Peeringhub.io Stir Shaken CA Service
Protocol Overview

Communications between an ACME client and an ACME server are done over HTTPS, using JSON Web Signature (JWS), defined in RFC 7515.

JWS must be in a Flattened JSON Serialization format, and must include a protected header, a payload and a signature:

{
  "protected" : "<base64url-encoded header>",
  "payload" : "<base64url-encoded payload>",
  "signature" : "<base64url-encoded signature>"
}

The JWS protected header must contain the following parameters:

  • "alg" - identifies the signature algorithm (must be "ES256")

  • "nonce" - a fresh nonce value, retrieved from the ACME server

  • "url" - the requested URL (including hostname)

  • "kid" - ACME Account URL

Example of a JWS protected header:

{
  "alg" : "ES256",
  "nonce" : "B851691E46EC4EC88424473F8D0BBBD5",
  "url" : "https://stica.peeringhub.io/acme/new-order",
  "kid": "https://stica.peeringhub.io/acme/acct/45DF152CDB284EEF987FAE35C3A77FD8"
}

JWS payload should be a base64url-encoded JSON object, or an empty string. The content of JWS payload depends on the type of the request. Detached payloads are not allowed.

The JWS signature is computed over the base64url-encoded protected header concatenated with the base64url-encoded payload (if present):

  • String to sign: <base64url-encoded header> + "." + <base64url-encoded payload>

  • If the payload is empty: <base64url-encoded header>

The JWS signature must be created with the EC P-256 key associated with the ACME account, using the SHA256withECDSA algorithm (ES256). The ACME server does not support any other signature algorithm, nor any elliptic curve other than P-256.
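The following Go program is an added example, not code from Peeringhub or its STI-ACME server: it builds a flattened ES256 JWS exactly as described above (protected header with alg/nonce/url/kid, base64url payload, raw R||S signature over the signing input) and verifies it the way the server would on receipt. The nonce, "url" and "kid" values are copied from the header example on this page; the request payload, the freshly generated account key and the type/function names are constructed for the example. The signing input follows this page's rule (header alone when the payload is empty); RFC 7515 section 5.1 always keeps the "." separator, so the comment in `SigningInput` flags that as something to confirm against the server you are talking to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// b64url is the unpadded base64url encoding JWS requires (RFC 7515 section 2).
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ProtectedHeader carries the four parameters the STI-ACME server expects.
type ProtectedHeader struct {
	Alg   string `json:"alg"`
	Nonce string `json:"nonce"`
	URL   string `json:"url"`
	Kid   string `json:"kid"`
}

// FlattenedJWS is the Flattened JSON Serialization (RFC 7515 section 7.2.2).
type FlattenedJWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// SigningInput builds the string that is signed, following the page's rule:
// header "." payload, or the header alone when the payload is empty.
// (RFC 7515 section 5.1 keeps the "." even for an empty payload, giving
// "<header>." instead; confirm which form your server accepts.)
func SigningInput(protectedB64, payloadB64 string) string {
	if payloadB64 == "" {
		return protectedB64
	}
	return protectedB64 + "." + payloadB64
}

// SignRequest produces an ES256 flattened JWS for an ACME request.
// A nil/empty payload yields an empty-payload JWS (e.g. POST-as-GET).
func SignRequest(key *ecdsa.PrivateKey, hdr ProtectedHeader, payload []byte) (*FlattenedJWS, error) {
	// Enforce the server's constraints client-side so a bad key fails early.
	if hdr.Alg != "ES256" {
		return nil, fmt.Errorf("server only accepts ES256, got %q", hdr.Alg)
	}
	if key.Curve.Params().Name != "P-256" {
		return nil, fmt.Errorf("server only accepts P-256 keys, got %s", key.Curve.Params().Name)
	}
	hdrJSON, err := json.Marshal(hdr)
	if err != nil {
		return nil, err
	}
	protectedB64 := b64url(hdrJSON)
	payloadB64 := ""
	if len(payload) > 0 {
		payloadB64 = b64url(payload)
	}
	digest := sha256.Sum256([]byte(SigningInput(protectedB64, payloadB64)))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	// JWS ES256 signatures are the raw R||S pair, each left-padded to 32 bytes,
	// not the DER encoding most crypto libraries emit by default.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return &FlattenedJWS{Protected: protectedB64, Payload: payloadB64, Signature: b64url(sig)}, nil
}

// VerifyJWS checks a flattened JWS against the account public key: this is the
// server's check on receipt and a useful self-test before sending a request.
func VerifyJWS(pub *ecdsa.PublicKey, jws *FlattenedJWS) (bool, error) {
	sig, err := base64.RawURLEncoding.DecodeString(jws.Signature)
	if err != nil || len(sig) != 64 {
		return false, fmt.Errorf("malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(SigningInput(jws.Protected, jws.Payload)))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	return ecdsa.Verify(pub, digest[:], r, s), nil
}

func main() {
	// Constructed account key; in practice this is the key bound to the ACME account.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	hdr := ProtectedHeader{
		Alg:   "ES256",
		Nonce: "B851691E46EC4EC88424473F8D0BBBD5", // nonce and URLs taken from the page's header example
		URL:   "https://stica.peeringhub.io/acme/new-order",
		Kid:   "https://stica.peeringhub.io/acme/acct/45DF152CDB284EEF987FAE35C3A77FD8",
	}
	payload := []byte(`{"example":"constructed request payload"}`) // constructed, not a real new-order body
	jws, err := SignRequest(key, hdr, payload)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(jws, "", "  ")
	fmt.Println(string(out))
	ok, _ := VerifyJWS(&key.PublicKey, jws)
	fmt.Println("signature valid:", ok)
}
```

Run it and you get the three-field JSON object the server expects; decoding the "protected" field gives back the header with its nonce, url and kid, and flipping a single byte of "payload" makes `VerifyJWS` return false, which is the same rejection the server applies when a request was tampered with or replayed with the wrong URL.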


Last updated 2 years ago