ACME CA Comparison

As more public certificate authorities hop on the ACME bandwagon, it is important to understand the details and limitations of their implementations. This page will attempt to keep track of that data.

ACME CA Info

| | Let's Encrypt | BuyPass | ZeroSSL | SSL.com | Google |
|---|---|---|---|---|---|
| Free SAN Limit | 100 names | 5 names | 100+ names | 1 name + www | 100+ names |
| Free Wildcards | ✅ | ❌ | ✅ | ❌ | ✅ |
| Free Lifetime | 90 days | 180 days | 90 days | 90 days | 1*-90 days |
| IDN Support | ✅ | ✅ | ✅ | ✅ | ❌ |
| Chain Info | Chains | Roots "Go SSL" | RSA Iss1/Iss2/Root; ECC Iss1/Iss2/Root | RSA Iss/Root; ECC Iss/Root | Iss/Root |
| Rate Limits | Policy | Policy | ?? | ?? | Policy |
| Notes | Service Status; Staging Environment | Test Environment | See Notes below | See Warning below | Staging Endpoint; Quick Start |

  • Wildcard names (if supported) count towards Subject Alternative Name (SAN) limits.
  • 1 name + www means one domain name plus its www name variant, such as example.com and www.example.com.
  • Using Let's Encrypt's ECDSA-only chain currently requires your ACME account be added to an allow-list. Otherwise, your ECDSA cert will be signed by the RSA chain.
  • ZeroSSL supports a custom REST API that some clients use instead of pure ACME.
  • SSL.com Warning: If your SSL.com account has funds available, you will be charged for a paid 1-year certificate instead of a free 90-day certificate. There is no known way to request only a free certificate.
  • Google certs have a 90-day lifetime by default but can be requested for shorter lifetimes down to 1 day if supported by your ACME client. The recommended minimum lifetime is 3 days.

ACME Spec and Feature Support

Some of the features in the ACME protocol are optional. Others are mandatory but not yet supported by some implementations. Here is the status of those various features in each CA.

Note

Multi-perspective validation is not part of the ACME protocol but is an important security feature for the integrity of domain validation. SXG Support is also not part of the ACME protocol but is a notable feature among free ACME CAs.

| Feature | Let's Encrypt | BuyPass | ZeroSSL | SSL.com | Google |
|---|---|---|---|---|---|
| (EAB) External Account Binding | n/a | n/a | Required | Required | Required* |
| Multi-perspective Validation | ✅ | ❌ | ❌ | ❌ | ✅ |
| Account Key Rollover | ✅ | ✅ | ❌ | ❌* | ✅ |
| Account Deactivation | ✅ | ✅ | ✅ | ✅ | ✅ |
| Account Orders | ❌ (Planned) | ❌ | ❌ | ❌* | ❌ |
| IP Address Identifiers | ❌ (Planned) | ❌ | ❌* | ❌ | ❌ |
| Pre-Authorization | ❌ | ✅ | ❌ | ❌ | ❌ |
| Authorization Deactivation | ✅ | ✅ | ✅ | ✅ | ✅ |
| Cert Revocation | ✅ | ⚠ (Only using account key) | ✅ | ✅ | ✅ |
| Challenge Retrying | ❌ | ⚠ (Client must request retry) | ✅ | ⚠ (Client must request retry) | ❌ |
| Variable Cert Lifetime | ❌ | ❌ | ❌ | ❌ | ✅ |
| SXG Support | ❌ | ❌ | ❌ | ❌ | ✅* |
| ACME Renewal Information (ARI) | draft-03 | ❌ | ❌ | ❌ | draft-03 |

  • ✅ = Feature supported
  • ❌ = Feature unsupported
  • ⚠ = Feature partially supported
  • ❓ = Support unknown or untested
  • SSL.com throws "Missing Authentication Token" errors when making some calls against Account endpoints, which is why those features are labeled Unsupported.
  • SSL.com requires an email address in the ACME account contact field, but doesn't enforce it at creation time. Instead, it throws a "badCSR" error when you try to finalize an order from an account with an empty address.
  • ZeroSSL does support IP address based certificates, but not via the ACME protocol.
  • Google's EAB credentials can only be used once to establish a new ACME account and expire after 7 days if not used. Creating additional accounts requires generating new EAB credentials.
  • For Google SXG Certificates, you must use a different ACME directory endpoint: https://dv-sxg.acme-v02.api.pki.goog/directory
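
Several rows in the feature table can be cross-checked against what a CA advertises in its ACME directory object: in RFC 8555, `meta.externalAccountRequired` signals mandatory EAB and `newAuthz` is present only when pre-authorization is implemented, and ARI adds a `renewalInfo` entry. The following is an added example, not part of the original page or of any ACME client; the `acme.example` URLs and the sample directory are constructed.

```python
import json

# Constructed sample directory (placeholder host, not captured from any real CA).
SAMPLE_DIRECTORY = json.loads("""
{
  "newNonce": "https://acme.example/acme/new-nonce",
  "newAccount": "https://acme.example/acme/new-acct",
  "newOrder": "https://acme.example/acme/new-order",
  "newAuthz": "https://acme.example/acme/new-authz",
  "revokeCert": "https://acme.example/acme/revoke-cert",
  "keyChange": "https://acme.example/acme/key-change",
  "renewalInfo": "https://acme.example/acme/renewal-info",
  "meta": {"externalAccountRequired": true, "caaIdentities": ["acme.example"]}
}
""")

# Directory fields listed in RFC 8555 other than the optional newAuthz.
REQUIRED = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")


def advertised_features(directory):
    """Report which optional ACME features a directory object advertises."""
    if not isinstance(directory, dict):
        raise ValueError("ACME directory must be a JSON object")
    meta = directory.get("meta")
    if not isinstance(meta, dict):
        meta = {}  # "meta" is optional; treat a missing or malformed one as empty

    def is_https_url(key):
        value = directory.get(key)
        return isinstance(value, str) and value.startswith("https://")

    return {
        # EAB is mandatory only when the flag is literally true.
        "eab_required": meta.get("externalAccountRequired") is True,
        # Servers without pre-authorization must omit newAuthz.
        "pre_authorization": is_https_url("newAuthz"),
        "key_rollover": is_https_url("keyChange"),
        # ARI adds a renewalInfo entry to the directory.
        "ari": is_https_url("renewalInfo"),
        "caa_identities": list(meta.get("caaIdentities") or []),
        # Listed endpoints that are absent or not served over HTTPS.
        "missing_required": [k for k in REQUIRED if not is_https_url(k)],
    }


if __name__ == "__main__":
    for name, value in advertised_features(SAMPLE_DIRECTORY).items():
        print(f"{name}: {value}")
```

A directory entry only shows that an endpoint is advertised; calls against it can still fail, so the result complements the table rather than replacing it.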