ACME Implementation

How uPKI RA implements RFC 8555 (ACME v2) for private networks.

uPKI RA is a faithful implementation of RFC 8555 — the ACME v2 protocol. All standard objects (accounts, orders, authorizations, challenges, certificates) are supported.

Protocol flow

Client                          uPKI RA                    uPKI CA
  │                                │                           │
  │  GET /acme/directory           │                           │
  │◄───────────────────────────────│                           │
  │                                │                           │
  │  POST /acme/new-account        │                           │
  │───────────────────────────────►│                           │
  │  ◄── 201 Created (account URL) │                           │
  │                                │                           │
  │  POST /acme/new-order          │                           │
  │───────────────────────────────►│                           │
  │  ◄── 201 Created (order URL)   │                           │
  │                                │                           │
  │  GET /acme/authz/{id}          │                           │
  │───────────────────────────────►│                           │
  │  ◄── 200 (challenge list)      │                           │
  │                                │                           │
  │  POST /acme/chall/{id}         │                           │
  │───────────────────────────────►│                           │
  │  ◄── 200 (challenge pending)   │                           │
  │                                │                           │
  │  [solve challenge]             │                           │
  │                                │                           │
  │  POST /acme/order/{id}/finalize│                           │
  │  (with CSR)                    │                           │
  │───────────────────────────────►│ ZMQ sign(csr, profile)   │
  │                                │──────────────────────────►│
  │                                │ ◄── {certificate, serial} │
  │  ◄── 200 (order valid)         │                           │
  │                                │                           │
  │  POST /acme/cert/{id}          │                           │
  │───────────────────────────────►│                           │
  │  ◄── 200 (PEM chain)           │                           │

Supported challenge types

Challenge      Support      Notes
tls-alpn-01    ✅ Full       Recommended for Traefik
http-01        ✅ Full       Standard HTTP challenge
dns-01         ⚠️ Partial    Supported for cert-manager DNS providers
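The table above lists what the RA validates, and the "[solve challenge]" step in the flow is where the account key comes in: every challenge type is answered with the same key authorization (RFC 8555 §8.1), differing only in how it is published. The following is an added example, not code from uPKI RA, showing the verification-side derivation for all three challenge types plus a constant-time check of an observed response; the EC JWK and token are constructed sample values.

```python
"""Derive and verify the values an ACME server expects for each challenge type (RFC 8555 §8)."""
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    # ACME uses unpadded base64url throughout (RFC 8555 §2, RFC 7515).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: hash only the required members, lexicographically ordered, no whitespace.
    # Optional members such as "alg" or "kid" must not affect the thumbprint.
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    # RFC 8555 §8.1: keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def expected_challenge_value(ctype: str, token: str, account_jwk: dict) -> bytes:
    ka = key_authorization(token, account_jwk).encode("ascii")
    if ctype == "http-01":
        return ka                                   # body served at /.well-known/acme-challenge/<token>
    if ctype == "dns-01":
        return b64url(hashlib.sha256(ka).digest()).encode("ascii")  # TXT at _acme-challenge.<name>
    if ctype == "tls-alpn-01":
        return hashlib.sha256(ka).digest()          # raw SHA-256 octets in the acmeIdentifier extension
    raise ValueError(f"unsupported challenge type: {ctype}")

def verify_challenge_response(ctype: str, token: str, account_jwk: dict, observed: bytes) -> bool:
    # Constant-time comparison so a validator does not leak the expected value through timing.
    return hmac.compare_digest(expected_challenge_value(ctype, token, account_jwk), observed)

# Constructed sample account key and token (not real key material).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256", "kid": "acct-1",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    for ct in ("http-01", "dns-01", "tls-alpn-01"):
        print(ct, expected_challenge_value(ct, SAMPLE_TOKEN, SAMPLE_JWK))
```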

Directory endpoint

GET /acme/directory

Returns the RFC 8555 directory object pointing to all ACME endpoints. Configure your ACME client's caServer to this URL.

Nonce management

Every ACME request must include a fresh nonce. The RA issues nonces via:

HEAD /acme/new-nonce
GET  /acme/new-nonce

Account management

Endpoint               Method   Description
/acme/new-account      POST     Create or look up an account
/acme/account/{id}     POST     Update or deactivate an account
/acme/key-change       POST     Rotate the account key

Certificate profile selection

By default, the RA requests certificates from the CA with the server profile. To use a different profile, include it in the order's notBefore / notAfter metadata, or configure the RA's default profile (a future feature).

Revocation

POST /acme/revoke-cert

Accepts a signed revocation request. The RA forwards the revocation to the CA via ZMQ and removes the certificate from its active set.

State synchronisation

After every ACME operation that modifies CA state, the RA sends an acme_sync_* ZMQ message to the CA so the CA's storage stays consistent. This allows future RA instances to reconstruct state from the CA.

Copyright © 2026