ACME CA Comparison

As more public certificate authorities hop on the ACME bandwagon, it is important to understand the details and limitations of their implementations. This page will attempt to keep track of that data.

ACME CA Info

| Name | Free SAN Limit | Free Wildcards | Free Lifetime | Chain Info | Rate Limits | Directory Endpoint | Notes |
|---|---|---|---|---|---|---|---|
| Let's Encrypt | 100 names | ✅ | 90 days | Chains | Policy | RSA + ECC | Service Status, Staging Environment |
| BuyPass | 5 names | ❌ | 180 days | Roots | "Go SSL" Policy | RSA + ECC | Test Environment |
| ZeroSSL | 100+ names | ✅ | 90 days | RSA Iss1/Iss2/Root, ECC Iss1/Iss2/Root | ?? | RSA + ECC | |
| SSL.com | 1 name + www | ❌ | 90 days | RSA Iss/Root, ECC Iss/Root | ?? | RSA, ECC | See Warning below |

  • Wildcard names (if supported) count towards Subject Alternative Name (SAN) limits.
  • 1 name + www means one domain name plus its www variant, such as example.com and www.example.com.
  • Using Let's Encrypt's ECDSA-only chain currently requires your ACME account be added to an allow-list. Otherwise, your ECDSA cert will be signed by the RSA chain.
  • ZeroSSL supports a custom REST API that some clients use instead of pure ACME.
  • SSL.com Warning: If your SSL.com account has funds available, you will be charged for a paid 1-year certificate instead of a free 90-day certificate. There is no known way to request only a free certificate.

ACME Spec and Feature Support

Some of the features in the ACME protocol are optional. Others are mandatory, but not yet supported by some implementations. Here is the status of those various features in each CA.

NOTE: Multi-perspective validation is not technically part of the ACME protocol, but it is an important security feature for the integrity of domain validation.

| Feature | Let's Encrypt | BuyPass | ZeroSSL | SSL.com |
|---|---|---|---|---|
| (EAB) External Account Binding | n/a | n/a | Required* | Required |
| Multi-perspective Validation | ✅ | ❌ | ❌ | ❌ |
| Account Key Rollover | ✅ | ✅ | ❌ | ❌* |
| Account Deactivation | ✅ | ✅ | ✅ | ✅ |
| Account Orders | ❌ (Planned) | ❌ | ❌ | ❌* |
| IP Address Identifiers | ❌ (Planned) | ❌ | ❌* | ❌ |
| Pre-Authorization | ❌ | ✅ | ❌ | ❌ |
| Authorization Deactivation | ✅ | ✅ | ✅ | ✅ |
| Cert Revocation | ✅ | ⚠ (Only using account key) | ✅ | ✅ |
| Challenge Retrying | ❌ | ⚠ (Client must request retry) | ✅ | ⚠ (Client must request retry) |

  • ✅ = Feature supported
  • ❌ = Feature unsupported
  • ⚠ = Feature partially supported
  • ❓ = Support unknown or untested
  • SSL.com throws "Missing Authentication Token" errors when making some calls against Account endpoints, which is why those features are labeled Unsupported.
  • SSL.com requires an email address in the ACME account contact field, but doesn't enforce it at creation time. Instead, it throws a "badCSR" error when you try to finalize an order from an account with an empty address.
  • ZeroSSL's EAB credentials can only be used once to establish a new ACME account. Creating additional accounts requires generating new EAB credentials.
  • ZeroSSL does support IP address based certificates, but not via the ACME protocol.
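
The External Account Binding row and the ZeroSSL single-use note refer to the binding defined in RFC 8555 section 7.3.4. The sketch below is an added example, not code from this page or from any CA: it builds the EAB JWS on the client side and checks it on the CA side. The credential store `issued`, the `acme.example` URL, the key material, and retiring a `kid` after its first use (to model the single-use behaviour noted for ZeroSSL) are assumptions.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:  # base64url without padding, as JWS requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key_b64: str, protected: str, payload: str) -> bytes:
    signing_input = f"{protected}.{payload}".encode("ascii")
    return hmac.new(b64url_decode(key_b64), signing_input, hashlib.sha256).digest()

def build_eab(account_jwk: dict, kid: str, key_b64: str, new_account_url: str) -> dict:
    """Client side: MAC the account public key with the CA-issued EAB key."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}  # no "nonce" allowed
    protected = b64url(json.dumps(header).encode())
    payload = b64url(json.dumps(account_jwk).encode())
    return {"protected": protected, "payload": payload,
            "signature": b64url(_mac(key_b64, protected, payload))}

def verify_eab(eab: dict, outer_jwk: dict, outer_url: str, issued: dict) -> bool:
    """CA side. `issued` maps kid -> base64url MAC key (hypothetical credential store)."""
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        key_b64 = issued.get(header.get("kid"))
        if key_b64 is None or header.get("alg") != "HS256" or "nonce" in header:
            return False
        if header.get("url") != outer_url:  # must equal the outer newAccount JWS url
            return False
        expected = _mac(key_b64, eab["protected"], eab["payload"])
        if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
            return False
        if json.loads(b64url_decode(eab["payload"])) != outer_jwk:
            return False  # binding was made for a different account key
    except (KeyError, TypeError, ValueError, AttributeError):
        return False  # malformed JWS fields are rejected, not raised
    # Assumption: model single-use credentials by retiring the kid after first success.
    del issued[header["kid"]]
    return True

# Constructed sample values, not real credentials or endpoints.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_KEY = b64url(b"constructed-eab-mac-key-32bytes!")
SAMPLE_URL = "https://acme.example/new-account"

if __name__ == "__main__":
    store = {"kid-1": SAMPLE_KEY}
    eab = build_eab(SAMPLE_JWK, "kid-1", SAMPLE_KEY, SAMPLE_URL)
    print([verify_eab(eab, SAMPLE_JWK, SAMPLE_URL, store) for _ in range(2)])  # first use, then reuse
```

Because the MAC covers the account public key, a captured binding cannot be attached to a different account key, and the `url` check ties it to one CA's newAccount endpoint.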