Generating Certificate Requests for Short-Term, Automatically-Renewed (STAR) Certificates

The information below is for an old version of the document
Document Type Expired Internet-Draft (individual)
Last updated 2017-12-18 (latest revision 2017-06-16)
Stream (None)
Intended RFC status (None)
Expired & archived
pdf htmlized (tools) htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This memo proposes a protocol that allows a domain name owner to delegate to a third party (such as a CDN) control over a certificate that bears one or more names in that domain. Specifically the third party creates a Certificate Signing Request for the domain, which can then be used by the domain owner to request a short term and automatically renewed (STAR) certificate. This is a component in a solution where a third-party such as a CDN can terminate TLS sessions on behalf of a domain name owner (e.g., a content provider), and the domain owner can cancel this delegation at any time without having to rely on certificate revocation mechanisms.


Yaron Sheffer (
Diego Lopez (
Oscar de Dios (
Antonio Pastor (
Thomas Fossati (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)