I've been investigating the possibility of offering an ACME-compatible endpoint for local users to use to obtain certificates through our normal CA process. One of the issues I have identified is that if I were to run a local ACME server, every client would have to be configured to point at it. Some clients only have a 'staging' flag, and don't even allow specifying the full endpoint.

We could use a CAA record to prevent a cert from being issued using the default LE endpoint, but it would be nice if we could have an SRV record similar to _acmev2._tcp.example.org ..... acme.services.example.org that clients could use to auto-discover what the appropriate directory endpoint is. I could see one additional requirement that the SRV record must point to a server under the same domain. Is this a crazy idea?

— Justin Azoff

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
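As an added illustration of the discovery scheme sketched in the post (this is not code from the thread or from any ACME project), the following Python shows what a client-side lookup would have to do: parse the SRV answer for a record name such as `_acmev2._tcp.<domain>`, order candidates by priority and weight, enforce the proposed same-domain constraint on the target with a label-boundary check (so `notexample.org` is not treated as being under `example.org`), and fall back to a default directory when no usable record exists. The record name, the `/directory` path convention and the zone contents are assumptions; DNS answers are stubbed with constructed records so the example runs offline.

```python
"""Client-side ACME directory discovery via an SRV record (added example).

Assumptions (not from the thread): the record is named _acmev2._tcp.<domain>,
the target serves the ACME directory at https://<target>[:port]/directory,
and the operator's policy is that the target must lie under <domain>.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

SRV_PREFIX = "_acmev2._tcp."  # assumed record name from the proposal
DEFAULT_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # lower-cased, no trailing dot


def parse_srv(rdata: str) -> SrvRecord:
    """Parse the presentation form 'priority weight port target.'."""
    prio, weight, port, target = rdata.split()
    return SrvRecord(int(prio), int(weight), int(port), target.rstrip(".").lower())


def in_domain(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (label-boundary safe)."""
    host = host.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def discover_directory(domain: str, lookup: Callable[[str], List[str]]) -> Optional[str]:
    """Return the directory URL from the first acceptable SRV target, else None.

    Records are tried in ascending priority, then descending weight (a
    deterministic stand-in for RFC 2782 weighted selection). A target of "."
    means "service not offered" and is skipped; targets outside `domain` are
    rejected per the same-domain requirement.
    """
    records = [parse_srv(r) for r in lookup(SRV_PREFIX + domain)]
    for rec in sorted(records, key=lambda r: (r.priority, -r.weight)):
        if rec.target in ("", "."):
            continue
        if not in_domain(rec.target, domain):
            continue  # out-of-domain target: refuse rather than trust it
        host = rec.target if rec.port == 443 else f"{rec.target}:{rec.port}"
        return f"https://{host}/directory"
    return None


def directory_for(domain: str, lookup: Callable[[str], List[str]]) -> str:
    """Discovered directory if one passes the checks, otherwise the default."""
    return discover_directory(domain, lookup) or DEFAULT_DIRECTORY


# Constructed zone data standing in for real DNS answers.
ZONE = {
    "_acmev2._tcp.example.org": [
        "10 5 443 acme.services.example.org.",
        "20 0 8443 backup-acme.example.org.",
    ],
    # Only candidate points outside the zone: must be rejected.
    "_acmev2._tcp.example.net": ["10 0 443 acme.example.org."],
    # Lower-priority in-domain target wins over a higher-priority foreign one.
    "_acmev2._tcp.example.com": [
        "10 0 443 acme.example.org.",
        "20 0 8443 acme.example.com.",
    ],
}


def stub_lookup(qname: str) -> List[str]:
    """Stand-in resolver: returns the constructed SRV rdata for a query name."""
    return ZONE.get(qname.rstrip(".").lower(), [])


if __name__ == "__main__":
    for d in ("example.org", "example.net", "example.com", "no-record.example"):
        print(f"{d:20} -> {directory_for(d, stub_lookup)}")
```

The same-domain check is what keeps a compromised or mistyped SRV record from silently redirecting enrolment to an arbitrary host; without it the record would be an unauthenticated pointer to whatever CA the zone happens to name.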