Skip to main content

Draft support for ACME Profiles

· 3 min read
Christopher Cook
Christopher Cook
Lead Developer of Certify The Web

We have implement support for the ACME Profiles extension, a new feature designed to enhance the Automated Certificate Management Environment (ACME) protocol. This extension allows ACME Servers to offer a selection of different certificate profiles to ACME Clients, making it easier for clients to request the specific type of certificate they need.

ACME Profiles are a new proposed extension to the ACME standard allows CAs to offer certificates with different features depending on user preferences.

https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/

This feature will be available in the next major release of Certify Certificate Manager and Certify Management Hub.

What are ACME Profiles?

ACME Profiles provide a way for Certificate Authorities (CAs) to advertise the different types of certificates they can issue. For example, a CA might offer a certificate with a shorter lifetime and different key usage constraints. By selecting a profile, clients can ensure they receive a certificate that meets their specific requirements.

Key Features

Improved Flexibility

ACME Profiles make it easier for CAs to introduce new and improved certificate types. Clients can quickly adopt these new profiles without needing to change their existing workflows or configurations.

Enhanced Security

By moving profile selection out of the CSR and into the ACME protocol, ACME Profiles reduce the risk of compliance incidents caused by incorrect or malicious CSR values. This helps ensure that certificates are issued according to the CA's policies and standards.

How It Works

Server Advertisements

ACME Servers that support profiles will include a new profiles field in their Directory object. This field lists the available profiles and provides human-readable descriptions or URLs to documentation.

Client Requests

When creating a new Order, clients can specify the desired profile in the profile field of the Order object. The server will then issue a certificate that matches the selected profile.

In Certify Certificate Manager and Certify Management Hub this will be available as an option under under Certificate > Advanced > Certificate Authority.

Current Implementations

Let's Encrypt's Boulder ACME Server software fully implements the ACME Profiles extension. Although profiles are not yet configured in Let's Encrypt's Production and Staging environments, the Pebble ACME Server testbed also supports this extension.

Conclusion

The ACME Profiles extension is a significant step forward in providing flexibility and preferences in automated certificate management. By allowing clients to select predefined profiles, it reduces complexity, enhances security, and provides greater flexibility for both clients and CAs.

We encourage you to explore the ACME Profiles feature when it becomes available and provide feedback to help us continue improving this important protocol.