In the blog Announcing Certificate Profile Selection - Let's Encrypt (from Announcing Certificate Profile Selection ), the following is mentioned: An ACME client can supply a desired profile name in a new-order request: (…) If the new-order request is accepted, then the selected profile name will…

The profiles addition to ACME simultaneously allows more than a CSR can express (for example, it could allow opting into new issuance chains, signature formats, etc), provides discoverability for what options are available, and also is much simpler to use than CSRs. If anything, I hope we can some …

[image] mcpherrinm: I hope we can some day move beyond CSRs I'd be happy just to specify everything in the order json (an array of string key value pairs would remove the need to define specific named json entries at the ACME standard level), including the public key I would otherwise have sp…

It’s really useful for interoperating with other systems still. I recently set up ACME automation for a security camera that exposed CSRs in its API, for example. And there’s the whole bit about “it works ok today”. Big changes need big motivation.

can profile make change on other parts of process? like different format of finalization, auth reuse period, etc

Anything is possible on Zombo.com , but at least for us we are just intending to use profiles to affect the certificate, and not to otherwise alter the ACME protocol or anything like that.

[image] mcpherrinm: It’s really useful for interoperating with other systems still. I recently set up ACME automation for a security camera that exposed CSRs in its API, for example. Supporting the legacy systems is a good thing, but the interpretation of the CSR should be an ACME client-only …

[image] mcpherrinm: at least for us we are just intending to use profiles to affect the certificate, and not to otherwise alter the ACME protocol or anything like that That is an interesting idea, though. If you made the "modern" profiles (or any time the client specifies a profile at all) en…

[image] petercooperjr: It's to make it easy to wrap an ACME client around a system that can manage its own keys (possibly not letting you import an external private key at all) and can give you a CSR, but doesn't natively speak ACME. My logic is exactly like that. The ACME client gets the CSR…

[image] bruncsak: My logic is exactly like that. The ACME client gets the CSR, extracts the public key and the list of identifiers and submits it to the ACME server within the order object. Here, there is no change (other than extracting and submitting the public key as well). The CSR has busine…

Re: Announcing Certificate Profile Selection

Issuance Policy

petercooperjr January 23, 2025, 1:42pm 80

I guess it must be. Not only do they check the CSR signatures, as of a few years ago they required them to not be SHA-1. But that's just their system, I don't think ACME or the BRs/root programs require them to check it.

Topic		Replies	Views
Proposal: ACME Profiles Issuance Tech	18	1778	October 11, 2023
Offer a new endpoint (and ACME spec update) to list available chains Feature Requests	26	1976	September 21, 2023
What could Let’s Encrypt do to make client dev easier? Client dev	43	2762	July 9, 2022
ECDSA certificates by default and other upcoming changes in Certbot 2.0 Client dev	40	18274	June 1, 2025
Announcing Certificate Profile Selection API Announcements	0	541	January 9, 2025

Re: Announcing Certificate Profile Selection

Related topics