Skip to content

ACME Protocol

Endi S. Dewata edited this page Jan 4, 2022 · 7 revisions

Overview

Domain Validation

  • Client generates agent keypair and sends authentication request to server

  • Server generates authentication challenges and nonce and sends the response to client

  • Client generates authentication response and signs nonce and notifies server

  • Server verifies signed nonce

  • Server verifies authentication response

Certificate Issuance and Revocation

  • Client generates a CSR and sends a signed request to server

  • Server validates CSR signature and agent signature

  • Server generates a certificate and send it to client

Certificate Revocation

  • Client sends a signed request to server

  • Server validates the request

  • Server generates CRL

Public Proxy

  • Public proxy will accept requests from ACME client and pass them to ACME server.

  • ACME server will perform validation directly against ACME clients.

Private Proxy

  • Public proxy will accept requests from ACME client and pass them to ACME server.

  • ACME server will perform validation against the ACME proxy and pass the result to ACME clients.

Certificate Enrollment with New Account

Action Request Response

Get directory

GET /acme/directory

200

Create nonce

HEAD /acme/new-nonce

200

Create account

POST /acme/new-account

201 → account

Create order

POST /acme/new-order

201 → order

Check authorization

POST-as-GET /acme/authz/{authzID}

200

Respond to challenges

POST /acme/chall/{challengeID}

200

Poll authorization for status

POST-as-GET /acme/authz/{authzID}

200

Finalize order

POST /acme/order/{orderID}/finalize

200

Poll order for status

POST-as-GET /acme/order/{orderID}

200

Download certificate

POST-as-GET /acme/cert/{certID}

200

Certificate Enrollment with Existing Account

Action Request Response

Get directory

GET /acme/directory

200

Create nonce

HEAD /acme/new-nonce

200

Create order

POST /acme/new-order

201 → order

Check authorization

POST-as-GET /acme/authz/{authzID}

200

Respond to challenges

POST /acme/chall/{challengeID}

200

Poll authorization for status

POST-as-GET /acme/authz/{authzID}

200

Finalize order

POST /acme/order/{orderID}/finalize

200

Poll order for status

POST-as-GET /acme/order/{orderID}

200

Download certificate

POST-as-GET /acme/cert/{certID}

200

Pre-authorization

Action Request Response

Create authorization

POST /acme/new-authz

201 → authz

Revoking a Certificate

Action Request Response

Get directory

GET /acme/directory

200

Create nonce

HEAD /acme/new-nonce

200

Revoke certificate

POST /acme/revoke-cert

200

Creating an Account

Action Request Response

Get directory

GET /acme/directory

200

Create nonce

HEAD /acme/new-nonce

200

Create account

POST /acme/new-acct

200

Updating an Account

Action Request Response

Get directory

GET /acme/directory

200

Create nonce

HEAD /acme/new-nonce

200

Verifying existing account

POST /acme/new-acct

200

Updating account

POST /acme/acct/{accountID}

200

Unregistering an Account

Action Request Response

Get directory

GET /acme/directory

200

Create nonce

HEAD /acme/new-nonce

200

Verifying existing account

POST /acme/new-acct

200

Deactivating account

POST /acme/acct/{accountID}

200

RFCs

See Also

Clone this wiki locally