Multiple Accounts with DigiCert

[BearThatIsGrumpy]

When you create ACME Directory URLs with DigiCert you need to select a product, so I have two separate accounts: one for single domain certs and one for multi-domain certs.

When attempting to use New-PAAccount with each of these, the first one works and the second one does not, with a 400 response from DigiCert with "eab kId mismatch". I know the EAB info is accurate for the one that doesn't work because if I do Remove-PAAccount, then Remove-PAServer, then go through my steps again reversing the order in which I'm calling New-PAAccount, the account that previously did not work does work.

I suspect this may be user error. Is there something I'm missing when attempting to use multiple accounts with the same ACME server?

Log-SingleDomainFirst.txt

Log-MultiDomainFirst.txt

[rmbolger]

Hi @BearThatIsGrumpy, thanks for reaching out. I'm not super familiar with DigiCert's ACME implementation, so most of this is going to be guess work. Nothing looks obviously wrong with the commands you're running and it's definitely weird that the first one always works regardless of which comes first.

One thing I noticed is that the directory URL you're using with Set-PAServer is the same for both. I was under the impression that DigiCert generated custom directory URLs that are associated with the EABs like what is described here:
https://docs.digicert.com/en/certcentral/certificate-tools/certificate-lifecycle-automation-guides/use-a-third-party-acme-client-for-host-automations.html#create-one-or-more-acme-directory-urls

Are you missing any querystring params or additional pieces of the directory URL? If they're different for the different products, you'd likely need to switch servers as well as accounts.

[BearThatIsGrumpy]

When I create a new DigiCert ACME URL, the value for "AMCE Directory URL" has always been the non-unique "https://acme.digicert.com/v2/acme/directory/".

I'll check with their support folks to make sure there isn't some other piece implied that I'm missing.

Thanks for the quick response!

[BearThatIsGrumpy]

I heard back from DigiCert support that their ACME URL is always "https://acme.digicert.com/v2/acme/directory/".

For now I think I have a workaround here by using different physical paths depending on the type of cert I'm working with, setting the process-scope POSHACME_HOME environment variable as needed, and re-importing Posh-ACME. Kind of clunky, but seems to work.

[rmbolger]

Hey @BearThatIsGrumpy, I had a random idea to potentially workaround this issue without needing to have a whole separate profile directory per account forever.

The accounts are separate folders within the server folder on disk. So what happens if you just manually move the account folder from one config the other after creating both? It seems like things would just work since the account key for each one doesn't change.

You could also potentially do this more elegantly using a combination of Export-PAAccountKey and New-PAAccount -ID "blah" -KeyFile .\exported.key -OnlyReturnExisting.