
Feature: externally provided account key

Open icing opened this issue 5 years ago • 3 comments

Allow the user to configure a file as primary source for an ACME account key. As in

MDAccountKey <path_to_pem_file>

which can be set globally or per MD.

On startup, read the key and

  • use it for any new account created for an MD
  • check if the key itself has changed for an existing account and perform the account key roll-over during the watchdog runs.

As of now, the user does not have control over the ACME account creation. The same account is used for all MDs on the same CA. By configuring account keys for (sets of) MDs, these can be tailored to match domain ownership.

By providing the key via a file, the admin takes control (and ownership) of the key management, for one. But it also means she has the key to make changes to her CA account herself.

icing avatar Oct 10 '19 10:10 icing
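
The "check if the key itself has changed" step above needs a stable identity for an account key. ACME servers identify account keys by their RFC 7638 JWK thumbprint, so comparing thumbprints (rather than file bytes) tells a watchdog whether a key change is actually due, independent of PEM line wrapping. The following is an added example in Python, not mod_md's own code: it contains a minimal PKCS#1 RSAPrivateKey DER encoder/decoder (just enough to pull out n and e), computes the thumbprint, and decides whether the configured key differs from the stored one. The two keys are constructed in-line with toy-sized RSA parameters; `account_key_changed` and the file-name roles are assumed for the illustration.

```python
"""Detect whether an externally configured ACME account key (the proposed
MDAccountKey file) differs from the key the account was registered with,
using the RFC 7638 JWK thumbprint that ACME uses to identify account keys.
Added example, not mod_md code. Keys below are constructed toy values."""
import base64
import hashlib
import json


def _der_len(n: int) -> bytes:
    # DER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:          # pad so the INTEGER stays positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def rsa_private_key_pem(n: int, e: int, d: int, p: int, q: int) -> str:
    """Encode a version-0 PKCS#1 RSAPrivateKey (RFC 8017 A.1.2) as PEM."""
    ints = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    body = b"".join(_der_int(i) for i in ints)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END RSA PRIVATE KEY-----\n")


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_private_key_pem(pem: str) -> dict:
    """Return the public parameters {n, e} of a PKCS#1 RSAPrivateKey PEM."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    ints, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(val, "big"))
    if len(ints) < 3 or ints[0] != 0:
        raise ValueError("not a version-0 RSAPrivateKey")
    return {"n": ints[1], "e": ints[2]}


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _uint_bytes(v: int) -> bytes:
    return v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")


def jwk_thumbprint(pub: dict) -> str:
    """RFC 7638: SHA-256 over the required members, sorted, no whitespace."""
    jwk = {"e": _b64url(_uint_bytes(pub["e"])), "kty": "RSA",
           "n": _b64url(_uint_bytes(pub["n"]))}
    canon = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode()
    return _b64url(hashlib.sha256(canon).digest())


def account_key_changed(configured_pem: str, stored_pem: str) -> bool:
    """True when the configured key no longer matches the account's stored
    key, i.e. an ACME key-change (RFC 8555 section 7.3.5) is due."""
    return (jwk_thumbprint(parse_rsa_private_key_pem(configured_pem))
            != jwk_thumbprint(parse_rsa_private_key_pem(stored_pem)))


# Constructed toy keys (far too small for real use; illustration only).
KEY_A = rsa_private_key_pem(n=3233, e=17, d=2753, p=61, q=53)
KEY_B = rsa_private_key_pem(n=143, e=7, d=103, p=11, q=13)

if __name__ == "__main__":
    print("same key, rollover due:", account_key_changed(KEY_A, KEY_A))
    print("new key, rollover due: ", account_key_changed(KEY_B, KEY_A))
```

A thumbprint comparison is what an admin would also use to confirm, after a roll-over, that the CA now associates the account with the key in the MDAccountKey file: the thumbprint of the configured key should equal the one the server reports for the account.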

Testing mod_md for the first time today, after many years with acme-tiny, I got stuck on the question of what to do with my account key. What became of this feature after such a long time? Is it possible that I'm overestimating the value of my one old precious account key and should rather play along with the account keys created on the fly by the module?

mschmitt avatar Mar 29 '23 20:03 mschmitt

The module is designed to work out of the box, without prior signup. Therefore it just registers an account and does its job. The account key is stored in the file system with root permissions, so you can get it.

It would be possible to "manually" exchange that key with your own, if you already have one. I never did that, not really caring. The one use case is certificate revocation which would require this key. mod_md does not support this by itself.

Some ACME providers have a feature called "External Account Binding" (EAB), which is supported by the module. Those providers are often more commercial and allow their users to create an EAB token to be used in installations. The account key created by a client using that EAB is then associated with your account.

icing avatar Mar 30 '23 13:03 icing

If revocation is the most likely use case, I can safely roll with the dynamic key instead of centrally maintaining one. Thanks for the feedback and your work on the module.

mschmitt avatar Mar 30 '23 17:03 mschmitt