ACME CA Comparison

As more public certificate authorities hop on the ACME bandwagon, it is important to understand the details and limitations of their implementations. This page will attempt to keep track of that data for public CAs offering free certificates via ACME.

ACME CA Info

	Let's Encrypt	Google	ZeroSSL	SSL.com	Actalis
Free SAN Limit	100 names	100+ names	100+ names	1 name + www	1 name + www
Free Wildcards
Free Lifetime	90 days	1*-90 days	90 days	90 days	90 days
IDN Support
Chain Info	Chains	Iss/Root	RSA Iss1/Iss2/Root ECC Iss1/Iss2/Root	RSA Iss/Root ECC Iss/Root	Iss/Root
Rate Limits	Policy	Policy	??	??	??
Notes	Service Status Staging Environment	Staging Endpoint Quick Start	See Notes below	See Warning below	CPS and Audit Docs

• Wildcard names (if supported) count towards Subject Alternative Name (SAN) limits.
• 1 name + www means one domain name plus its www name variant such as example.com and www.example.com
• ZeroSSL supports a custom REST API that some clients use instead of pure ACME.
• SSL.com Warning: If your SSL.com account has funds available, you will be charged for a paid 1-year certificate instead of a free 90-day certificate. There is no known way to request only a free certificate.
• Google certs have a 90 day lifetime by default but can be requested for shorter lifetimes down to 1 day if supported by your ACME client. The recommended minimum lifetime is 3 days.
• BuyPass has been removed from this page since they stopped offering free certs via ACME on October 15, 2025.

ACME Spec and Feature Support

Some of the features in the ACME protocol are optional. Others are mandatory but not yet supported by some implementations. Here is the status of those various features in each CA.

Note

Multi-perspective validation is not part of the ACME protocol but is an important security feature for the integrity of domain validation. SXG Support is also not part of the ACME protocol but is a notable feature among free ACME CAs.

Feature	Let's Encrypt	Google	ZeroSSL	SSL.com	Actalis
(EAB) External Account Binding	Not Needed	Required*	Required	Required	Required
Multi-perspective Validation
Account Key Rollover				*	*
Account Deactivation
Account Orders	(Planned)			*	*
IP Address Identifiers	(Planned)	*	*
Pre-Authorization
Authorization Deactivation					*
Cert Revocation					(Only via account key)
Challenge Retrying				(Client must request)	*
Variable Cert Lifetime
SXG Support		*
ACME Renewal Information (ARI)

• = Feature supported
• = Feature unsupported
• = Feature partially supported.
• = Support unknown or untested
• SSL.com throws "Missing Authentication Token" errors when making some calls against Account endpoints which is why those features are labeled Unsupported.
• SSL.com requires an email address in the ACME account contact field, but doesn't enforce it on creation time. Instead, it throws an "badCSR" error when you try to finalize an order from an account with an empty address.
• ZeroSSL does support IP address based certificates, but not via the ACME protocol.
• Google's EAB credentials can only be used once to establish a new ACME account and expire after 7 days if not used. Creating additional accounts requires generating new EAB credentials.
• Google conditionally offers IP certificates for customers who provide a valid business need.
• For Google SXG Certificates, you must use a different ACME directory endpoint. https://dv-sxg.acme-v02.api.pki.goog/directory
• Actalis advertises the key rollover endpoint, but it throws an error.
• Actalis account objects have the orders field, but it does not currently return orders for the account.
• Actalis does not cache authorizations. Attempting to deactivate one doesn't throw an error, but is not required.
• Actalis puts failed challenges into the processing status implying they will retry, but they never do. Explicit retry requests also don't seem to work.