An Automatic Certificate Management Environment Profile for Generating Delegated Certificates
RFC 9115, “An Automatic Certificate Management Environment Profile for Generating Delegated Certificates”, is a Proposed Standard document published in September 2021 by Y. Sheffer, D. López, A. Pastor Perales, T. Fossati. The canonical text is published by the RFC Editor.
Abstract
This document defines a profile of the Automatic Certificate Management Environment (ACME) protocol by which the holder of an identifier (e.g., a domain name) can allow a third party to obtain an X.509 certificate such that the certificate subject is the delegated identifier while the certified public key corresponds to a private key controlled by the third party. A primary use case is that of a Content Delivery Network (CDN), the third party, terminating TLS sessions on behalf of a content provider (the holder of a domain name). The presented mechanism allows the holder of the identifier to retain control over the delegation and revoke it at any time. Importantly, this mechanism does not require any modification to the deployed TLS clients and servers.
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 9115 is hosted at rfc-editor.org. Available in HTML,TXT,PDF,XML.
- RFC 9117 Revised Validation Procedure for BGP Flow Specifications
- RFC 9118 Enhanced JSON Web Token Claim Constraints for Secure Telephone Identity Revisited Certificates
- RFC 9119 Multicast Considerations over IEEE 802 Wireless Media
- RFC 9120 Nameservers for the Address and Routing Parameter Area Domain
- RFC 9109 Network Time Protocol Version 4: Port Randomization
- RFC 9108 YANG Types for DNS Classes and Resource Record Types
- RFC 9107 BGP Optimal Route Reflection
- RFC 9106 Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications