Open sergiosanzferrero opened 4 years ago

What would you like to be added

It would be great if it supports ACME-STAR compatibility. https://tools.ietf.org/html/draft-ietf-acme-star-11

Why this is needed

ACME-STAR would reduce the latency that occurs when revoking certificates using OCSP or CRL, eliminating revocation and allowing the CA itself to automatically renew the certificates unless the entity requesting the certificates requests to stop issuing certificates.

Note, while we don't currently support ~~the ACME-STAR draft~~ ACME-STAR, our CA has a challenge-free renewal mechanism that uses mTLS for authentication (so it authenticates based on ownership of the private key of an issued certificate).

edit: not a draft

Nitpicking :-) it hasn't been in draft form for a couple of months now, see RFC 8739. And yes, STAR gives you the same "passive revocation" that step-ca implements, except the renewal schedule is decided once at registration time and managed completely server-side instead of being client-driven.
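The following is an added example (not code from this issue, from step-ca, or from RFC 8739) that models the two "passive revocation" schemes the thread compares: a STAR order whose renewal schedule is fixed at order time and executed by the CA, versus client-driven renewal authenticated with the current certificate over mTLS. The field names mirror RFC 8739's auto-renewal object, but the scheduling arithmetic, the class and function names, and the timestamps are all assumptions constructed for illustration. The point it makes runnable is the one in the feature request: in both schemes "revoking" means stopping renewal, so the worst-case exposure is the remaining lifetime of the last certificate and no CRL/OCSP lookup is involved.

```python
"""Toy model of passive revocation: STAR (server-driven) vs mTLS renewal (client-driven).

Field names follow RFC 8739's "auto-renewal" object; the schedule arithmetic
is a simplification (assumption), not the RFC's exact wording.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class CertWindow:
    serial: int
    not_before: datetime
    not_after: datetime

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t < self.not_after


@dataclass
class StarOrder:
    """A STAR order with its auto-renewal parameters (constructed values)."""
    start_date: datetime
    end_date: datetime
    lifetime: timedelta              # validity of each short-term certificate
    lifetime_adjust: int = 0         # % of lifetime by which notBefore is pre-dated
    status: str = "valid"            # "canceled" once the client asks the CA to stop
    canceled_at: Optional[datetime] = None


def _window(order: StarOrder, idx: int) -> CertWindow:
    """Validity of the idx-th certificate on the server-side schedule."""
    nominal_start = order.start_date + idx * order.lifetime
    predate = order.lifetime * order.lifetime_adjust / 100
    return CertWindow(
        serial=idx + 1,
        not_before=nominal_start - predate,
        not_after=min(nominal_start + order.lifetime, order.end_date),
    )


def star_certificate(order: StarOrder, now: datetime) -> Optional[CertWindow]:
    """What the CA serves at the star-certificate URL at time `now`.

    None outside the order window. After cancellation the CA keeps serving only
    the cert that was already current at cancellation; nothing newer is ever
    produced. That is the whole of STAR's passive revocation."""
    if now < order.start_date or now >= order.end_date:
        return None
    idx = (now - order.start_date) // order.lifetime
    if order.status == "canceled":
        last_idx = (order.canceled_at - order.start_date) // order.lifetime
        if idx > last_idx:
            return None
    return _window(order, idx)


def cancel_star_order(order: StarOrder, at: datetime) -> timedelta:
    """Client-side 'revocation': cancel the order and return the exposure
    window, i.e. how long the already-issued certificate stays valid."""
    order.status = "canceled"
    order.canceled_at = at
    current = star_certificate(order, at)
    return current.not_after - at if current else timedelta(0)


@dataclass
class ClientDrivenCA:
    """Renewal authenticated by presenting the current cert over mTLS."""
    lifetime: timedelta
    renewal_allowed: bool = True     # set False to passively revoke
    serial: int = 0

    def issue(self, now: datetime) -> CertWindow:
        self.serial += 1
        return CertWindow(self.serial, now, now + self.lifetime)

    def renew(self, presented: CertWindow, now: datetime) -> Optional[CertWindow]:
        """Only a holder of a still-valid cert can renew; None means refused."""
        if not self.renewal_allowed or not presented.valid_at(now):
            return None
        return self.issue(now)


def exposure_after_refusal(last_cert: CertWindow, at: datetime) -> timedelta:
    """Worst-case exposure once the CA stops renewing: the remaining lifetime."""
    return max(last_cert.not_after - at, timedelta(0))


def _minutes(d: timedelta) -> int:
    return int(d.total_seconds() // 60)


def demo() -> dict:
    """Run both schemes on a constructed timeline; values are minutes from t0."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)          # constructed
    h = lambda n: t0 + timedelta(hours=n)
    order = StarOrder(t0, t0 + timedelta(days=7), timedelta(hours=6), lifetime_adjust=10)
    at_7h = star_certificate(order, h(7))
    exposure = cancel_star_order(order, h(7))               # client says "stop"
    ca = ClientDrivenCA(timedelta(hours=6))
    c1 = ca.issue(t0)
    c2 = ca.renew(c1, h(4))                                 # renewed via mTLS
    ca.renewal_allowed = False                              # CA passively revokes
    refused = ca.renew(c2, h(8))
    return {
        "star_serial_at_7h": at_7h.serial,
        "star_not_before_min": _minutes(at_7h.not_before - t0),
        "star_exposure_min": _minutes(exposure),
        "star_serial_at_8h": star_certificate(order, h(8)).serial,
        "star_serial_at_13h": star_certificate(order, h(13)),
        "client_serial_after_renew": c2.serial,
        "client_renew_after_refusal": refused,
        "client_exposure_min": _minutes(exposure_after_refusal(c2, h(8))),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} {v}")
```

In the STAR branch the client never touches the CA between issuances; once it cancels at t0+7h the CA still serves the certificate that was current (serial 2, valid until t0+12h, so a five-hour exposure) and serves nothing at t0+13h. In the client-driven branch the CA's refusal has the same shape: the last certificate simply runs out. Either way the exposure is bounded by the certificate lifetime, which is why short lifetimes are what make passive revocation acceptable.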