ACME CA Comparison¶
As more public certificate authorities adopt ACME, it is important to understand the details and limitations of each implementation. This page attempts to keep track of that data.
ACME CA Info¶
Name | Free SAN Limit | Free Wildcards | Free Lifetime | Chain Info | Rate Limits | Directory Endpoint | Notes
---|---|---|---|---|---|---|---
Let's Encrypt | 100 names | Yes | 90 days | Chains | Policy | RSA + ECC: `https://acme-v02.api.letsencrypt.org/directory` | Service Status; Staging Environment: `https://acme-staging-v02.api.letsencrypt.org/directory`
BuyPass | 5 names | No | 180 days | Roots ("Go SSL") | Policy | RSA + ECC: `https://api.buypass.com/acme/directory` | Test Environment: `https://api.test4.buypass.no/acme/directory`
ZeroSSL | 100+ names | Yes | 90 days | RSA Iss1/Iss2/Root; ECC Iss1/Iss2/Root | Unknown | RSA + ECC: `https://acme.zerossl.com/v2/DV90` | See notes below
SSL.com | 1 name + www | No | 90 days | RSA Iss/Root; ECC Iss/Root | Unknown | RSA: `https://acme.ssl.com/sslcom-dv-rsa`; ECC: `https://acme.ssl.com/sslcom-dv-ecc` | See Warning below
- Wildcard names (where supported) count toward the Subject Alternative Name (SAN) limit.
- "1 name + www" means one domain name plus its `www` variant, such as `example.com` and `www.example.com`.
- Using Let's Encrypt's ECDSA-only chain currently requires that your ACME account be added to an allow-list. Otherwise, your ECDSA certificate is signed by the RSA chain.
- ZeroSSL also offers a custom REST API that some clients use instead of pure ACME.
- SSL.com Warning: if your SSL.com account has funds available, you will be charged for a paid 1-year certificate instead of receiving a free 90-day certificate. There is no known way to request only the free certificate.
ACME Spec and Feature Support¶
Some of the features in the ACME protocol are optional. Others are mandatory, but not yet supported by some implementations. Here is the status of those features at each CA.
NOTE: Multi-perspective validation is not technically part of the ACME protocol, but it is an important security feature for the integrity of domain validation: the CA performs the challenge check from several network vantage points, so a BGP hijack or DNS poisoning visible from only one vantage point cannot pass validation on its own.
Feature | Let's Encrypt | BuyPass | ZeroSSL | SSL.com
---|---|---|---|---
External Account Binding (EAB) | n/a | n/a | Required* | Required
Multi-perspective Validation | Yes | ? | ? | ?
Account Key Rollover | Yes | ? | ? | No
Account Deactivation | Yes | ? | ? | No
Account Orders | No | ? | ? | No
IP Address Identifiers | ? | ? | No | ?
Pre-Authorization | No | ? | ? | ?
Authorization Deactivation | Yes | ? | ? | ?
Cert Revocation | Yes | ? | ? | ?
Challenge Retrying | No | ? | ? | ?
- Yes = Feature supported
- No = Feature unsupported
- Partial = Feature partially supported. For Cert Revocation, partial means the CA only accepts revocation requests signed with the account key, not with the certificate's own private key. For Challenge Retrying, partial means the CA does not retry a failed validation on its own; the client must explicitly re-POST the challenge to request the retry.
- ? = Support unknown or untested
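The quickest first check of several rows above is the CA's directory document itself. RFC 8555 section 7.1.1 requires every directory to list `newNonce`, `newAccount`, `newOrder`, `revokeCert` and `keyChange`; `newAuthz` (pre-authorization) is optional, and `meta.externalAccountRequired` announces that EAB is needed. The following is an added example, not code from this page or from any of the CAs: it parses a directory document and maps it to the table's columns. The two sample directories are constructed; only the URLs in `DIRECTORY_URLS` are the CAs' real production and test endpoints. The caveat a practitioner should keep in mind is that an advertised endpoint is not proof it works; SSL.com, for example, advertises account endpoints that error out (see the notes below).

```python
"""Summarize which optional ACME features a CA advertises in its directory.

Added example, not code from the original comparison page or from any CA.
"""
import json
import urllib.request

# Real production and test directory URLs for the CAs compared on this page.
DIRECTORY_URLS = {
    "Let's Encrypt": "https://acme-v02.api.letsencrypt.org/directory",
    "Let's Encrypt staging": "https://acme-staging-v02.api.letsencrypt.org/directory",
    "BuyPass": "https://api.buypass.com/acme/directory",
    "BuyPass test": "https://api.test4.buypass.no/acme/directory",
    "ZeroSSL": "https://acme.zerossl.com/v2/DV90",
    "SSL.com RSA": "https://acme.ssl.com/sslcom-dv-rsa",
    "SSL.com ECC": "https://acme.ssl.com/sslcom-dv-ecc",
}

# Resources RFC 8555 section 7.1.1 makes mandatory; newAuthz is the optional one.
REQUIRED_RESOURCES = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")

# Constructed sample: a CA that needs no EAB and offers no pre-authorization.
SAMPLE_DIRECTORY_OPEN = {
    "newNonce": "https://ca.example/acme/new-nonce",
    "newAccount": "https://ca.example/acme/new-acct",
    "newOrder": "https://ca.example/acme/new-order",
    "revokeCert": "https://ca.example/acme/revoke-cert",
    "keyChange": "https://ca.example/acme/key-change",
    "meta": {"termsOfService": "https://ca.example/tos.pdf", "caaIdentities": ["ca.example"]},
}

# Constructed sample: a CA that requires EAB and advertises pre-authorization.
SAMPLE_DIRECTORY_EAB = {
    **{k: v.replace("ca.example", "eab-ca.example")
       for k, v in SAMPLE_DIRECTORY_OPEN.items() if k != "meta"},
    "newAuthz": "https://eab-ca.example/acme/new-authz",
    "meta": {"externalAccountRequired": True},
}


def summarize_directory(directory):
    """Map a parsed directory document onto the feature rows of the table."""
    meta = directory.get("meta", {})
    return {
        # Anything missing here cannot be requested from the CA at all.
        "missing_required": [r for r in REQUIRED_RESOURCES if r not in directory],
        "pre_authorization": "newAuthz" in directory,
        # Advertised is not the same as working (see the SSL.com note on account endpoints).
        "key_rollover_advertised": "keyChange" in directory,
        "eab_required": bool(meta.get("externalAccountRequired", False)),
        "caa_identities": list(meta.get("caaIdentities", [])),
        "terms_of_service": meta.get("termsOfService"),
    }


def fetch_directory(url, timeout=10.0):
    """Fetch and parse a live directory document (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def yes_no(flag):
    return "Yes" if flag else "No"


def feature_table(directories):
    """Render {name: directory} as (name, EAB, pre-auth, key rollover, missing) rows."""
    rows = []
    for name, directory in directories.items():
        s = summarize_directory(directory)
        rows.append((
            name,
            "Required" if s["eab_required"] else "n/a",
            yes_no(s["pre_authorization"]),
            yes_no(s["key_rollover_advertised"]),
            ",".join(s["missing_required"]) or "none",
        ))
    return rows


if __name__ == "__main__":
    for row in feature_table({"open-ca": SAMPLE_DIRECTORY_OPEN, "eab-ca": SAMPLE_DIRECTORY_EAB}):
        print(" | ".join(row))
    # To check a live CA (network needed), for example:
    #   print(summarize_directory(fetch_directory(DIRECTORY_URLS["Let's Encrypt"])))
```

Run it against the staging or test endpoints first; the production directories are fine to fetch, but every other call made while probing a CA counts against the rate limits in the first table.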
- SSL.com returns "Missing Authentication Token" errors on some calls against Account endpoints, which is why those features are marked unsupported.
- SSL.com requires an email address in the ACME account `contact` field but does not enforce it at account creation. Instead, it returns a `badCSR` error when you try to finalize an order from an account with no contact address.
- \* ZeroSSL's EAB credentials can only be used once, to establish a single new ACME account. Creating additional accounts requires generating new EAB credentials.
- ZeroSSL does issue IP address certificates, but not via the ACME protocol.
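Because two of the four CAs require EAB, and because the SSL.com `contact` and single-use ZeroSSL credential notes both concern the `newAccount` request, here is how that request's binding is assembled. This is an added example, not code from this page, from any CA, or from any ACME client. Per RFC 8555 section 7.3.4 the CA hands out a key identifier and a base64url-encoded HMAC key; the client signs its own account public key (as a JWK) with HS256 under that key, with the protected header carrying `alg`, `kid` and the `newAccount` URL and no `nonce`, and places the resulting JWS in the `externalAccountBinding` field. `verify_eab()` is the check a CA performs on receipt. The key identifier, HMAC key, account JWK and URL below are constructed stand-ins, not real credentials.

```python
"""Assemble and verify the External Account Binding in an ACME newAccount request.

Added example, not code from the original page or from any CA or client.
"""
import base64
import hashlib
import hmac
import json


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_json(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


# Constructed stand-ins: what a CA dashboard would show, and the client's own account key.
SAMPLE_KID = "kid-00000000000000000000000000000000"
SAMPLE_HMAC_KEY = b64url(bytes(range(32, 64)))           # the CA's base64url-encoded HMAC key
SAMPLE_NEW_ACCOUNT_URL = "https://ca.example/acme/new-acct"
SAMPLE_ACCOUNT_JWK = {                                   # public JWK of the ACME account key
    "kty": "EC", "crv": "P-256",
    "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64))),
}


def build_eab(kid, hmac_key_b64url, account_jwk, new_account_url):
    """Client side: HS256 JWS over the account JWK, keyed with the CA-issued HMAC key.

    The header carries alg, kid and url only; RFC 8555 forbids a nonce here.
    """
    protected = b64url(canonical_json({"alg": "HS256", "kid": kid, "url": new_account_url}))
    payload = b64url(canonical_json(account_jwk))
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def build_new_account_payload(eab, contact_email=None):
    """The inner payload of the outer newAccount JWS (which is signed with the account key).

    SSL.com rejects order finalization later if contact is empty, so pass an address.
    """
    payload = {"termsOfServiceAgreed": True, "externalAccountBinding": eab}
    if contact_email:
        payload["contact"] = [f"mailto:{contact_email}"]
    return payload


def decode_eab_payload(eab):
    return json.loads(b64url_decode(eab["payload"]))


def verify_eab(eab, hmac_key_b64url, outer_jwk, new_account_url):
    """CA side: header sanity, constant-time MAC check, and JWK match against the outer JWS."""
    try:
        header = json.loads(b64url_decode(eab["protected"]))
    except (KeyError, ValueError):
        return False
    if header.get("alg") != "HS256" or header.get("url") != new_account_url or "nonce" in header:
        return False
    signing_input = f'{eab["protected"]}.{eab["payload"]}'.encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    # The bound key must be exactly the key that signs the outer newAccount JWS.
    return decode_eab_payload(eab) == outer_jwk


if __name__ == "__main__":
    eab = build_eab(SAMPLE_KID, SAMPLE_HMAC_KEY, SAMPLE_ACCOUNT_JWK, SAMPLE_NEW_ACCOUNT_URL)
    print(json.dumps(build_new_account_payload(eab, "admin@example.com"), indent=2))
    print("verifies:", verify_eab(eab, SAMPLE_HMAC_KEY, SAMPLE_ACCOUNT_JWK, SAMPLE_NEW_ACCOUNT_URL))
```

The JWK in the EAB payload must be byte-for-byte the same public key the outer `newAccount` JWS presents in its `jwk` header; a CA that accepts a mismatch would let one party bind another party's account key to its billing identity. For ZeroSSL, remember that a given `kid`/HMAC pair is consumed by the first successful `newAccount`, so retrying with the same credentials after success fails and you must generate a new pair.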