I built a tool for creating letsencrypt certs, integrated with our DNS infrastructure. At this point, I could create a cert and key for any service and then disseminate the files to the system/load balancer in question.
However, it would be great if the services could create CSRs and submit those to the internal cert-tool, so the private key never leaves the service system.
Can any estimation be made as to whether it would be possible and how much effort this might take? I am not familiar with ACME. Depending on the details, I might be able to contribute substantially to a solution.
The private key never leaves the system. The CSR is signed by the private key, but the key itself is never provided to Let's Encrypt. Given how you persist with acme-lib, you could simply extract the key from the persistence layer.
Sorry for leaving this hanging, couldn't get back to it sooner.
What I meant is acme-lib supporting external CSRs, so that the system obtaining the cert from letsencrypt does not have to have the private key.
Here, in `finalize()`, a new CSR is created. Instead, I would like to have a `finalize_with(self, csr: &X509Req, delay_millis: u64)` or similar.
It is my understanding that any bad CSR (wrong domains, extensions, etc.) would be rejected by the cert provider anyway, so acme-lib would not need to do any checks.
Coupled with that, it would be great to have a counterpart: a simple way of creating and exporting a CSR for specific domains, to be transferred and used in the aforementioned way.
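The two-host flow the comment above asks for, as an added example that is not part of this issue and not acme-lib's own code. It uses the openssl CLI (1.1.1 or newer, for `-addext`) instead of the library: the service host generates its key and a CSR and exports only the CSR; the cert-tool host verifies the CSR's self-signature (proof that the sender holds the private key) and checks its SANs against an allow-list. That second check is the one the comment says acme-lib could skip; it is still worth doing locally because RFC 8555 requires the CSR's SANs to equal the order's identifiers, so a mis-scoped CSR should be refused before an order is spent on it. Host names, domains and the `$WORK` directory standing in for both filesystems are constructed for the demo; the final hand-off of the checked CSR to an ACME finalize call is outside this example.

```shell
#!/bin/sh
# Added example, not acme-lib code: the CSR hand-off described above, done with
# the openssl CLI. All host and domain names here are constructed for the demo.
set -e

WORK="$(mktemp -d)"   # stands in for the two hosts' filesystems

# --- service host -------------------------------------------------------------
# Generates the private key and a CSR for its domains. Only the CSR is exported;
# service.key never leaves $WORK (it would become the TLS key of the service).
# Args: primary domain, then any further SANs. Prints the path of the CSR.
make_service_csr() {
    primary="$1"; shift
    sans="DNS:$primary"
    for d in "$@"; do sans="$sans,DNS:$d"; done
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/service.key" \
        -subj "/CN=$primary" \
        -addext "subjectAltName=$sans" \
        -out "$WORK/service.csr" 2>/dev/null
    echo "$WORK/service.csr"
}

# --- cert-tool host -----------------------------------------------------------
# Receives the CSR and nothing else. Before spending an ACME order on it:
#  1. verify the CSR's self-signature: proves the sender holds the private key;
#  2. require every SAN to be on the allow-list passed as the remaining args,
#     because RFC 8555 finalize demands the CSR's SANs equal the order's
#     identifiers, and an over-broad CSR should fail here, not at Let's Encrypt.
# Args: CSR path, then the domains this service may request. Returns 0 if OK.
check_csr() {
    csr="$1"; shift
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    # The SAN list is printed on the line after the "Subject Alternative Name" header.
    sans=$(openssl req -in "$csr" -noout -text \
           | sed -n '/Subject Alternative Name/{n;p;}' \
           | tr -d ' ' | tr ',' '\n' | sed 's/^DNS://')
    [ -n "$sans" ] || return 1          # a CSR without SANs is useless for ACME
    for s in $sans; do
        ok=0
        for a in "$@"; do
            if [ "$s" = "$a" ]; then ok=1; fi
        done
        [ "$ok" -eq 1 ] || return 1
    done
    return 0
}

# Demo: the service requests its own names and the cert-tool accepts; the same
# CSR checked against a narrower allow-list is refused; the CSR holds no key.
CSR=$(make_service_csr svc.example.internal www.svc.example.internal)
check_csr "$CSR" svc.example.internal www.svc.example.internal && echo "CSR accepted"
check_csr "$CSR" svc.example.internal || echo "CSR refused: requests a name outside the allow-list"
! grep -q 'PRIVATE KEY' "$CSR" && echo "CSR carries no private key"
```

The SAN extraction relies on the text layout of `openssl req -text`, which is stable across 1.1.1 and 3.x but is not a parsing API; a cert-tool written in Rust would read the extension from the parsed `X509Req` instead of scraping text. The verify step is the important one for the "key never leaves the service" goal: a CSR whose signature does not verify under its own public key is not proof of possession and must not be submitted.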