mirrors/acme2certifier
1
0
Fork 0
mirror of https://github.com/grindsa/acme2certifier.git synced 2025-12-31 01:51:01 +02:00
Code Issues Projects Releases Packages Wiki Activity
Page: Prevalidated Domain List Feature for ACME Authorization
Pages
# How to build an acme2certifier cluster on Ubuntu 22.04 <! wiki title: DEB Installation on Ubuntu 22.04 <! wiki title: External Account Binding <! wiki title: Hooks <! wiki title: Installation on Apache2 Running on Ubuntu 22.04 <! wiki title: Installation on NGINX Running on Alma Linux 9 <! wiki title: Pass Information from ACME Client to CA Handler <! wiki title: Reporting and Housekeeping <! wiki title: Support for ACME profiling <! wiki title: Support for External Databases ACME CA handler Asynchronous Mode (`async_mode`) in acme2certifier CA Handler for Microsoft Certification Authority Web Enrollment Service CA Handler for Microsoft Windows Client Certificate Enrollment Protocol (MS WCCE) CA Handler for NetGuard Certificate Lifecycle Manager CA Handler for OpenXPKI CA Handler for XCA CA Handler for an OpenSSL based CA Stored on Local File System CA Polling to Check Pending Enrollment Requests CA Trigger CA handler for Digicert CertCentral CA handler for EJBCA CA handler for Entrust ECS Enterprise CA handler for Insta ActiveCMS CA handler for Insta CA handler for Microsoft Certification Authority Web Enrollment Service CA handler for Microsoft Windows Client Certificate Enrollment Protocol (MS WCCE) CA handler for NetGuard Certificate Lifecycle Manager CA handler for NetGuard Certificate Manager and Insta Certifier CA handler for OpenXPKI CA handler for XCA CA handler for an openssl based CA stored on local file system CA handler using CMPv2 protocol CA handler using EST protocol CA polling to check pending enrollment requests CA trigger CA‐handler for Hashicorp Vault PKI Configuration options for acme2certifier Containerized Installation Using Apache2 or Nginx as Web Server with WSGI or Django Containerized installation DEB installation on Ubuntu 22.04 Database scheme Enrollment of End User Certificates according to RFC8823 Enrollment profiling via external account binding Example commands for acme clients External Account Binding (EAB) External Account Binding Home Hooks support Hooks How to Create Your Own CA Handler How to build am acme2certifier cluster on Ubuntu 22.04 How to build an acme2certifier cluster on Alma Linux 9 How to build an acme2certifier cluster on Ubuntu 22.04 How to contribute to this project How to create your own CA Handler Installation on Apache2 Running on Ubuntu 22.04 Installation on NGINX Running on Alma Linux 9 Installation on Nginx Running on Ubuntu 22.04 Installation on nginx running on Ubuntu 22.04 Pass Information from ACME Client to CA Handler Prevalidated Domain List Feature for ACME Authorization Proxy Support in acme2certifier Proxy support in acme2certifier RPM Installation on AlmaLinux 9 RPM installation on Alma Linux 9 RPM installation on alma Linux 9 Reporting and Housekeeping support SOAP CA Handler Prototype SOAP CA handler protopype Security Policy Support for ACME profiling Support for External Databases Support for TNAuthList Identifier and tkauth 01 Challenges Support for TNAuthList identifier and tkauth 01 challenges Upgrading acme2certifier Using cert manager to enroll certificate in Kubernetes environments acme_srv.cfg configuration options upgrading acme2certifier vault
1 Prevalidated Domain List Feature for ACME Authorization
grindsa edited this page 2025-12-27 06:11:36 +00:00
Table of Contents

Prevalidated Domain List Feature for ACME Authorization

Overview

The prevalidated_domainlist feature in the ACME Authorization module allows a2c-administrators to specify a list of DNS domains that are considered pre-authorized (prevalidated) for certificate issuance. When enabled, any ACME authorization request for a domain in this list will be automatically marked as valid, bypassing the standard ACME challenge validation process.

This feature is intended for special use cases where certain domains are trusted by policy or infrastructure, and strict validation is not required. It introduces significant security risks if misused.

How It Works

  • When a new authorization request is processed, the Authorization class checks if the requested DNS identifier matches any entry in the prevalidated_domainlist.

  • If a match is found, the authorization status is set to valid immediately, and the associated order gets marked as ready. ACME Clients following RFC8555 will then skip the challenge validation process and directly finalize the order by submitting a CSR.

  • The feature can be enabled in two ways:

    • Direct Configuration: By setting the prevalidated_domainlist option in the acme_srv.cfg configuration file.

    • ACME Profiling (EAB Profile): By enabling EAB profiling, which can dynamically provide a prevalidated_domainlist for specific accounts via the EAB handler/profile mechanism.

Enabling the Feature

1. Direct Configuration in acme_srv.cfg

Add the following to your [Authorization] section:

[Authorization]
prevalidated_domainlist: ["example.com", "trusted.example.org"]
  • The value must be a valid JSON array of domain names.
  • Restart the ACME service after changing the configuration.

2. Enabling via ACME Profiling (EAB Profile)

If you use EAB (External Account Binding) profiles, you can provide a prevalidated_domainlist for specific accounts. This is controlled by the eab_profiling and eab_handler options, and the profile data structure must include the domain list:

Example EAB profile snippet:

{
  "keyid_03": {
    "authorization": {
      "prevalidated_domainlist": ["profiled.example.com"]
    }
  }
}

When an account with key ID keyid_03 requests authorization, the specified domains will be approved for that account.

Security Implications

Warning: Enabling the prevalidated domain list feature can severely weaken the security of your ACME deployment.

  • Any domain listed in prevalidated_domainlist will be issued certificates without proof of control.
  • If the list is set globally, any client can obtain certificates for those domains.
  • Use this feature only in tightly controlled environments, such as internal PKIs or for legacy migration scenarios.
  • Always audit and restrict the list to the minimum set of domains required.
  • Consider using EAB profiling to scope prevalidation to specific accounts rather than globally.

Example Configuration

acme_srv.cfg:

[Authorization]
prevalidated_domainlist = ["internal.example.com", "vpn.example.com"]

EAB Profile JSON:

{
  "special_kid": {
    "authorization": {
      "prevalidated_domainlist": ["special.example.com"]
    }
  }
}

References

  • See the Authorization class in acme_srv/authorization.py for implementation details.
  • For EAB profiling, refer to your EAB handler and profile documentation.

Again: Use with extreme caution. This feature is for advanced administrators who understand the security trade-offs.