Which ACME providers besides Let’s Encrypt do you use?
Daniel Nashed – 3 December 2020 23:51:34
Is someone using other ACME providers than Let's Encrypt to request web server certificates? I have been playing with all applications/services I found...
Pebble and Boulder are just test servers for ACME client developers.
You can't really use them for anything production.
The certificates are not trusted and when you restart the server, all your accounts are gone.
But SmallStep CA is a pretty interesting project and I blogged about it some weeks ago.
There are two other ACME enabled CAs which provide freemium services.
ZeroSSL needs an account, which you can register for free, and then the ACME client needs to support external account binding (EAB).
In this case, that is an API token generated with your account, which the ACME protocol uses when registering an ACME account.
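To show what EAB support involves on the client side, here is an added example (not from the original post or from any CA's code) that builds and checks the `externalAccountBinding` object defined in RFC 8555 section 7.3.4: a JWS over the ACME account public key, MACed with the key the CA issued for your account. The key ID, MAC key, URL and JWK values are constructed placeholders.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_eab(account_jwk: dict, kid: str, mac_key_b64: str, new_account_url: str) -> dict:
    """Client side: inner JWS for the newAccount payload's externalAccountBinding."""
    # The inner header carries no nonce; its url must equal the outer JWS url.
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header).encode())
    payload = b64url(json.dumps(account_jwk).encode())  # ACME account public key
    mac = hmac.new(b64url_decode(mac_key_b64),
                   f"{protected}.{payload}".encode(), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}

def verify_eab(eab: dict, mac_key_b64: str, outer_jwk: dict, outer_url: str) -> bool:
    """CA side: header rules hold, MAC is valid, bound key equals the outer key."""
    header = json.loads(b64url_decode(eab["protected"]))
    if header.get("alg") != "HS256" or "nonce" in header or header.get("url") != outer_url:
        return False
    signing_input = f'{eab["protected"]}.{eab["payload"]}'.encode()
    expected = hmac.new(b64url_decode(mac_key_b64), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    return json.loads(b64url_decode(eab["payload"])) == outer_jwk

# Constructed sample values: not real credentials and not a real CA endpoint.
KID = "example-kid"
MAC_KEY = b64url(b"constructed-eab-mac-key")
URL = "https://acme.example/new-account"
ACCOUNT_JWK = {"crv": "P-256", "kty": "EC", "x": "constructed-x", "y": "constructed-y"}

if __name__ == "__main__":
    eab = build_eab(ACCOUNT_JWK, KID, MAC_KEY, URL)
    print(json.dumps({"termsOfServiceAgreed": True, "externalAccountBinding": eab}, indent=2))
    print("valid:", verify_eab(eab, MAC_KEY, ACCOUNT_JWK, URL))
```

The outer newAccount request is still signed with the account's private key; the MAC only proves that whoever holds the CA-issued key authorised that specific ACME account key.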
BuyPass also has free SSL certificates.
I found the following limitations and functionality so far when playing with those two providers:
ZeroSSL
- No ACME account rollover
- Maximum NIST P-384
- Does support certificate revocation
BuyPass
- Only RSA for ACME account
- Does support ACME account rollover
- Maximum NIST P-256 certs
- Does support certificate revocation
- Certificate is valid for 6 months -- which is great for testing, but for production you want a short certificate lifetime, and we have automatic renewal via ACME anyway.
Here is the list of all implementations I looked into.
Let's Encrypt Production
https://letsencrypt.org
Let's Encrypt Staging
https://letsencrypt.org/docs/staging-environment/
Let's Encrypt Boulder
https://github.com/letsencrypt/boulder
Let's Encrypt Pebble
https://github.com/letsencrypt/pebble
ZeroSSL - requires external account binding (EAB)
https://zerossl.com
BuyPass
https://buypass.com/
SmallStep ACME CA
https://smallstep.com/docs/tutorials/acme-challenge