An account holder can change the public key associated with an ACME account without losing the account's order history. To do so, the ACME client sends a key-change request to the keyChange URL advertised in the directory.
The request body is a JWS signed with the old (current) account key; its protected header carries "kid" (the account URL), a fresh nonce and the key-change URL. The payload of that outer JWS is a base64url-encoded "inner JWS": its protected header carries the new key in "jwk" and the same "url" as the outer JWS, and it carries no nonce; its payload is a keyChange object holding the account URL ("account") and the old key ("oldKey"). The inner JWS is signed with the new key. Per RFC 8555 section 7.3.5, the server accepts the request only if the outer signature verifies with the key on file for the account, the inner signature verifies with the key in "jwk", both "url" values match, "account" matches the outer "kid", and "oldKey" equals the account's current key.
POST https://stica.peeringhub.io/acme/key-change
Content-Type: application/jose+json
Content-Length: 1464
{
"protected" : BASE64URL(
{
"alg": "ES256",
"nonce": "BCFAB5246CC547FDBDBFB07251E73A40",
"url": "https://stica.peeringhub.io/acme/key-change",
"kid": "https://stica.peeringhub.io/acme/acct/6A1AD155B73D45448E7B832888C3EF54"
}
),
"payload" : BASE64URL(
{
"protected" : BASE64URL(
{
"alg": "ES256",
"jwk": {
"kty": "EC",
"crv": "P-256",
"x": "I-3Vr9qBQJR7GOgRJ7uWj_6t0AO-Nh5fZnXZSzgOHsI",
"y": "4Qhp5jZI3v8lwYDK9FJNzUN3fvL_FeeeSMb2vHlOzSI",
"kid": "NEW KEY"
},
"url": "https://stica.peeringhub.io/acme/key-change"
}
),
"payload" : BASE64URL(
{
"account": "https://stica.peeringhub.io/acme/acct/6A1AD155B73D45448E7B832888C3EF54",
"oldKey": {
"kty": "EC",
"crv": "P-256",
"x": "4nHODmypbnfKdJd-IxbMsLwOtJqC0fPysqKFu8cssEY",
"y": "u5McBHfPXkFvlHtFM38GEmMiv2owHxPawpWfH17Y0MY",
"kid": "OLD key"
}
}
),
"signature" : "<base64url-encoded signature created with the NEW key>"
}
),
"signature" : "<base64url-encoded signature created with the OLD key>"
}
On success, the server returns an empty 200 OK reply carrying a fresh Replay-Nonce:
HTTP/1.1 200 OK
Replay-Nonce: 367CB73114264084A3BA0087AD97E88E
Content-Length: 0
From that point on, every request for the account must be signed with the new key; the old key no longer authenticates the account.
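The following Go program is added here as a worked example; it is not part of the peeringhub documentation or the STI-CA server. It builds the nested JWS shown above on the client side and then runs the server-side checks from RFC 8555 section 7.3.5 against it, using only the standard library. The account and key-change URLs are the ones from the request above; the function names (NewKey, BuildKeyChange, VerifyKeyChange), the freshly generated keys and the reuse of the sample nonce string in place of one fetched from the server are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
)

// JWK is a P-256 public key as it appears in an ACME "jwk" header (comparable with ==).
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// JWS is the flattened JSON serialization ACME uses for request bodies.
type JWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

var b64 = base64.RawURLEncoding // base64url without padding, as JOSE requires

func pad32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }

// NewKey generates a fresh P-256 account key (assumed helper for the example).
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// JWKOf renders an ECDSA P-256 public key as a JWK with fixed-length coordinates.
func JWKOf(pub *ecdsa.PublicKey) JWK {
	return JWK{"EC", "P-256", b64.EncodeToString(pad32(pub.X)), b64.EncodeToString(pad32(pub.Y))}
}

// pubOf converts a JWK to a public key; verifyES256 rejects it if the point is not on the curve.
func pubOf(j JWK) *ecdsa.PublicKey {
	x, _ := b64.DecodeString(j.X)
	y, _ := b64.DecodeString(j.Y)
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
}

// decode base64url-decodes one JWS part and unmarshals the JSON inside it.
func decode(part string, v interface{}) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// signES256 builds a flattened JWS; ES256 is ECDSA over P-256/SHA-256 with the raw r||s signature.
func signES256(key *ecdsa.PrivateKey, header map[string]interface{}, payload []byte) (JWS, error) {
	hdr, _ := json.Marshal(header) // strings and a JWK only: cannot fail
	j := JWS{Protected: b64.EncodeToString(hdr), Payload: b64.EncodeToString(payload)}
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return JWS{}, err
	}
	j.Signature = b64.EncodeToString(append(pad32(r), pad32(s)...))
	return j, nil
}

// verifyES256 checks the signature and refuses public keys that are not valid P-256 points.
func verifyES256(pub *ecdsa.PublicKey, j JWS) bool {
	sig, err := b64.DecodeString(j.Signature)
	if err != nil || len(sig) != 64 || !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return false
	}
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	return ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// BuildKeyChange is the client side: an inner JWS signed with the NEW key (jwk header, no nonce),
// wrapped as the payload of an outer JWS signed with the OLD key (kid header, nonce).
func BuildKeyChange(oldKey, newKey *ecdsa.PrivateKey, accountURL, keyChangeURL, nonce string) (JWS, error) {
	innerPayload, _ := json.Marshal(map[string]interface{}{"account": accountURL, "oldKey": JWKOf(&oldKey.PublicKey)})
	inner, err := signES256(newKey, map[string]interface{}{"alg": "ES256", "jwk": JWKOf(&newKey.PublicKey), "url": keyChangeURL}, innerPayload)
	if err != nil {
		return JWS{}, err
	}
	outerPayload, _ := json.Marshal(inner)
	return signES256(oldKey, map[string]interface{}{"alg": "ES256", "kid": accountURL, "nonce": nonce, "url": keyChangeURL}, outerPayload)
}

// VerifyKeyChange is the server side; accountKey is the key currently on file for accountURL.
// The checks follow RFC 8555 section 7.3.5; encoding/json matches header names case-insensitively.
func VerifyKeyChange(outer JWS, accountKey *ecdsa.PublicKey, accountURL, keyChangeURL string) (JWK, error) {
	var oh struct{ Alg, Kid, Nonce, URL string }
	if err := decode(outer.Protected, &oh); err != nil || oh.Alg != "ES256" || oh.Kid != accountURL || oh.URL != keyChangeURL || oh.Nonce == "" {
		return JWK{}, errors.New("outer header: bad alg, kid or url, or missing nonce") // a real server also consumes the nonce from its replay pool
	}
	if !verifyES256(accountKey, outer) { // only the key on file for this account may authorize the change
		return JWK{}, errors.New("outer signature was not made with the account's current key")
	}
	var inner JWS
	var ih struct{ Alg, Nonce, URL string; Jwk *JWK }
	if decode(outer.Payload, &inner) != nil || decode(inner.Protected, &ih) != nil || ih.Alg != "ES256" || ih.Jwk == nil || ih.Jwk.Kty != "EC" || ih.Jwk.Crv != "P-256" || ih.URL != oh.URL || ih.Nonce != "" {
		return JWK{}, errors.New("inner header: needs a P-256 jwk and the outer url, and must not carry a nonce")
	}
	if !verifyES256(pubOf(*ih.Jwk), inner) {
		return JWK{}, errors.New("inner jwk is invalid or the inner signature was not made with it")
	}
	var ip struct{ Account string; OldKey JWK }
	if err := decode(inner.Payload, &ip); err != nil || ip.Account != oh.Kid || ip.OldKey != JWKOf(accountKey) {
		return JWK{}, errors.New("keyChange object: account must match the outer kid and oldKey the current key")
	}
	if *ih.Jwk == ip.OldKey { // a real server searches its whole account store and answers 409 Conflict
		return JWK{}, errors.New("new key is already in use")
	}
	return *ih.Jwk, nil
}
```

VerifyKeyChange returns the new key only after every binding between the two layers holds; a server would then store that key against the account, at which point the old key stops authenticating. The duplicate-key check here compares only against the old key, because the example has no account store; the RFC's requirement is that no other account already uses the new key.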