The question here is one of making a business case to run some critical infrastructure with an ACME client that receives certificates from LetsEncrypt.
Basic resilience and business continuity principles dictate we should also have a fallback strategy available, in case LetsEncrypt should stop hosting their service. Ideally, I would like to identify one other business who is willing to respond to ACME requests and provide CA signed certificates (presumably for $$$).
To my surprise I can find no other vendor offering this.
Note, I am not asking whether LetsEncrypt is planning to stop hosting their service to me. Of course they do not appear to be. This is a matter of risk management and disaster recovery, and of arguing my business case to someone who may quite rightly shut it down for missing important security architecture pieces.
We have had some other threads about this in the past and so far the answer is that there is no other CA actively operating with a similar technology and model to Let’s Encrypt’s. (Some of the other threads related to jurisdictional risk around Let’s Encrypt’s location in the U.S., and a desire on some users’ part to have CAs operating from other countries.)
I think it would be useful to have a somewhat wider institutional and geographic diversity for operation of infrastructure of this sort, but I don’t think that’s happened yet, so we probably can’t satisfy your concerns about fallback plans today.
Also note that the ACME spec hasn’t been finalized yet (I’m pretty sure, at least), so other CAs may not invest fully in widely deploying it until that happens.
In preparation, make sure your ACME client supports being configured to use different CAs and the upcoming-final ACMEv2 spec. (For instance, I know that xenolf/lego and Caddy will do so.)
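As an added illustration of the failover the advice above implies (this is not code from anyone in this thread or from any ACME client), a small Python helper that walks an ordered list of ACME directory URLs, keeps the first one that serves a well-formed ACMEv2 directory, and builds the matching xenolf/lego command line. The Let's Encrypt directory URL is real; the fallback directory URL, email and domain are placeholders.

```python
import json
import urllib.request
from typing import Callable, Optional

# Resources every ACMEv2 directory must expose (RFC 8555, section 7.1.1).
REQUIRED = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")

# Ordered preference list: Let's Encrypt first, then a fallback CA. The
# fallback URL is a placeholder; the thread found no second ACME CA to name.
CANDIDATES = [
    "https://acme-v02.api.letsencrypt.org/directory",
    "https://acme.fallback-ca.example/directory",  # placeholder, not real
]

def validate_directory(body: str) -> Optional[dict]:
    """Parse a directory document; return it only if every required
    resource is present and is an https URL, otherwise None."""
    try:
        d = json.loads(body)
    except ValueError:
        return None
    if not isinstance(d, dict):
        return None
    for key in REQUIRED:
        url = d.get(key)
        if not isinstance(url, str) or not url.startswith("https://"):
            return None
    return d

def select_directory(candidates, fetch: Callable[[str], str]):
    """Return (url, directory) for the first candidate whose directory is
    reachable and well-formed, or (None, None) if every CA fails.
    `fetch` is injected so the selection logic can be exercised offline."""
    for url in candidates:
        try:
            body = fetch(url)
        except Exception:  # DNS/TLS/HTTP failure: move on to the next CA
            continue
        d = validate_directory(body)
        if d is not None:
            return url, d
    return None, None

def http_fetch(url: str, timeout: float = 10) -> str:
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def lego_args(server: str, email: str, domain: str) -> list:
    """Argument vector for lego, pointed at the CA that was selected."""
    return ["lego", "--server", server, "--email", email,
            "--domains", domain, "--accept-tos", "run"]
```

Wire it up with `url, _ = select_directory(CANDIDATES, http_fetch)` and hand `lego_args(url, ...)` to `subprocess.run`; the same directory URL is what Caddy's `acme_ca` option expects.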
If one reads the ACME IETF mailing list and looks through the history, there are claims by numerous CAs that they have ACME implementations both in development and production which are available.
As far as I know, none of these CAs publicly advertise an ACME interface, but it’s quite possible that one is available for customers who’ve engaged with those CAs about the need.
I think there were references to both BuyPass and Digicert having various stages of testing concepts, with maybe BuyPass suggesting they were running limited trials in production. Those might be places to start.
There are also, of course, CAs with automated APIs that do not use the ACME protocol but provide similar features (presumably for $$$). It may be a huge amount of engineering work, but you could integrate with them as well.
I have done a project with this technology where there was a mix of internal CAs, public CAs and dev CAs (underpinned by Digicert Trusted Cert).