Certificate issuance order

In the Applying for Certificate Issuance(draft-ietf-acme-acme-10) topic of the ACME spec.

It shows that the server(letsencrypt in this case) will return a response like:

"status": "pending",
"expires": "2016-01-01T00:00:00Z",
"notBefore": "2016-01-01T00:00:00Z",
"notAfter": "2016-01-08T00:00:00Z",
"identifiers": [
{ "type:"dns", "value":"example.com" },
{ "type:"dns", "value":"www.example.com" }
"authorizations": [
"finalize": "https://example.com/acme/order/asdf/finalize"

now my question;
Since the authorizations array in the response is not in any way related/linked with the identifiers array,
How is a client supposed to now which authorization url(from the authorizations array) is linked to which domain name (from the identifiers array)?

For example in the above case, which authorization url belongs to www.example.com and which belongs to example.com

Hi @komuw, thanks for the question.

Your client needs to GET each of the authorization URLs to find out more about the authorization. Each authorization will have its own singular identifier field that will correspond to one of the plural identifiers from the order.

The only complication is that a wildcard identifier in an order is allowed to have the value "*.whatever.com", but the identifier in the corresponding authorization is not allowed to have the *. prefix, so its identifier value will be whatever.com. The way you can tell that this is actually an authorization for a wildcard identifier is that the authorization will also have a wildcard: true field.

I hope that helps explain things. The wildcard bit is a little confusing but that's the way the working group consensus went :slight_smile:


Thanks @cpu . This will help me resolve; https://github.com/komuw/sewer/issues/83

One other semi-related question;

If a client wants to request certificates for example.com and *.example.com
will the DNS records for both be:
_acme-challenge.example.com or should the wildcard have a different record?

1 Like

@komuw, you would need two TXT records for _acme-challenge.example.com, with different challenge values; one for example.com and one for *.example.com.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.