When you create a credential for External Account Binding, an HMAC (Hash-Based Message Authentication Code) key is created for that credential. Each External Account Binding credential has its own HMAC key. Each ACMEv2 client that enrolls with an External Account Binding credential will use the HMAC key only once. An ACMEv2 client will use the HMAC key only when it initially connects to the ACMEv2 server and creates an ACMEv2 account. After the account is created, the ACMEv2 client no longer needs the key.
You can disable the HMAC key for an External Account Binding credential. Disabling a key will block new ACMEv2 clients from using the key to create an account with External Account Binding credential. ACMEv2 clients that have already used the key to create an account can still perform ACMEv2 operations if the ACMEv2 operations are enabled for the External Account Binding credential.
To disable the HMAC key for an External Account Binding credential
- On the Entrust Deployment Manager or Cryptographic Security Platform node hosting the EAB Utility, log in as sysadmin.
- Enter the following command to launch the EAB Utility:
sudo eab-util - The main menu appears:
- Select Manage EAB credentials, and then press Enter.
A list of External Account Binding credentials appears. For example:
The Key Status column displays the status of the HMAC key for each External Account Binding credential, either Enabled or Disabled. - Select the credential whose HMAC key you want to disable, and then press Enter.
A Manage EAB Credentials page appears. For example:
- Select Disable EAB Key, and then press Enter.
The Disable ACMEv2 EAB Key page appears.
- Select Disable EAB Key and press Enter.
The HMAC key for the External Account Binding credential is disabled. The Manage EAB Credentials page reappears