ACME CA Comparison¶
As more public certificate authorities hop on the ACME bandwagon, it is important to understand the details and limitations of their implementations. This page will attempt to keep track of that data.
ACME CA Info¶
| Name | Free SAN Limit | Free Wildcards | Free Lifetime | Chain Info | Rate Limits | Directory Endpoint | Notes |
|---|---|---|---|---|---|---|---|
| Let's Encrypt | 100 names |  |
90 days | Chains | Policy | RSA + ECC | Service Status Staging Environment |
| BuyPass | 5 names |  |
180 days | Roots "Go SSL" | Policy | RSA + ECC | Test Environment |
| ZeroSSL | 100+ names | |
90 days | RSA Iss1/Iss2/Root ECC Iss1/Iss2/Root |
?? | RSA + ECC | Staging Endpoint Quick Start |
| SSL.com | 1 name + www | |
90 days | RSA Iss/Root ECC Iss/Root |
?? | RSA ECC |
See Warning below |
| 100+ names | |
90* days | Iss/Root | Policy | RSA + ECC | See Notes below |
- Wildcard names (if supported) count towards Subject Alternative Name (SAN) limits.
1 name + wwwmeans one domain name plus its www name variant such asexample.comandwww.example.com- Using Let's Encrypt's ECDSA-only chain currently requires your ACME account be added to an allow-list. Otherwise, your ECDSA cert will be signed by the RSA chain.
- ZeroSSL supports a custom REST API that some clients use instead of pure ACME.
- SSL.com Warning: If your SSL.com account has funds available, you will be charged for a paid 1-year certificate instead of a free 90-day certificate. There is no known way to request only a free certificate.
- Google certs have a 90 day lifetime by default but can be requested for shorter lifetimes down to 1 day. The recommended minimum lifetime is 3 days.
- Google certs do not currently support punycode/IDN domains.
ACME Spec and Feature Support¶
Some of the features in the ACME protocol are optional. Others are mandatory but not yet supported by some implementations. Here is the status of those various features in each CA.
Note
Multi-perspective validation is not part of the ACME protocol but is an important security feature for the integrity of domain validation. SXG Support is also not part of the ACME protocol but is a notable feature among free ACME CAs.
| Feature | Let's Encrypt | BuyPass | ZeroSSL | SSL.com | |
|---|---|---|---|---|---|
| (EAB) External Account Binding |
n/a | n/a | Required* | Required | Required* |
| Multi-perspective Validation |
|
|
|
|
|
| Account Key Rollover |
|
|
|
* |
|
| Account Deactivation |
|
|
|
|
|
| Account Orders |
(Planned) |
|
|
* |
|
| IP Address Identifiers |
(Planned) |
|
* |
|
|
| Pre-Authorization | |
|
|
|
|
| Authorization Deactivation |
|
|
|
|
|
| Cert Revocation |
|
 (Only using account key) |
|
|
|
| Challenge Retrying |
|
(Client must request retry) |
|
(Client must request retry) |
|
| Variable Cert Lifetime | |
|
|
|
|
| SXG Support | |
|
|
|
* |
- = Feature supported
- = Feature unsupported
- = Feature partially supported.
= Support unknown or untested- SSL.com throws "Missing Authentication Token" errors when making some calls against Account endpoints which is why those features are labeled Unsupported.
- SSL.com requires an email address in the ACME account contact field, but doesn't enforce it on creation time. Instead, it throws an "badCSR" error when you try to finalize an order from an account with an empty address.
- ZeroSSL's EAB credentials can only be used once to establish a new ACME account. Creating additional accounts requires generating new EAB credentials.
- ZeroSSL does support IP address based certificates, but not via the ACME protocol.
- Google's EAB credentials can only be used once to establish a new ACME account and expire after 7 days if not used. Creating additional accounts requires generating new EAB credentials.
- For Google SXG Certificates, you must use a different ACME directory endpoint. https://dv-sxg.acme-v02.api.pki.goog/directory