
Add ARI support

Open hslatman opened this issue 9 months ago • 2 comments

Discussed in https://github.com/smallstep/certificates/discussions/2160

Originally posted by juju4, February 9, 2025:

https://datatracker.ietf.org/doc/html/draft-ietf-acme-ari-07#name-getting-renewal-information
https://community.letsencrypt.org/t/ari-implementations/218730/15

I tested with the Ansible module community.crypto.acme_ari_info and it returned "The ACME endpoint does not support ACME Renewal Information retrieval".

hslatman · Feb 10 '25 10:02

We discussed this feature request internally and have decided not to prioritize at this time.

Step CA aims to robustly implement the basic functionality of the ACME spec, as it relates to a private PKI. We do not believe this feature falls within this scope.

That said, we are open to having our minds changed by members of the community.

dopey · Feb 20 '25 05:02

@dopey after reading the RFC, I think https://datatracker.ietf.org/doc/html/draft-ietf-acme-ari-07#section-5 might be interesting to support, as it allows getting a lineage of certificates issued through ACME renewals. It's described independently of ARI, and I think it can work without it, but I don't know if that's what will happen in practice with ACME clients adopting ARI.

A very naive implementation of ARI could suggest renewal times that are within the certificate's last third or half of validity. Something that's more stateful will require more configuration.

hslatman · Feb 20 '25 09:02
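The stateless "last third of validity" responder sketched in the comment above, as an added example that is not smallstep/certificates code: it builds the ARI certificate identifier a client sends to the renewalInfo resource (AKI key identifier and DER serial bytes, both base64url without padding, per draft-ietf-acme-ari-07) and produces the suggestedWindow JSON. The 2/3 and 1/12 fractions are this example's own policy choices, not values from the draft.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// ARICertID builds the identifier for GET /renewalInfo/{certID}:
// base64url(AKI keyIdentifier) "." base64url(serial), where the serial is the
// content bytes of the DER INTEGER and both parts are unpadded.
func ARICertID(akiKeyID []byte, serial *big.Int) string {
	ser := serial.Bytes() // magnitude, big-endian, no leading zero byte
	if len(ser) == 0 || ser[0]&0x80 != 0 {
		// DER INTEGER is two's complement: a positive value whose high bit is
		// set needs a leading 0x00 (RFC 5280 serials are always positive).
		ser = append([]byte{0x00}, ser...)
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(akiKeyID) + "." + enc.EncodeToString(ser)
}

// RenewalInfo is the JSON body returned by the renewalInfo resource.
type RenewalInfo struct {
	SuggestedWindow struct {
		Start time.Time `json:"start"`
		End   time.Time `json:"end"`
	} `json:"suggestedWindow"`
	ExplanationURL string `json:"explanationURL,omitempty"`
}

// NaiveRenewalInfo suggests renewal during the last third of validity, closing
// the window somewhat before notAfter so a client that picks a random instant
// inside it still has time to finish an order (example policy, not the spec's).
func NaiveRenewalInfo(notBefore, notAfter time.Time) RenewalInfo {
	lifetime := notAfter.Sub(notBefore)
	var ri RenewalInfo
	ri.SuggestedWindow.Start = notBefore.Add(lifetime * 2 / 3)
	ri.SuggestedWindow.End = notAfter.Add(-lifetime / 12)
	return ri
}

func main() {
	// Constructed sample values: a 3-byte AKI, a serial with the high bit set,
	// and a 90-day certificate lifetime.
	nb := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	body, _ := json.Marshal(NaiveRenewalInfo(nb, nb.AddDate(0, 0, 90)))
	fmt.Println(ARICertID([]byte{0x00, 0x01, 0x02}, big.NewInt(0x87)))
	fmt.Println(string(body))
}
```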