Generating Certificate Requests for Short-Term, Automatically-Renewed (STAR) Certificates

Document Type Expired Internet-Draft (individual)
Authors Yaron Sheffer  , Diego Lopez  , Oscar de Dios  , Antonio Pastor  , Thomas Fossati 
Last updated 2018-12-31 (latest revision 2018-06-29)
Stream (None)
Intended RFC status (None)
Expired & archived
plain text xml htmlized pdfized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This memo proposes a protocol that allows a domain name owner to delegate to a third party (such as a CDN) control over a certificate that bears one or more names in that domain. Specifically the third party creates a Certificate Signing Request for the domain, which can then be used by the domain owner to request a short term and automatically renewed (STAR) certificate. This is a component in a solution where a third-party such as a CDN can terminate TLS sessions on behalf of a domain name owner (e.g., a content provider), and the domain owner can cancel this delegation at any time without having to rely on certificate revocation mechanisms.


Yaron Sheffer (
Diego Lopez (
Oscar de Dios (
Antonio Pastor (
Thomas Fossati (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)