Key change

User is able to change the public key, associated with the ACME Account, without losing the history of orders. To do so, ACME client must send a new key to the keyChange URL.

The JWS must be signed with the old key. JWS payload must contain a base64url-encoded "inner JWS" with the new key in the protected header, and the old key in the payload. The "inner JWS" must be signed with the new key.

POST https://stica.peeringhub.io/acme/key-change
Content-Type: application/jose+json
Content-Length: 1464
{
  "protected" : BASE64URL(
    {
      "alg": "ES256",
      "nonce": "BCFAB5246CC547FDBDBFB07251E73A40",
      "url": "https://stica.peeringhub.io/acme/key-change",
      "kid": "https://stica.peeringhub.io/acme/acct/6A1AD155B73D45448E7B832888C3EF54"
    }
  ),
  "payload" : BASE64URL(
    {
      "protected" : BASE64URL(
        {
          "alg": "ES256",
          "jwk": {
            "kty": "EC",
            "crv": "P-256",
            "x": "I-3Vr9qBQJR7GOgRJ7uWj_6t0AO-Nh5fZnXZSzgOHsI",
            "y": "4Qhp5jZI3v8lwYDK9FJNzUN3fvL_FeeeSMb2vHlOzSI",
            "kid": "NEW KEY"
          },
          "url": "https://stica.peeringhub.io/acme/key-change"
        }
      ),
      "payload" : BASE64URL(
        {
          "account": "https://stica.peeringhub.io/acme/acct/6A1AD155B73D45448E7B832888C3EF54",
          "oldKey": {
            "kty": "EC",
            "crv": "P-256",
            "x": "4nHODmypbnfKdJd-IxbMsLwOtJqC0fPysqKFu8cssEY",
            "y": "u5McBHfPXkFvlHtFM38GEmMiv2owHxPawpWfH17Y0MY",
            "kid": "OLD key"
          }
        }
      ),
      "signature" : "<base64url-encoded signature created with the NEW key>"
    }
  ),
  "signature" : "<base64url-encoded signature created with the OLD key>"
}

On success, server must return an empty 200 OK reply:

HTTP/1.1 200 OK
Replay-Nonce: 367CB73114264084A3BA0087AD97E88E
Content-Length: 0

PreviousList active orders NextAccount deactivation

Last updated 3 years ago