ACME CA Comparison

As more public certificate authorities hop on the ACME bandwagon, it is important to understand the details and limitations of their implementations. This page will attempt to keep track of that data.

ACME CA Info

| Name | Free SAN Limit | Free Wildcards | Free Lifetime | Chain Info | Rate Limits | Directory Endpoint | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Let's Encrypt | 100 names | ✅ | 90 days | Chains | Policy | RSA + ECC | Service Status; Staging Environment |
| BuyPass | 5 names | ❌ | 180 days | Roots | "Go SSL" Policy | RSA + ECC | Test Environment |
| ZeroSSL | 100+ names | ✅ | 90 days | RSA Iss1/Iss2/Root; ECC Iss1/Iss2/Root | ?? | RSA + ECC | Staging Endpoint; Quick Start |
| SSL.com | 1 name + www | ❌ | 90 days | RSA Iss/Root; ECC Iss/Root | ?? | RSA; ECC | See Warning below |
| Google | 100+ names | ✅ | 90* days | Iss/Root | Policy | RSA + ECC | See Notes below |
  • Wildcard names (if supported) count towards Subject Alternative Name (SAN) limits.
  • 1 name + www means one domain name plus its www variant, such as example.com and www.example.com.
  • Using Let's Encrypt's ECDSA-only chain currently requires your ACME account be added to an allow-list. Otherwise, your ECDSA cert will be signed by the RSA chain.
  • ZeroSSL supports a custom REST API that some clients use instead of pure ACME.
  • SSL.com Warning: If your SSL.com account has funds available, you will be charged for a paid 1-year certificate instead of a free 90-day certificate. There is no known way to request only a free certificate.
  • Google certs have a 90-day lifetime by default but can be requested with shorter lifetimes, down to 1 day. The recommended minimum lifetime is 3 days.
  • Google certs do not currently support punycode/IDN domains.

ACME Spec and Feature Support

Some of the features in the ACME protocol are optional. Others are mandatory but not yet supported by some implementations. Here is the status of those various features in each CA.

Note

Multi-perspective validation is not part of the ACME protocol but is an important security feature for the integrity of domain validation. SXG Support is also not part of the ACME protocol but is a notable feature among free ACME CAs.

| Feature | Let's Encrypt | BuyPass | ZeroSSL | SSL.com | Google |
| --- | --- | --- | --- | --- | --- |
| External Account Binding (EAB) | n/a | n/a | Required* | Required | Required* |
| Multi-perspective Validation | ✅ | ❌ | ❌ | ❌ | ✅ |
| Account Key Rollover | ✅ | ✅ | ❌ | ❌* | ✅ |
| Account Deactivation | ✅ | ✅ | ✅ | ✅ | ✅ |
| Account Orders | ❌ (Planned) | ❌ | ❌ | ❌* | ❌ |
| IP Address Identifiers | ❌ (Planned) | ❌ | ❌* | ❌ | ❌ |
| Pre-Authorization | ❌ | ✅ | ❌ | ❌ | ❌ |
| Authorization Deactivation | ✅ | ✅ | ✅ | ✅ | ✅ |
| Cert Revocation | ✅ | ⚠ (Only using account key) | ✅ | ✅ | ✅ |
| Challenge Retrying | ❌ | ⚠ (Client must request retry) | ✅ | ⚠ (Client must request retry) | ❌ |
| Variable Cert Lifetime | ❌ | ❌ | ❌ | ❌ | ✅ |
| SXG Support | ❌ | ❌ | ❌ | ❌ | ✅* |
  • ✅ = Feature supported
  • ❌ = Feature unsupported
  • ⚠ = Feature partially supported
  • ❓ = Support unknown or untested
  • SSL.com throws "Missing Authentication Token" errors when making some calls against Account endpoints, which is why those features are labeled Unsupported.
  • SSL.com requires an email address in the ACME account contact field but doesn't enforce it at creation time. Instead, it throws a "badCSR" error when you try to finalize an order from an account with an empty address.
  • ZeroSSL's EAB credentials can only be used once to establish a new ACME account. Creating additional accounts requires generating new EAB credentials.
  • ZeroSSL does support IP address based certificates, but not via the ACME protocol.
  • Google's EAB credentials can only be used once to establish a new ACME account and expire after 7 days if not used. Creating additional accounts requires generating new EAB credentials.
  • For Google SXG Certificates, you must use a different ACME directory endpoint. https://dv-sxg.acme-v02.api.pki.goog/directory
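The EAB row above and the ZeroSSL and Google notes describe the credentials a CA hands out; the following added example (not code from this page or from any CA's client) shows how a client turns a kid and HMAC key into the externalAccountBinding JWS of RFC 8555 section 7.3.4, and what the CA checks on receipt. The newAccount URL, kid, HMAC key and account JWK are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS/ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_eab(kid: str, hmac_key_b64: str, account_jwk: dict, new_account_url: str) -> dict:
    """Build the externalAccountBinding JWS for a newAccount request (RFC 8555 section 7.3.4).

    kid and hmac_key_b64 are the EAB credentials the CA's portal hands out; the JWS binds the
    ACME account public key (account_jwk) to that portal account with an HMAC-SHA256 signature.
    """
    protected = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(sig)}

def verify_eab(eab: dict, hmac_key_b64: str, account_jwk: dict, new_account_url: str) -> bool:
    """The CA-side check: the MAC must verify, the url must be the newAccount URL, and the
    JWK inside the EAB must equal the account key carried in the outer newAccount JWS."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    protected = json.loads(b64url_decode(eab["protected"]))
    inner_jwk = json.loads(b64url_decode(eab["payload"]))
    return (protected.get("alg") == "HS256" and protected.get("url") == new_account_url
            and inner_jwk == account_jwk)

# Constructed sample credentials and account key (placeholders, not real CA values).
NEW_ACCOUNT_URL = "https://acme.example/acme/new-account"
EAB_KID = "example-eab-kid"
EAB_HMAC_KEY = b64url(bytes(range(32)))
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
SAMPLE_EAB = build_eab(EAB_KID, EAB_HMAC_KEY, ACCOUNT_JWK, NEW_ACCOUNT_URL)

if __name__ == "__main__":
    # The object is sent as the "externalAccountBinding" member of the newAccount payload.
    print(json.dumps({"contact": ["mailto:admin@example.com"], "termsOfServiceAgreed": True,
                      "externalAccountBinding": SAMPLE_EAB}, indent=2))
    print("verifies:", verify_eab(SAMPLE_EAB, EAB_HMAC_KEY, ACCOUNT_JWK, NEW_ACCOUNT_URL))
```

Because ZeroSSL and Google accept each kid/key pair only once, a client should persist the resulting account URL rather than repeat newAccount with the same EAB credentials.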