Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 

Daniel Nashed

 

ACME providers beside Let’s Encrypt do you use?

Daniel Nashed  3 December 2020 23:51:34
Is someone using other ACME providers than Let's Encrypt to request web server certificates?
I have been playing with all applications/services I found...


Pebble and Boulder are just test servers for ACME client developers.

You can't really use them for anything production.
The certificates are not trusted and when you restart the server, all your accounts are gone.


But SmallStep CA is a pretty interesting project, and I blogged about it some weeks ago.


There are two other ACME enabled CAs which provide freemium services.


ZeroSSL needs an account, which you can register for free. The ACME client then needs to support external account binding (EAB).

In this case, that is an API token generated with your account, which is used by the ACME protocol when registering an ACME account.



BuyPass also has free SSL certificates.


I found the following limitations and functionality so far when playing with those two providers:


ZeroSSL

- No ACME account rollover

- Maximum NIST P-384

- Does support certificate revocation


BuyPass

- Only RSA for ACME account

- Does support ACME account rollover

- Maximum NIST P-256 certs

- Does support certificate revocation

- Certificate is valid for 6 months -- which is great for testing, but for production you want a short certificate lifetime, and we have automatic renewal via ACME anyway.



Here is the list of all implementations I looked into.


Let's Encrypt Production

https://letsencrypt.org

Let's Encrypt Staging

https://letsencrypt.org/docs/staging-environment/

Let's Encrypt Boulder

https://github.com/letsencrypt/boulder

Let's Encrypt Pebble

https://github.com/letsencrypt/pebble

ZeroSSL - requires external account binding (EAB)

https://zerossl.com

BuyPass

https://buypass.com/

SmallStep ACME CA

https://smallstep.com/docs/tutorials/acme-challenge

Comments

1 Glen  03.12.2020 16:02:40  ACME providers beside Let’s Encrypt do you use?

I've used www.sslforfree.com

They are basically a front end to Zero SSL.

The main advantage is you can validate via an email instead of opening up port 80.

2 Daniel Nashed  03.12.2020 21:11:18  ACME providers beside Let’s Encrypt do you use?

Hi Glen!

That's interesting! Do they have any automation using the e-mail way?

I am currently focused on ACME, but I am always interested to see alternate solutions.

-- Daniel
