Hi ACME:
I listened to the audio recording of the session in addition to the notes about
“**Don't call it PEM certificate chain** (slide 21)”. I’ll separate my response
into three parts. This first part is more of a protocol/general question, that
may obviate the second part.
The ACME protocol has an Order object that “represents a client's request for
a certificate and is used to track the progress of that order through to
issuance” (Section 7.1.3).
Once the requirements are satisfied, a certificate gets issued, and the
“certificate” field appears with the URL* to GET the certificate. The
certificate field is supposed to be present whenever the order status is
“valid”:
o "valid": The server has issued the certificate and provisioned its
URL to the "certificate" field of the order.
Furthermore, Section 7.4:
The server MUST issue the requested certificate and update the order
resource with a URL for the certificate shortly after the client has
fulfilled the server's requirements. If the client has already
satisfied the server's requirements at the time of this request
(e.g., by obtaining authorization for all of the identifiers in the
certificate in previous transactions), then the server MUST
proactively issue the requested certificate and provide a URL for it
in the "certificate" field of the order. The server MUST, however,
still list the completed authorizations in the "authorizations"
array.
This text tells me that the ACME client should keep on polling for order status
until it switches to valid, at which point, it can get the certificate. (I
guess that the “polling interval” is supposed to be in response to
authorizations succeeding, the statuses for which are explicitly “polled” in
the text.)
So, how about supplying the certificate directly by putting it in the
certificate field in base64(url) format? Forget all this certificate URL*
stuff. It just adds unnecessary redirection and more server state that needs to
be tracked (i.e., certificate retrieval URL). The order JSON object is already
big because of the required “csr” field, so you’re not going to make it
appreciably bigger.
I would propose putting the certificate in a JSON array in the “certificate”
field of the ACME Order object. The first array element is the subject
certificate, and subsequent elements are other chain parts (which “SHOULD” be
TLS-ordered). You can write a simple Python script that parses any stored “ACME
Order” JSON file and spews out the certificate chain as your web server du jour
likes it, or spews out better error messages, like “certificates not issued yet
because of XYZ reason”.
Thanks,
Sean
*Editorial: “certificate URL” should be “certificate URI”, per RFC 3986.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
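The script Sean sketches in the last paragraph, written out as an added example; it is not part of the email or of any ACME implementation. It assumes the proposed layout: an Order object whose "certificate" field is a JSON array of base64url-encoded DER certificates, subject certificate first. Order status names and the "error" problem document follow RFC 8555; the function names (b64url_decode, der_to_pem, order_to_pem_chain) and the sample DER bytes are constructed for this example, not real certificates.

```python
"""
Read a stored ACME Order object in the layout proposed above and either emit
the chain as PEM or explain why no certificate exists yet.
Assumed layout: "certificate" is a JSON array of base64url DER certificates,
leaf first. Status names and "error" follow RFC 8555. Example code, not from
the original email.
"""
import base64

# Why each non-"valid" order status carries no certificate (RFC 8555 s.7.1.6).
STATUS_REASONS = {
    "pending": "not all authorizations have been completed",
    "ready": "authorizations are complete but the CSR has not been finalized",
    "processing": "the CSR was accepted and issuance is still in progress",
    "invalid": "the order failed and will never yield a certificate",
}


class OrderNotReady(Exception):
    """The order carries no certificate; str(exc) says why."""


def b64url_decode(text: str) -> bytes:
    """Decode base64url (RFC 4648 s.5) whether or not '=' padding was kept."""
    text = text.strip()
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses elsewhere in its JSON."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def der_to_pem(der: bytes) -> str:
    """Wrap one DER certificate as an RFC 7468 PEM block (64-column base64)."""
    if not der or der[0] != 0x30:
        # Every X.509 certificate is a DER SEQUENCE; anything else is not a cert.
        raise ValueError("chain element is not a DER-encoded certificate")
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def explain_missing_certificate(order: dict) -> str:
    """Build the 'not issued yet because ...' message from the order itself."""
    status = order.get("status", "<missing>")
    reason = STATUS_REASONS.get(status, f"unrecognized order status {status!r}")
    message = f"certificate not issued yet: order status is {status!r} ({reason})"
    problem = order.get("error")
    if isinstance(problem, dict):
        # RFC 7807 problem document the server attaches to failed orders.
        message += (f"; server reported {problem.get('type', '?')}: "
                    f"{problem.get('detail', '')}")
    return message


def order_to_pem_chain(order: dict) -> str:
    """Return the PEM chain for a valid order, or raise OrderNotReady."""
    chain = order.get("certificate")
    if order.get("status") != "valid" or not chain:
        raise OrderNotReady(explain_missing_certificate(order))
    if not isinstance(chain, list):
        raise ValueError('"certificate" must be a JSON array of base64url DER certificates')
    return "".join(der_to_pem(b64url_decode(element)) for element in chain)


# Constructed stand-ins for DER certificates: a SEQUENCE header followed by
# filler bytes. They are not real X.509 certificates.
LEAF_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
ISSUER_DER = bytes([0x30, 0x81, 0x80]) + bytes(range(128))

# Constructed Order objects in the proposed layout.
SAMPLE_VALID_ORDER = {
    "status": "valid",
    "identifiers": [{"type": "dns", "value": "www.example.com"}],
    "certificate": [b64url_encode(LEAF_DER), b64url_encode(ISSUER_DER)],
}
SAMPLE_PENDING_ORDER = {
    "status": "pending",
    "identifiers": [{"type": "dns", "value": "www.example.com"}],
    "authorizations": ["https://example.com/acme/authz/1234"],
}

if __name__ == "__main__":
    print(order_to_pem_chain(SAMPLE_VALID_ORDER), end="")
    try:
        order_to_pem_chain(SAMPLE_PENDING_ORDER)
    except OrderNotReady as exc:
        print(exc)
```

The DER check in der_to_pem is deliberately minimal (first byte must be a SEQUENCE tag) so that a truncated or garbage element fails loudly instead of producing a PEM block the web server will reject later; a real deployment would hand the decoded bytes to an X.509 parser.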