← Back to context

Comment by silverwind

3 years ago

This is actually a great suggestion and ACME providers should provide it as an opt-in feature via CAA record. Not even the provider having access to system memory could issue a mitm cert without you noticing.

The provider having access to system memory can copy the private key and use your original key+cert for MITM, unless you are using some fancy HSM.