Closed frasertweedale closed 10 months ago
I agree. That would be a nice feature. Note that mod_md always generates a new private key when requesting a cert.
Something like #330?
I suppose this can be closed, now that the related PRs were merged and v2.4.26 was released.
Perhaps subject to configuration, when the mod_md OCSP client observes that a monitored certificate is revoked, it should attempt to request a new certificate for the managed domain.
Additionally, mod_md could/should generate a new keypair, especially when the OCSP response specifies the keyCompromise revocation reason.

This feature enables hosts to automatically and promptly recover when certificates are revoked. It would be especially useful in situations where a CA revokes en masse due to some discovered misconfiguration, misissuance, or compromise. Such situations have occurred for publicly trusted ACME CAs including Let's Encrypt, and it should be assumed that events of this kind will continue to occur. Examples: