Sven A Rajala <[email protected]> wrote:
> server. When I explain that customers I tell them it’s like 2FA for
> your ACME enrollments. It’s commonly used with customers I work with
> too for their private ACME PKI enrollments.
Yeah, it's "like" 2FA, but really, it's 1FA, as the account key seems TOFU :-)
Does your ACME capable server support any further per-issuance authorization?
Not within ACME, but occurring via some out-of-band.
> There is support for private/pub key to use as well as the option
> Michael mentioned below. I don’t recall what ACME clients support it
> though.
Stock certbot seems to support it.
I'm a bit surprised, given that it's a bearer token, that it winds up on the
command line, (vs reading from a file). But I also suspect that makes it
more easily automated via puppet/ansible/cloud-init/etc.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Acme mailing list -- [email protected]
To unsubscribe send an email to [email protected]
