Post the directory URL somewhere prominent on the website

Just as a point of comparison, I tried to find the directory URL of some other ACME-supporting CAs, starting from their documentation page:

  • ZeroSSL: click on "ACME", and it's pretty prominent on top.
  • BuyPass: seemed pretty buried to me (though I haven't tried using their site before, and they seem to offer many things besides TLS certs). I searched their site for "acme", which got me to a page about Buypass Go SSL, and from there it suggests going to their "community" for technical information, which does seems to have an "endpoints" page as well as giving it in their "Get Started" guide.
  • Google: Their documentation is from the perspective of already being a user of Google Cloud services, so it's not really apples-to-apples with an entity that's "just" a CA, but their "Request a certificate using public CA" guide tries to walk through using certbot with EAB, which I suspect has enough information for someone familiar with ACME and using some other client to figure it out. They don't have a clear "endpoints" page though that I could find in a quick check, and when I went into "API Reference" it was about their Google Cloud APIs (to like, generate the EAB credentials) rather than their ACME API.
  • SSL.com: They don't seem incentivized to put ACME instructions very prominently, but under "Certificate Ordering and Validation" they have a guide for SSL/TLS Certificate Issuance and Revocation with ACME. It walks through generating the EAB credentials, and using certbot manually. (Automation doesn't seem to be their focus at all.) Interestingly, they provide a different directory URL for ECDSA vs RSA keys. But it doesn't seem like the directory URL is very prominent in the documentation to me.
  • Digicert: Doesn't offer free certs as far as I can tell, but buried in their "Certificate Lifecycle Automation Guides" is how to Use a third-party ACME client (as opposed to their proprietary ACME client), which gives instructions on how to use their web control panel to generate a directory URL just for you, with whatever custom product or validity period you want (and EAB credentials to go along with it of course).

Seems to be a wide range of what CAs provide in their documentation and how easy it is to find. They generally don't seem focused on client authors, but then again most of them want the user to configure EAB. Really I have to give the prize to ZeroSSL for making it easiest for if someone wanted to switch to them from Let's Encrypt.

8 Likes

This thread has gone on for a while, and I admit that thanks to the CABForum Face-to-Face being this week I haven't followed the whole thing. But: I agree that the directory URL could and should be more prominent, and I don't have strong opinions about where that should be. The website repo accepts pull requests!

11 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.