Protocol Overview

Communications between an ACME client and an ACME server are done over HTTPS, using JSON Web Signature (JWS), defined in RFC 7515.

JWS must be in a Flattened JSON Serialization format, and must include a protected header, a payload and a signature:

  "protected" : "<base64url-encoded header>"
  "payload" : "<base64url-encoded payload>",
  "signature" : "<base64url-encoded signature>"

JWS protected header should contain a set parameters:

  • "alg" - identifies the encryption algorithm (must be "ES256")

  • "nonce" - a fresh nonce value, retrieved from the ACME server

  • "url" - the requested URL (including hostname)

  • "kid" - ACME Account URL

Example of a JWS protected header:

  "alg" : "ES256",
  "nonce" : "B851691E46EC4EC88424473F8D0BBBD5",
  "url" : "",
  "kid": ""

JWS payload should be a base64url-encoded JSON object, or an empty string. The content of JWS payload depends on the type of the request. Detached payloads are not allowed.

JWS signature must be created from the protected header concatenated with the payload (if exists):

  • String to sign: <base64url-encoded header> + . + <base64url-encoded payload>

  • If payload is empty: <base64url-encoded header>

JWS signature must be created with an EC P-256 key, associated with the ACME account, using SHA256withECDSA algorithm. ACME server does not support other encryption algorithms, as well as Elliptic Curves others than P-256.

Last updated