I've been investigating the possibility of offering an ACME-compatible endpoint for local users to use to obtain certificates through our normal CA process. One of the issues I have identified is that if I were to run a local ACME server, every client would have to be configured to point at it. Some clients only have a 'staging' flag, and don't even allow specifying the full endpoint.

We could use a CAA record to prevent a cert from being issued using the default LE endpoint, but it would be nice if we could have an SRV record similar to

   _acmev2._tcp.example.org ..... acme.services.example.org

that clients could use to auto-discover what the appropriate directory endpoint

I could see one additional requirement: that the SRV record must point to a server under the same domain.

Is this a crazy idea?

Justin Azoff

Acme mailing list
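The client-side half of the proposal above, as an added example that is not part of the original post and not code from any ACME client or server. It assumes the SRV owner name `_acmev2._tcp.<domain>` and the same-domain rule from the post, and invents two things the post does not specify: that the directory lives at `/directory` on the SRV target over HTTPS, and that ties in priority are broken by the highest weight (a deterministic stand-in for RFC 2782 weighted random selection). The SRV answer is constructed inline so the block runs offline; a real client would obtain it from a resolver.

```python
"""Discovery logic for the proposed _acmev2._tcp SRV record.

Added example, not from the original post or any ACME implementation.
The SRV name and the "target must be under the same domain" rule come
from the proposal; the /directory path and HTTPS scheme are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    """One SRV RDATA tuple as a resolver would hand it back."""
    priority: int
    weight: int
    port: int
    target: str


def srv_name(domain: str) -> str:
    """Owner name the client would query, per the proposal."""
    return f"_acmev2._tcp.{domain.rstrip('.')}"


def _labels(name: str) -> List[str]:
    return [label for label in name.lower().rstrip(".").split(".") if label]


def is_under_domain(target: str, domain: str) -> bool:
    """True if target is domain itself or a subdomain of it.

    The comparison is on whole labels, so "notexample.org" is not treated
    as being under "example.org" even though it ends with the same string.
    """
    t, d = _labels(target), _labels(domain)
    return len(t) >= len(d) and t[-len(d):] == d


def select_directory(domain: str, records: Iterable[SrvRecord],
                     directory_path: str = "/directory") -> Optional[str]:
    """Pick the ACME directory URL from SRV answers for _acmev2._tcp.<domain>.

    Records whose target lies outside <domain> are silently dropped, so a
    poisoned or misconfigured answer cannot redirect the client off-domain.
    Among the rest, the lowest priority wins and ties go to the highest
    weight. Returns None when nothing usable remains; the caller should
    then fall back to its configured default rather than guessing.
    """
    eligible = [r for r in records if is_under_domain(r.target, domain)]
    if not eligible:
        return None
    best = min(eligible, key=lambda r: (r.priority, -r.weight))
    host = best.target.rstrip(".")
    port = "" if best.port == 443 else f":{best.port}"
    return f"https://{host}{port}{directory_path}"


# Constructed SRV answer for _acmev2._tcp.example.org (not a real DNS response).
EXAMPLE_ANSWER = [
    SrvRecord(10, 50, 443, "acme.services.example.org."),
    SrvRecord(10, 20, 8443, "acme2.services.example.org."),
    SrvRecord(0, 0, 443, "acme.attacker.example.net."),  # off-domain: dropped despite priority 0
    SrvRecord(0, 0, 443, "notexample.org."),             # suffix collision, not a subdomain
]

if __name__ == "__main__":
    print(srv_name("example.org"))
    print(select_directory("example.org", EXAMPLE_ANSWER))
```

Note that the same-domain check is what makes the lookup safe to trust at all: without it, anyone who can influence the answer to the SRV query can point every client in the zone at a directory of their choosing. Even with it, the answer should come over DNSSEC or be cross-checked against the CAA record the post mentions before a client relies on it.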
