Movatterモバイル変換

Automated Certificate Management Environment (ACME) Protocol

Created: 2019-01-02
Last Updated: 2025-11-25
Available Formats

Registries Included Below

ACME Account Object Fields

Registration Procedure(s)

Specification Required

Expert(s)

Richard Barnes, Aaron Gable

Reference

[RFC8555]

Available Formats

CSV

Field Name	Field Type	Requests	Reference
status	string	new, account	[RFC8555]
contact	array of string	new, account	[RFC8555]
externalAccountBinding	object	new	[RFC8555]
termsOfServiceAgreed	boolean	new	[RFC8555]
onlyReturnExisting	boolean	new	[RFC8555]
orders	string	none	[RFC8555]
delegations	string	none	[RFC9115]

ACME Order Object Fields

Registration Procedure(s)

Specification Required

Expert(s)

Richard Barnes, Aaron Gable

Reference

[RFC8555]

Available Formats

CSV

Field Name	Field Type	Configurable	Reference
status	string	false	[RFC8555]
expires	string	false	[RFC8555]
identifiers	array of object	true	[RFC8555]
notBefore	string	true	[RFC8555]
notAfter	string	true	[RFC8555]
error	string	false	[RFC8555]
authorizations	array of string	false	[RFC8555]
finalize	string	false	[RFC8555]
certificate	string	false	[RFC8555]
auto-renewal	object	true	[RFC8739]
star-certificate	string	false	[RFC8739]
allow-certificate-get	boolean	true	[RFC9115]
delegation	string	true	[RFC9115]
replaces	string	true	[RFC9773]

ACME Authorization Object Fields

Registration Procedure(s)

Specification Required

Expert(s)

Richard Barnes, Aaron Gable

Reference

[RFC8555]

Available Formats

CSV

Field Name	Field Type	Configurable	Reference
identifier	object	true	[RFC8555]
status	string	false	[RFC8555]
expires	string	false	[RFC8555]
challenges	array of object	false	[RFC8555]
wildcard	boolean	false	[RFC8555]
subdomainAuthAllowed	boolean	false	[RFC9444]

ACME Error Types

Registration Procedure(s)

Specification Required

Expert(s)

Richard Barnes, Aaron Gable

Reference

[RFC8555]

Available Formats

CSV

Type	Description	Reference
accountDoesNotExist	The request specified an account that does not exist	[RFC8555]
alreadyRevoked	The request specified a certificate to be revoked that has already been revoked	[RFC8555]
badCSR	The CSR is unacceptable (e.g., due to a short key)	[RFC8555]
badNonce	The client sent an unacceptable anti-replay nonce	[RFC8555]
badPublicKey	The JWS was signed by a public key the server does not support	[RFC8555]
badRevocationReason	The revocation reason provided is not allowed by the server	[RFC8555]
badSignatureAlgorithm	The JWS was signed with an algorithm the server does not support	[RFC8555]
caa	Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate	[RFC8555]
compound	Specific error conditions are indicated in the "subproblems" array	[RFC8555]
connection	The server could not connect to validation target	[RFC8555]
dns	There was a problem with a DNS query during identifier validation	[RFC8555]
externalAccountRequired	The request must include a value for the "externalAccountBinding" field	[RFC8555]
incorrectResponse	Response received didn't match the challenge's requirements	[RFC8555]
invalidContact	A contact URL for an account was invalid	[RFC8555]
malformed	The request message was malformed	[RFC8555]
orderNotReady	The request attempted to finalize an order that is not ready to be finalized	[RFC8555]
rateLimited	The request exceeds a rate limit	[RFC8555]
rejectedIdentifier	The server will not issue certificates for the identifier	[RFC8555]
serverInternal	The server experienced an internal error	[RFC8555]
tls	The server received a TLS error during validation	[RFC8555]
unauthorized	The client lacks sufficient authorization	[RFC8555]
unsupportedContact	A contact URL for an account used an unsupported protocol scheme	[RFC8555]
unsupportedIdentifier	An identifier is of an unsupported type	[RFC8555]
userActionRequired	Visit the "instance" URL and take actions specified there	[RFC8555]
autoRenewalCanceled	The short-term certificate is no longer available because the auto-renewal Order has been explicitly canceled by the IdO	[RFC8739]
autoRenewalExpired	The short-term certificate is no longer available because the auto-renewal Order has expired	[RFC8739]
autoRenewalCancellationInvalid	A request to cancel an auto-renewal Order that is not in state "valid" has been received	[RFC8739]
autoRenewalRevocationNotSupported	A request to revoke an auto-renewal Order has been received	[RFC8739]
unknownDelegation	An unknown configuration is listed in the delegation attribute of the order request	[RFC9115]
onionCAARequired	The CA only supports checking the CAA for Hidden Services in-band, but the client has not provided an in-band CAA	[RFC9799]
alreadyReplaced	The request specified a predecessor certificate that has already been marked as replaced	[RFC9773]

ACME Resource Types

Registration Procedure(s)

Specification Required

Expert(s)

Richard Barnes, Aaron Gable

Reference

[RFC8555]

Available Formats

CSV

Field Name	Resource Type	Reference
newNonce	New nonce	[RFC8555]
newAccount	New account	[RFC8555]
newOrder	New order	[RFC8555]
newAuthz	New authorization	[RFC8555]
revokeCert	Revoke certificate	[RFC8555]
keyChange	Key change	[RFC8555]
meta	Metadata object	[RFC8555]
renewalInfo	RenewalInfo object	[RFC9773]

ACME Directory Metadata Fields

Registration Procedure(s)

Specification Required

Expert(s)

Richard Barnes, Aaron Gable

Reference

[RFC8555]

Available Formats

CSV

Field Name	Field Type	Reference
termsOfService	string	[RFC8555]
website	string	[RFC8555]
caaIdentities	array of string	[RFC8555]
externalAccountRequired	boolean	[RFC8555]
auto-renewal	object	[RFC8739]
delegation-enabled	boolean	[RFC9115]
allow-certificate-get	boolean	[RFC9115]
subdomainAuthAllowed	boolean	[RFC9444]
onionCAARequired	boolean	[RFC9799]

ACME Identifier Types

Registration Procedure(s)

Specification Required

Expert(s)

Richard Barnes, Aaron Gable

Reference

[RFC8555]

Available Formats

CSV

Label	Reference
dns	[RFC8555]
ip	[RFC8738]
email	[RFC8823][RFC-ietf-emailcore-rfc5321bis-43][RFC6531]
TNAuthList	[RFC9448]
bundleEID	[RFC9891]
NfInstanceId	[3GPP TS 33.310]

ACME Validation Methods

Registration Procedure(s)

Specification Required

Expert(s)

Richard Barnes, Aaron Gable

Reference

[RFC8555]

Available Formats

CSV

Label	Identifier Type	ACME	Reference
http-01	dns	Y	[RFC8555]
dns-01	dns	Y	[RFC8555]
tls-sni-01	RESERVED	N	[RFC8555]
tls-sni-02	RESERVED	N	[RFC8555]
http-01	ip	Y	[RFC8738]
tls-alpn-01	ip	Y	[RFC8738]
tls-alpn-01	dns	Y	[RFC8737]
email-reply-00	email	Y	[RFC8823]
tkauth-01	TNAuthList	Y	[RFC9447]
onion-csr-01	dns	Y	[RFC9799]
bp-nodeid-00	bundleEID	Y	[RFC9891]
tkauth-01	NfInstanceId	Y	[3GPP TS 33.310]

ACME Order Auto-Renewal Fields

Registration Procedure(s)

Specification Required

Expert(s)

Yaron Sheffer, Diego R. Lopez, Thomas Fossati, Aaron Gable

Reference

[RFC8739]

Available Formats

CSV

Field Name	Field Type	Configurable	Reference
start-date	string	true	[RFC8739]
end-date	string	true	[RFC8739]
lifetime	integer	true	[RFC8739]
lifetime-adjust	integer	true	[RFC8739]
allow-certificate-get	boolean	true	[RFC8739]

ACME Directory Metadata Auto-Renewal Fields

Registration Procedure(s)

Specification Required

Expert(s)

Yaron Sheffer, Diego R. Lopez, Thomas Fossati, Aaron Gable

Reference

[RFC8739]

Available Formats

CSV

Field Name	Field Type	Reference
min-lifetime	integer	[RFC8739]
max-duration	integer	[RFC8739]
allow-certificate-get	boolean	[RFC8739]

STAR Delegation CSR Template Extensions

Registration Procedure(s)

Specification Required

Expert(s)

Yaron Sheffer, Diego R. Lopez, Thomas Fossati, Aaron Gable

Reference

[RFC9115]

Available Formats

CSV

Extension Name	Extension Syntax and Reference	Mapping to X.509 Certificate Extension
keyUsage	[RFC9115, Appendix A]	[RFC5280, Section 4.2.1.3]
extendedKeyUsage	[RFC9115, Appendix A]	[RFC5280, Section 4.2.1.12]
subjectAltName	[RFC9115, Appendix A]	[RFC5280, Section 4.2.1.6] (note that only specific name formats are allowed: URI, DNS name, email address)