber can receive the domain auth challenge.
But ACME reversed these two steps: it wants the domain auth challenge first, then the CSR (finalize).
I'm not sentencing anything here, I just want to tell the foundation that the ACME flow is trying to improve the costs for a traditional CA to implement ACME.
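
The ordering described in the post above, as an added example that is not part of the original post: a minimal in-memory model of the RFC 8555 order states, showing that a CSR sent before the authorizations are valid is refused with `orderNotReady`. The class and function names and the domain names are constructed for illustration; this is not any CA's code.

```python
# Minimal in-memory model of the RFC 8555 order state machine (not a real CA).
from dataclasses import dataclass, field

class AcmeProblem(Exception):
    """Carries an RFC 8555 error type such as 'orderNotReady'."""

@dataclass
class Order:
    identifiers: list                          # DNS names sent in newOrder
    authz: dict = field(default_factory=dict)  # name -> 'pending' | 'valid'
    status: str = "pending"
    csr_names: list = None                     # filled in only at finalize

    def __post_init__(self):
        self.authz = {name: "pending" for name in self.identifiers}

def new_order(names):
    # ACME step 1: the client names the identifiers; no CSR or key is sent yet.
    return Order(identifiers=sorted(names))

def complete_challenge(order, name):
    # ACME step 2: the CA has validated the challenge for one identifier.
    order.authz[name] = "valid"
    if all(state == "valid" for state in order.authz.values()):
        order.status = "ready"

def finalize(order, csr_names):
    # ACME step 3: only now does the CSR reach the CA.
    if order.status != "ready":
        raise AcmeProblem("orderNotReady")
    if sorted(csr_names) != order.identifiers:
        raise AcmeProblem("badCSR")   # CSR must cover exactly the order's names
    order.csr_names = sorted(csr_names)
    order.status = "valid"            # 'processing' is collapsed in this model
    return order.status

def demo():
    names = ["example.com", "www.example.com"]  # constructed sample names
    order = new_order(names)
    early = None
    try:
        finalize(order, names)        # traditional habit: CSR first
    except AcmeProblem as problem:
        early = str(problem)
    for name in names:
        complete_challenge(order, name)
    return early, finalize(order, names)

if __name__ == "__main__":
    print(demo())
```
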