Automated Certificate Management Environment (ACME) Protocol
Created: 2019-01-02
Last Updated: 2024-02-02
ACME Account Object Fields
Registration Procedure: Specification Required
Expert: Richard Barnes

Field Name               Field Type        Requests
status                   string            new, account
contact                  array of string   new, account
externalAccountBinding   object            new
termsOfServiceAgreed     boolean           new
onlyReturnExisting       boolean           new
orders                   string            none
delegations              string            none

ACME Order Object Fields
Registration Procedure: Specification Required
Expert: Richard Barnes

Field Name               Field Type        Configurable
status                   string            false
expires                  string            false
identifiers              array of object   true
notBefore                string            true
notAfter                 string            true
error                    string            false
authorizations           array of string   false
finalize                 string            false
certificate              string            false
auto-renewal             object            true
star-certificate         string            false
allow-certificate-get    boolean           true
delegation               string            true

ACME Authorization Object Fields
Registration Procedure: Specification Required
Expert: Richard Barnes

Field Name               Field Type        Configurable
identifier               object            true
status                   string            false
expires                  string            false
challenges               array of object   false
wildcard                 boolean           false
subdomainAuthAllowed     boolean           false

ACME Error Types
Registration Procedure: Specification Required
Expert: Richard Barnes

Type                               Description
accountDoesNotExist                The request specified an account that does not exist
alreadyRevoked                     The request specified a certificate to be revoked that has already been revoked
badCSR                             The CSR is unacceptable (e.g., due to a short key)
badNonce                           The client sent an unacceptable anti-replay nonce
badPublicKey                       The JWS was signed by a public key the server does not support
badRevocationReason                The revocation reason provided is not allowed by the server
badSignatureAlgorithm              The JWS was signed with an algorithm the server does not support
caa                                Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate
compound                           Specific error conditions are indicated in the "subproblems" array
connection                         The server could not connect to validation target
dns                                There was a problem with a DNS query during identifier validation
externalAccountRequired            The request must include a value for the "externalAccountBinding" field
incorrectResponse                  Response received didn't match the challenge's requirements
invalidContact                     A contact URL for an account was invalid
malformed                          The request message was malformed
orderNotReady                      The request attempted to finalize an order that is not ready to be finalized
rateLimited                        The request exceeds a rate limit
rejectedIdentifier                 The server will not issue certificates for the identifier
serverInternal                     The server experienced an internal error
tls                                The server received a TLS error during validation
unauthorized                       The client lacks sufficient authorization
unsupportedContact                 A contact URL for an account used an unsupported protocol scheme
unsupportedIdentifier              An identifier is of an unsupported type
userActionRequired                 Visit the "instance" URL and take actions specified there
autoRenewalCanceled                The short-term certificate is no longer available because the auto-renewal Order has been explicitly canceled by the IdO
autoRenewalExpired                 The short-term certificate is no longer available because the auto-renewal Order has expired
autoRenewalCancellationInvalid     A request to cancel an auto-renewal Order that is not in state "valid" has been received
autoRenewalRevocationNotSupported  A request to revoke an auto-renewal Order has been received
unknownDelegation                  An unknown configuration is listed in the delegation attribute of the order request
onionCAARequired                   The CA only supports checking CAA for hidden services in-band, but the client has not provided an in-band CAA

ACME Resource Types
Registration Procedure: Specification Required
Expert: Richard Barnes

Field Name     Resource Type
newNonce       New nonce
newAccount     New account
newOrder       New order
newAuthz       New authorization
revokeCert     Revoke certificate
keyChange      Key change
meta           Metadata object

ACME Directory Metadata Fields
Registration Procedure: Specification Required
Expert: Richard Barnes

Field Name               Field Type
termsOfService           string
website                  string
caaIdentities            array of string
externalAccountRequired  boolean
auto-renewal             object
delegation-enabled       boolean
allow-certificate-get    boolean
subdomainAuthAllowed     boolean
onionCAARequired         boolean

ACME Identifier Types
Registration Procedure: Specification Required
Expert: Richard Barnes

Label
dns
ip
email
TNAuthList

ACME Validation Methods
Registration Procedure: Specification Required
Expert: Richard Barnes

Label            Identifier Type   ACME
http-01          dns               Y
dns-01           dns               Y
tls-sni-01       RESERVED          N
tls-sni-02       RESERVED          N
http-01          ip                Y
tls-alpn-01      ip                Y
tls-alpn-01      dns               Y
email-reply-00   email             Y
tkauth-01        TNAuthList        Y
onion-csr-01     dns               Y

ACME Order Auto-Renewal Fields
Registration Procedure: Specification Required
Experts: Yaron Sheffer, Diego R. Lopez, Thomas Fossati

Field Name               Field Type   Configurable
start-date               string       true
end-date                 string       true
lifetime                 integer      true
lifetime-adjust          integer      true
allow-certificate-get    boolean      true

ACME Directory Metadata Auto-Renewal Fields
Registration Procedure: Specification Required
Experts: Yaron Sheffer, Diego R. Lopez, Thomas Fossati

Field Name               Field Type
min-lifetime             integer
max-duration             integer
allow-certificate-get    boolean

STAR Delegation CSR Template Extensions
Registration Procedure: Specification Required
Experts: Yaron Sheffer, Diego R. Lopez, Thomas Fossati

Extension Name     Specification            Reference
keyUsage           RFC9115, Appendix A      RFC5280, Section 4.2.1.3
extendedKeyUsage   RFC9115, Appendix A      RFC5280, Section 4.2.1.12
subjectAltName     RFC9115, Appendix A      RFC5280, Section 4.2.1.6
                   (note that only specific name formats are allowed: URI, DNS name, email address)

ACME Authority Token Challenge Types
Registration Procedure: Specification Required
Expert: Mary Barnes

Label   Description
atc     JSON Web Token (JWT) challenge type