“pki-validation” directory - CABF Ballot 169 Domain Validation Methods

Is Let’s Encrypt planning to switch to the “.well-known/pki-validation” directory in lieu of “.well-known/acme-validation”?

^^ Based on the above, it sounds like every CA is expected to implement a change to this directory, but I see nothing of this in the latest ACME draft.

If so, will this impact current issuance from Let’s Encrypt via the current production endpoint?

Hi @FGasper,

The implications of this ballot from back in August of last year have come up before (can’t find a handy link now).

The new text introduced by Ballot 169 says:

Confirming the Applicant’s control over the requested FQDN by confirming one of the following under the “/.well-known/pki-validation” directory, or another path registered with IANA for the purpose of Domain Validation, on the Authorization Domain Name that is accessible by the CA via HTTP/HTTPS over an Authorized Port:

The key part is or another path registered with IANA for the purpose of Domain Validation.

You’ll find that the ACME path is already on the IANA registry for this purpose.

There won’t be any change required to the validation path and no impact on the production endpoint.

Hope that helps,


Thanks for the quick response! :slight_smile:

1 Like

No problem!

I updated the title of this thread so that hopefully the next time it comes up I’ll be able to find this thread & link here.

Thanks for asking!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.