Automated Certificate Management Environment (ACME) Protocol

Automated Certificate Management Environment (ACME) Protocol
Automated Certificate Management Environment (ACME) Protocol
Created
2019-01-02
2025-11-25
Available Formats
XML
HTML
Plain text
Registries Included Below
ACME Account Object Fields
ACME Order Object Fields
ACME Authorization Object Fields
ACME Error Types
ACME Resource Types
ACME Directory Metadata Fields
ACME Identifier Types
ACME Validation Methods
ACME Order Auto-Renewal Fields
ACME Directory Metadata Auto-Renewal Fields
STAR Delegation CSR Template Extensions
ACME Authority Token Challenge Types
ACME RenewalInfo Object Fields
ACME Account Object Fields
Registration Procedure(s)
Specification Required
Expert(s)
Richard Barnes, Aaron Gable
Reference
RFC8555
Available Formats
CSV
Field Name
Field Type
Requests
Reference
status
string
new, account
RFC8555
contact
array of string
new, account
RFC8555
externalAccountBinding
object
new
RFC8555
termsOfServiceAgreed
boolean
new
RFC8555
onlyReturnExisting
boolean
new
RFC8555
orders
string
none
RFC8555
delegations
string
none
RFC9115
ACME Order Object Fields
Registration Procedure(s)
Specification Required
Expert(s)
Richard Barnes, Aaron Gable
Reference
RFC8555
Available Formats
CSV
Field Name
Field Type
Configurable
Reference
status
string
false
RFC8555
expires
string
false
RFC8555
identifiers
array of object
true
RFC8555
notBefore
string
true
RFC8555
notAfter
string
true
RFC8555
error
string
false
RFC8555
authorizations
array of string
false
RFC8555
finalize
string
false
RFC8555
certificate
string
false
RFC8555
auto-renewal
object
true
RFC8739
star-certificate
string
false
RFC8739
allow-certificate-get
boolean
true
RFC9115
delegation
string
true
RFC9115
replaces
string
true
RFC9773
ACME Authorization Object Fields
Registration Procedure(s)
Specification Required
Expert(s)
Richard Barnes, Aaron Gable
Reference
RFC8555
Available Formats
CSV
Field Name
Field Type
Configurable
Reference
identifier
object
true
RFC8555
status
string
false
RFC8555
expires
string
false
RFC8555
challenges
array of object
false
RFC8555
wildcard
boolean
false
RFC8555
subdomainAuthAllowed
boolean
false
RFC9444
ACME Error Types
Registration Procedure(s)
Specification Required
Expert(s)
Richard Barnes, Aaron Gable
Reference
RFC8555
Available Formats
CSV
Type
Description
Reference
accountDoesNotExist
The request specified an account that does not exist
RFC8555
alreadyRevoked
The request specified a certificate to be revoked that has already been revoked
RFC8555
badCSR
The CSR is unacceptable (e.g., due to a short key)
RFC8555
badNonce
The client sent an unacceptable anti-replay nonce
RFC8555
badPublicKey
The JWS was signed by a public key the server does not support
RFC8555
badRevocationReason
The revocation reason provided is not allowed by the server
RFC8555
badSignatureAlgorithm
The JWS was signed with an algorithm the server does not support
RFC8555
caa
Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate
RFC8555
compound
Specific error conditions are indicated in the "subproblems" array
RFC8555
connection
The server could not connect to validation target
RFC8555
dns
There was a problem with a DNS query during identifier validation
RFC8555
externalAccountRequired
The request must include a value for the "externalAccountBinding" field
RFC8555
incorrectResponse
Response received didn't match the challenge's requirements
RFC8555
invalidContact
A contact URL for an account was invalid
RFC8555
malformed
The request message was malformed
RFC8555
orderNotReady
The request attempted to finalize an order that is not ready to be finalized
RFC8555
rateLimited
The request exceeds a rate limit
RFC8555
rejectedIdentifier
The server will not issue certificates for the identifier
RFC8555
serverInternal
The server experienced an internal error
RFC8555
tls
The server received a TLS error during validation
RFC8555
unauthorized
The client lacks sufficient authorization
RFC8555
unsupportedContact
A contact URL for an account used an unsupported protocol scheme
RFC8555
unsupportedIdentifier
An identifier is of an unsupported type
RFC8555
userActionRequired
Visit the "instance" URL and take actions specified there
RFC8555
autoRenewalCanceled
The short-term certificate is no longer available because the
auto-renewal Order has been explicitly canceled by the IdO
RFC8739
autoRenewalExpired
The short-term certificate is no longer available because the
auto-renewal Order has expired
RFC8739
autoRenewalCancellationInvalid
A request to cancel an auto-renewal Order that is not in
state "valid" has been received
RFC8739
autoRenewalRevocationNotSupported
A request to revoke an auto-renewal Order has been received
RFC8739
unknownDelegation
An unknown configuration is
listed in the delegation attribute of the order request
RFC9115
onionCAARequired
The CA only supports checking the CAA for Hidden
Services in-band, but the client has not provided an in-band CAA
RFC9799
alreadyReplaced
The request specified a predecessor certificate that has
already been marked as replaced
RFC9773
ACME Resource Types
Registration Procedure(s)
Specification Required
Expert(s)
Richard Barnes, Aaron Gable
Reference
RFC8555
Available Formats
CSV
Field Name
Resource Type
Reference
newNonce
New nonce
RFC8555
newAccount
New account
RFC8555
newOrder
New order
RFC8555
newAuthz
New authorization
RFC8555
revokeCert
Revoke certificate
RFC8555
keyChange
Key change
RFC8555
meta
Metadata object
RFC8555
renewalInfo
RenewalInfo object
RFC9773
ACME Directory Metadata Fields
Registration Procedure(s)
Specification Required
Expert(s)
Richard Barnes, Aaron Gable
Reference
RFC8555
Available Formats
CSV
Field Name
Field Type
Reference
string
RFC8555
website
string
RFC8555
caaIdentities
array of string
RFC8555
externalAccountRequired
boolean
RFC8555
auto-renewal
object
RFC8739
delegation-enabled
boolean
RFC9115
allow-certificate-get
boolean
RFC9115
subdomainAuthAllowed
boolean
RFC9444
onionCAARequired
boolean
RFC9799
ACME Identifier Types
Registration Procedure(s)
Specification Required
Expert(s)
Richard Barnes, Aaron Gable
Reference
RFC8555
Available Formats
CSV
Label
Reference
dns
RFC8555
ip
RFC8738
email
RFC8823
][
RFC-ietf-emailcore-rfc5321bis-43
][
RFC6531
TNAuthList
RFC9448
bundleEID
RFC9891
NfInstanceId
3GPP TS 33.310
ACME Validation Methods
Registration Procedure(s)
Specification Required
Expert(s)
Richard Barnes, Aaron Gable
Reference
RFC8555
Available Formats
CSV
Label
Identifier Type
ACME
Reference
http-01
dns
RFC8555
dns-01
dns
RFC8555
tls-sni-01
RESERVED
RFC8555
tls-sni-02
RESERVED
RFC8555
http-01
ip
RFC8738
tls-alpn-01
ip
RFC8738
tls-alpn-01
dns
RFC8737
email-reply-00
email
RFC8823
tkauth-01
TNAuthList
RFC9447
onion-csr-01
dns
RFC9799
bp-nodeid-00
bundleEID
RFC9891
tkauth-01
NfInstanceId
3GPP TS 33.310
ACME Order Auto-Renewal Fields
Registration Procedure(s)
Specification Required
Expert(s)
Yaron Sheffer, Diego R. Lopez, Thomas Fossati, Aaron Gable
Reference
RFC8739
Available Formats
CSV
Field Name
Field Type
Configurable
Reference
start-date
string
true
RFC8739
end-date
string
true
RFC8739
lifetime
integer
true
RFC8739
lifetime-adjust
integer
true
RFC8739
allow-certificate-get
boolean
true
RFC8739
ACME Directory Metadata Auto-Renewal Fields
Registration Procedure(s)
Specification Required
Expert(s)
Yaron Sheffer, Diego R. Lopez, Thomas Fossati, Aaron Gable
Reference
RFC8739
Available Formats
CSV
Field Name
Field Type
Reference
min-lifetime
integer
RFC8739
max-duration
integer
RFC8739
allow-certificate-get
boolean
RFC8739
STAR Delegation CSR Template Extensions
Registration Procedure(s)
Specification Required
Expert(s)
Yaron Sheffer, Diego R. Lopez, Thomas Fossati, Aaron Gable
Reference
RFC9115
Available Formats
CSV
Extension Name
Extension Syntax and Reference
Mapping to X.509 Certificate Extension
keyUsage
RFC9115, Appendix A
RFC5280, Section 4.2.1.3
extendedKeyUsage
RFC9115, Appendix A
RFC5280, Section 4.2.1.12
subjectAltName
RFC9115, Appendix A
RFC5280, Section 4.2.1.6
(note that only specific name formats are allowed: URI, DNS name,
email address)
ACME Authority Token Challenge Types
Registration Procedure(s)
Specification Required
Expert(s)
Mary Barnes, Aaron Gable
Reference
RFC9447
Available Formats
CSV
Label
Description
Reference
atc
JSON Web Token (JWT) challenge type
RFC9447
ACME RenewalInfo Object Fields
Registration Procedure(s)
Specification Required
Expert(s)
Richard Barnes, Aaron Gable
Reference
RFC9773
Available Formats
CSV
Field Name
Field Type
Reference
suggestedWindow
object
RFC9773
explanationURL
string
RFC9773