I've been investigating the possibility of offering an ACME-compatible endpoint for local users to use to obtain certificates through our normal CA process. One of the issues I have identified is that if I were to run a local ACME server, every client would have to be configured to point at it. Some clients only have a 'staging' flag, and don't even allow specifying the
We could use a CAA record to prevent a cert from being issued using the default LE endpoint, but it would be nice if we could have an SRV record similar to

_acmev2._tcp.example.org ..... acme.services.example.org

that clients could use to auto-discover what the appropriate directory endpoint

I could see one additional requirement that the SRV record must point to a server under the same domain.
Is this a crazy idea?
Acme mailing list
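The following is an added example, not code from the original post or from any ACME client or CA; it sketches what a client could do with the hypothetical `_acmev2._tcp.<domain>` SRV record proposed above (pick the directory endpoint, and refuse any target that is not under the requesting domain), and, separately, the RFC 8659 CAA "issue" check a CA performs, which is the mechanism the post mentions for blocking issuance through the default endpoint. All DNS answers are constructed inline so it runs offline; the `/directory` path, the record contents and the host names are assumptions.

```python
# Added example: not code from the original mailing-list post. Record names
# and DNS answers below are constructed for illustration only.
from dataclasses import dataclass
from typing import Dict, Tuple

DEFAULT_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def fqdn(name: str) -> str:
    """Normalise to a lower-case, dot-terminated name for comparisons."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


# Constructed DNS answers standing in for resolver responses (not real zones).
# Keys are (owner name, RR type); CAA values are (flags, tag, value).
CONSTRUCTED_DNS: Dict[Tuple[str, str], list] = {
    ("_acmev2._tcp.example.org.", "SRV"): [
        SrvRecord(20, 0, 8443, "acme-backup.services.example.org."),
        SrvRecord(10, 5, 443, "acme.services.example.org."),
    ],
    # A zone whose SRV record points outside its own domain: must be rejected.
    ("_acmev2._tcp.other.example.", "SRV"): [
        SrvRecord(10, 0, 443, "acme.attacker.test."),
    ],
    ("example.org.", "CAA"): [(0, "issue", "ca.example.org")],
}


def lookup(name: str, rrtype: str) -> list:
    """Stand-in for a resolver query against the constructed data above."""
    return CONSTRUCTED_DNS.get((fqdn(name), rrtype), [])


def is_under(name: str, parent: str) -> bool:
    """True if name equals parent or is a subdomain of it."""
    name, parent = fqdn(name), fqdn(parent)
    return name == parent or name.endswith("." + parent)


def discover_directory(domain: str, default: str = DEFAULT_DIRECTORY) -> str:
    """Return the ACME directory URL for `domain` from its SRV record,
    falling back to `default` when no acceptable record exists."""
    records = lookup(f"_acmev2._tcp.{domain}", "SRV")
    # The "additional requirement" from the post: only accept targets that sit
    # under the domain being served, so a record cannot redirect clients to a
    # third party's ACME server.
    acceptable = [r for r in records if is_under(r.target, domain)]
    if not acceptable:
        return default
    # RFC 2782 picks the lowest priority, then weighted-random among equals;
    # this deterministic simplification takes the highest weight instead.
    best = min(acceptable, key=lambda r: (r.priority, -r.weight))
    host = best.target.rstrip(".")
    port = "" if best.port == 443 else f":{best.port}"
    # The /directory path is an assumption; the post names no convention.
    return f"https://{host}{port}/directory"


def caa_permits_issue(domain: str, ca_identity: str) -> bool:
    """RFC 8659 'issue' check as a CA performs it: walk up from `domain`
    towards the root; the first CAA RRset found is authoritative.
    Wildcard ('issuewild') handling is omitted for brevity."""
    name = fqdn(domain)
    while name != ".":
        rrset = lookup(name, "CAA")
        if rrset:
            issuers = [
                value.split(";", 1)[0].strip().lower()
                for _flags, tag, value in rrset
                if tag.lower() == "issue"
            ]
            if not issuers:
                return True  # CAA present but no 'issue' property: unrestricted
            # 'issue ";"' yields an empty issuer, which matches no CA at all
            return ca_identity.lower() in issuers
        name = name.split(".", 1)[1] or "."
    return True  # no CAA anywhere in the tree: any CA may issue


if __name__ == "__main__":
    print(discover_directory("example.org"))
    print(discover_directory("other.example"))
    print(caa_permits_issue("www.example.org", "letsencrypt.org"))
```

The same-domain filter is what makes the SRV indirection safe to trust from unauthenticated DNS: a record that names a host outside the zone is simply ignored and the client falls back to its compiled-in default. The CAA walk shows why the CAA approach works without touching clients at all, since it is the CA, not the client, that consults it.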