Automated Certificate Management Environment (ACME) Protocol
- Created
- 2019-01-02
- Last Updated
- 2025-07-14
- Available Formats
-
XML
HTML
Plain text
Registries Included Below
- ACME Account Object Fields
- ACME Order Object Fields
- ACME Authorization Object Fields
- ACME Error Types
- ACME Resource Types
- ACME Directory Metadata Fields
- ACME Identifier Types
- ACME Validation Methods
- ACME Order Auto-Renewal Fields
- ACME Directory Metadata Auto-Renewal Fields
- STAR Delegation CSR Template Extensions
- ACME Authority Token Challenge Types
- ACME RenewalInfo Object Fields
ACME Account Object Fields
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Richard Barnes, Aaron Gable
- Reference
- [RFC8555]
- Available Formats
-
CSV
| Field Name | Field Type | Requests | Reference |
|---|---|---|---|
| status | string | new, account | [RFC8555] |
| contact | array of string | new, account | [RFC8555] |
| externalAccountBinding | object | new | [RFC8555] |
| termsOfServiceAgreed | boolean | new | [RFC8555] |
| onlyReturnExisting | boolean | new | [RFC8555] |
| orders | string | none | [RFC8555] |
| delegations | string | none | [RFC9115] |
ACME Order Object Fields
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Richard Barnes, Aaron Gable
- Reference
- [RFC8555]
- Available Formats
-
CSV
| Field Name | Field Type | Configurable | Reference |
|---|---|---|---|
| status | string | false | [RFC8555] |
| expires | string | false | [RFC8555] |
| identifiers | array of object | true | [RFC8555] |
| notBefore | string | true | [RFC8555] |
| notAfter | string | true | [RFC8555] |
| error | string | false | [RFC8555] |
| authorizations | array of string | false | [RFC8555] |
| finalize | string | false | [RFC8555] |
| certificate | string | false | [RFC8555] |
| auto-renewal | object | true | [RFC8739] |
| star-certificate | string | false | [RFC8739] |
| allow-certificate-get | boolean | true | [RFC9115] |
| delegation | string | true | [RFC9115] |
| replaces | string | true | [RFC9773] |
ACME Authorization Object Fields
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Richard Barnes, Aaron Gable
- Reference
- [RFC8555]
- Available Formats
-
CSV
| Field Name | Field Type | Configurable | Reference |
|---|---|---|---|
| identifier | object | true | [RFC8555] |
| status | string | false | [RFC8555] |
| expires | string | false | [RFC8555] |
| challenges | array of object | false | [RFC8555] |
| wildcard | boolean | false | [RFC8555] |
| subdomainAuthAllowed | boolean | false | [RFC9444] |
ACME Error Types
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Richard Barnes, Aaron Gable
- Reference
- [RFC8555]
- Available Formats
-
CSV
| Type | Description | Reference |
|---|---|---|
| accountDoesNotExist | The request specified an account that does not exist | [RFC8555] |
| alreadyRevoked | The request specified a certificate to be revoked that has already been revoked | [RFC8555] |
| badCSR | The CSR is unacceptable (e.g., due to a short key) | [RFC8555] |
| badNonce | The client sent an unacceptable anti-replay nonce | [RFC8555] |
| badPublicKey | The JWS was signed by a public key the server does not support | [RFC8555] |
| badRevocationReason | The revocation reason provided is not allowed by the server | [RFC8555] |
| badSignatureAlgorithm | The JWS was signed with an algorithm the server does not support | [RFC8555] |
| caa | Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate | [RFC8555] |
| compound | Specific error conditions are indicated in the "subproblems" array | [RFC8555] |
| connection | The server could not connect to validation target | [RFC8555] |
| dns | There was a problem with a DNS query during identifier validation | [RFC8555] |
| externalAccountRequired | The request must include a value for the "externalAccountBinding" field | [RFC8555] |
| incorrectResponse | Response received didn't match the challenge's requirements | [RFC8555] |
| invalidContact | A contact URL for an account was invalid | [RFC8555] |
| malformed | The request message was malformed | [RFC8555] |
| orderNotReady | The request attempted to finalize an order that is not ready to be finalized | [RFC8555] |
| rateLimited | The request exceeds a rate limit | [RFC8555] |
| rejectedIdentifier | The server will not issue certificates for the identifier | [RFC8555] |
| serverInternal | The server experienced an internal error | [RFC8555] |
| tls | The server received a TLS error during validation | [RFC8555] |
| unauthorized | The client lacks sufficient authorization | [RFC8555] |
| unsupportedContact | A contact URL for an account used an unsupported protocol scheme | [RFC8555] |
| unsupportedIdentifier | An identifier is of an unsupported type | [RFC8555] |
| userActionRequired | Visit the "instance" URL and take actions specified there | [RFC8555] |
| autoRenewalCanceled | The short-term certificate is no longer available because the auto-renewal Order has been explicitly canceled by the IdO | [RFC8739] |
| autoRenewalExpired | The short-term certificate is no longer available because the auto-renewal Order has expired | [RFC8739] |
| autoRenewalCancellationInvalid | A request to cancel an auto-renewal Order that is not in state "valid" has been received | [RFC8739] |
| autoRenewalRevocationNotSupported | A request to revoke an auto-renewal Order has been received | [RFC8739] |
| unknownDelegation | An unknown configuration is listed in the delegation attribute of the order request | [RFC9115] |
| onionCAARequired | The CA only supports checking the CAA for Hidden Services in-band, but the client has not provided an in-band CAA | [RFC9799] |
| alreadyReplaced | The request specified a predecessor certificate that has already been marked as replaced | [RFC9773] |
ACME Resource Types
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Richard Barnes, Aaron Gable
- Reference
- [RFC8555]
- Available Formats
-
CSV
| Field Name | Resource Type | Reference |
|---|---|---|
| newNonce | New nonce | [RFC8555] |
| newAccount | New account | [RFC8555] |
| newOrder | New order | [RFC8555] |
| newAuthz | New authorization | [RFC8555] |
| revokeCert | Revoke certificate | [RFC8555] |
| keyChange | Key change | [RFC8555] |
| meta | Metadata object | [RFC8555] |
| renewalInfo | RenewalInfo object | [RFC9773] |
ACME Directory Metadata Fields
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Richard Barnes, Aaron Gable
- Reference
- [RFC8555]
- Available Formats
-
CSV
| Field Name | Field Type | Reference |
|---|---|---|
| termsOfService | string | [RFC8555] |
| website | string | [RFC8555] |
| caaIdentities | array of string | [RFC8555] |
| externalAccountRequired | boolean | [RFC8555] |
| auto-renewal | object | [RFC8739] |
| delegation-enabled | boolean | [RFC9115] |
| allow-certificate-get | boolean | [RFC9115] |
| subdomainAuthAllowed | boolean | [RFC9444] |
| onionCAARequired | boolean | [RFC9799] |
ACME Identifier Types
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Richard Barnes, Aaron Gable
- Reference
- [RFC8555]
- Available Formats
-
CSV
| Label | Reference |
|---|---|
| dns | [RFC8555] |
| ip | [RFC8738] |
| [RFC8823][RFC-ietf-emailcore-rfc5321bis-43][RFC6531] | |
| TNAuthList | [RFC9448] |
| bundleEID | [RFC-ietf-acme-dtnnodeid-18] |
| NfInstanceId | [3GPP TS 33.310] |
ACME Validation Methods
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Richard Barnes, Aaron Gable
- Reference
- [RFC8555]
- Available Formats
-
CSV
| Label | Identifier Type | ACME | Reference |
|---|---|---|---|
| http-01 | dns | Y | [RFC8555] |
| dns-01 | dns | Y | [RFC8555] |
| tls-sni-01 | RESERVED | N | [RFC8555] |
| tls-sni-02 | RESERVED | N | [RFC8555] |
| http-01 | ip | Y | [RFC8738] |
| tls-alpn-01 | ip | Y | [RFC8738] |
| tls-alpn-01 | dns | Y | [RFC8737] |
| email-reply-00 | Y | [RFC8823] | |
| tkauth-01 | TNAuthList | Y | [RFC9447] |
| onion-csr-01 | dns | Y | [RFC9799] |
| bp-nodeid-00 | bundleEID | Y | [RFC-ietf-acme-dtnnodeid-18] |
| tkauth-01 | NfInstanceId | Y | [3GPP TS 33.310] |
ACME Order Auto-Renewal Fields
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Yaron Sheffer, Diego R. Lopez, Thomas Fossati, Aaron Gable
- Reference
- [RFC8739]
- Available Formats
-
CSV
| Field Name | Field Type | Configurable | Reference |
|---|---|---|---|
| start-date | string | true | [RFC8739] |
| end-date | string | true | [RFC8739] |
| lifetime | integer | true | [RFC8739] |
| lifetime-adjust | integer | true | [RFC8739] |
| allow-certificate-get | boolean | true | [RFC8739] |
ACME Directory Metadata Auto-Renewal Fields
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Yaron Sheffer, Diego R. Lopez, Thomas Fossati, Aaron Gable
- Reference
- [RFC8739]
- Available Formats
-
CSV
| Field Name | Field Type | Reference |
|---|---|---|
| min-lifetime | integer | [RFC8739] |
| max-duration | integer | [RFC8739] |
| allow-certificate-get | boolean | [RFC8739] |
STAR Delegation CSR Template Extensions
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Yaron Sheffer, Diego R. Lopez, Thomas Fossati, Aaron Gable
- Reference
- [RFC9115]
- Available Formats
-
CSV
| Extension Name | Extension Syntax and Reference | Mapping to X.509 Certificate Extension |
|---|---|---|
| keyUsage | [RFC9115, Appendix A] | [RFC5280, Section 4.2.1.3] |
| extendedKeyUsage | [RFC9115, Appendix A] | [RFC5280, Section 4.2.1.12] |
| subjectAltName | [RFC9115, Appendix A] | [RFC5280, Section 4.2.1.6] (note that only specific name formats are allowed: URI, DNS name, email address) |
ACME Authority Token Challenge Types
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Mary Barnes, Aaron Gable
- Reference
- [RFC9447]
- Available Formats
-
CSV
| Label | Description | Reference |
|---|---|---|
| atc | JSON Web Token (JWT) challenge type | [RFC9447] |
ACME RenewalInfo Object Fields
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Richard Barnes, Aaron Gable
- Reference
- [RFC9773]
- Available Formats
-
CSV
| Field Name | Field Type | Reference |
|---|---|---|
| suggestedWindow | object | [RFC9773] |
| explanationURL | string | [RFC9773] |