acumen/rotate_key
Account key rotation for ACME.
Key rotation allows you to replace your account’s key pair while maintaining account continuity.
Example
import acumen
import acumen/rotate_key
import gleam/httpc
import gose/jwk
import kryptos/ec

// `ctx` (acumen.Context) and `old_registered_key` (acumen.RegisteredKey)
// are assumed to be in scope already.

// Generate a new key to rotate to
let new_key = jwk.generate_ec(ec.P256)

// Build and execute the key change request
let change = rotate_key.request(new_key)
let assert Ok(#(resp, ctx)) = acumen.execute(
  ctx,
  build: rotate_key.build(change, _, old_registered_key),
  send: httpc.send,
)

// Parse the response to get the new registered key
let assert Ok(new_registered_key) =
  rotate_key.response(resp, new_key, old_registered_key)
Types
Request builder for key rotation.
Use request to create a builder with the new key, then call build.
pub opaque type RequestBuilder
Values
pub fn build(
  builder: RequestBuilder,
  context: acumen.Context,
  key: acumen.RegisteredKey,
) -> Result(request.Request(String), acumen.AcmeError)
Builds the HTTP request for key rotation.
Creates a nested JWS: inner payload {account, oldKey} signed with the
new key, wrapped in an outer JWS signed with the old key.
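The nested layout described above is the keyChange request of RFC 8555 section 7.3.5. The following Python is an added example, not acumen's own code: it decodes such a nested JWS and applies the structural rules a server checks before accepting the rotation. Signature verification is left out, and every key, URL and helper name here is constructed for illustration.

```python
import base64
import json

def _enc(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(text: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)))

def flattened_jws(protected: dict, payload: dict) -> dict:
    # The signature is a constructed placeholder; nothing is signed here.
    return {"protected": _enc(protected), "payload": _enc(payload),
            "signature": "placeholder"}

def check_key_change(outer: dict, stored_old_jwk: dict) -> list:
    """Return RFC 8555 section 7.3.5 structural violations (empty = pass)."""
    outer_hdr = _dec(outer["protected"])
    inner = _dec(outer["payload"])        # the outer payload is the inner JWS
    inner_hdr = _dec(inner["protected"])
    key_change = _dec(inner["payload"])   # {"account": ..., "oldKey": ...}
    problems = []
    if "kid" not in outer_hdr:
        problems.append("outer JWS must identify the account with kid")
    if "jwk" not in inner_hdr:
        problems.append("inner JWS must carry the new key in jwk")
    if "nonce" in inner_hdr:
        problems.append("inner JWS must omit nonce")
    if inner_hdr.get("url") != outer_hdr.get("url"):
        problems.append("inner and outer url differ")
    if key_change.get("account") != outer_hdr.get("kid"):
        problems.append("account does not match outer kid")
    if key_change.get("oldKey") != stored_old_jwk:
        problems.append("oldKey does not match the registered key")
    return problems

# Constructed sample values (not real keys or endpoints).
ACCOUNT = "https://acme.example/acct/1"
KEY_CHANGE = "https://acme.example/key-change"
OLD_JWK = {"kty": "EC", "crv": "P-256", "x": "old-x", "y": "old-y"}
NEW_JWK = {"kty": "EC", "crv": "P-256", "x": "new-x", "y": "new-y"}

def sample_request(account: str = ACCOUNT, old_key: dict = OLD_JWK) -> dict:
    inner = flattened_jws({"alg": "ES256", "jwk": NEW_JWK, "url": KEY_CHANGE},
                          {"account": account, "oldKey": old_key})
    return flattened_jws({"alg": "ES256", "kid": ACCOUNT, "nonce": "n-1",
                          "url": KEY_CHANGE}, inner)

if __name__ == "__main__":
    print(check_key_change(sample_request(), OLD_JWK))
```

The inner signature proves possession of the new key and the outer signature proves control of the account, so a real server verifies both signatures in addition to these field checks.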
pub fn request(new_key: jwk.Jwk) -> RequestBuilder
Creates a new key rotation request builder wrapping the replacement key.
pub fn response(
  resp: response.Response(String),
  new_key new_key: jwk.Jwk,
  old_key old_key: acumen.RegisteredKey,
) -> Result(acumen.RegisteredKey, acumen.AcmeError)
Parses the key rotation response.
Returns a new RegisteredKey with the new key and the old key’s
account URL.