ACME Protocol - dogtagpki/pki GitHub Wiki

Overview

Domain Validation

  • Client generates agent keypair and sends authentication request to server

  • Server generates authentication challenges and nonce and sends the response to client

  • Client generates authentication response and signs nonce and notifies server

  • Server verifies signed nonce

  • Server verifies authentication response

Certificate Issuance

  • Client generates a CSR and sends a signed request to server

  • Server validates CSR signature and agent signature

  • Server generates a certificate and sends it to client

Certificate Revocation

  • Client sends a signed request to server

  • Server validates the request

  • Server generates CRL

Public Proxy

  • Public proxy will accept requests from ACME client and pass them to ACME server.

  • ACME server will perform validation directly against ACME clients.

Private Proxy

  • Private proxy will accept requests from ACME client and pass them to ACME server.

  • ACME server will perform validation against the ACME proxy and pass the result to ACME clients.

Certificate Enrollment with New Account

| Action | Request | Response |
|---|---|---|
| Get directory | GET /acme/directory | 200 |
| Create nonce | HEAD /acme/new-nonce | 200 |
| Create account | POST /acme/new-account | 201 → account |
| Create order | POST /acme/new-order | 201 → order |
| Check authorization | POST-as-GET /acme/authz/{authzID} | 200 |
| Respond to challenges | POST /acme/chall/{challengeID} | 200 |
| Poll authorization for status | POST-as-GET /acme/authz/{authzID} | 200 |
| Finalize order | POST /acme/order/{orderID}/finalize | 200 |
| Poll order for status | POST-as-GET /acme/order/{orderID} | 200 |
| Download certificate | POST-as-GET /acme/cert/{certID} | 200 |

Certificate Enrollment with Existing Account

| Action | Request | Response |
|---|---|---|
| Get directory | GET /acme/directory | 200 |
| Create nonce | HEAD /acme/new-nonce | 200 |
| Create order | POST /acme/new-order | 201 → order |
| Check authorization | POST-as-GET /acme/authz/{authzID} | 200 |
| Respond to challenges | POST /acme/chall/{challengeID} | 200 |
| Poll authorization for status | POST-as-GET /acme/authz/{authzID} | 200 |
| Finalize order | POST /acme/order/{orderID}/finalize | 200 |
| Poll order for status | POST-as-GET /acme/order/{orderID} | 200 |
| Download certificate | POST-as-GET /acme/cert/{certID} | 200 |

Pre-authorization

| Action | Request | Response |
|---|---|---|
| Create authorization | POST /acme/new-authz | 201 → authz |

Revoking a Certificate

| Action | Request | Response |
|---|---|---|
| Get directory | GET /acme/directory | 200 |
| Create nonce | HEAD /acme/new-nonce | 200 |
| Revoke certificate | POST /acme/revoke-cert | 200 |

Creating an Account

| Action | Request | Response |
|---|---|---|
| Get directory | GET /acme/directory | 200 |
| Create nonce | HEAD /acme/new-nonce | 200 |
| Create account | POST /acme/new-acct | 200 |

Updating an Account

| Action | Request | Response |
|---|---|---|
| Get directory | GET /acme/directory | 200 |
| Create nonce | HEAD /acme/new-nonce | 200 |
| Verify existing account | POST /acme/new-acct | 200 |
| Update account | POST /acme/acct/{accountID} | 200 |

Unregistering an Account

| Action | Request | Response |
|---|---|---|
| Get directory | GET /acme/directory | 200 |
| Create nonce | HEAD /acme/new-nonce | 200 |
| Verify existing account | POST /acme/new-acct | 200 |
| Deactivate account | POST /acme/acct/{accountID} | 200 |

RFCs

See Also
