ACME accounts
Configure registrations against the 9 supported public CAs that speak ACME. Most are open registration; a few require External Account Binding (EAB).
Supported CAs
| CA | Cert types | EAB? | Notes |
|---|---|---|---|
| Let's Encrypt | DV | no | Free, 90-day validity, generous staging. |
| Google Trust Services | DV | yes | Free for GCP customers; EAB via Cloud Console. |
| ZeroSSL | DV | yes | Free 90-day; paid OV/EV via REST not ACME. |
| Sectigo | DV / OV / EV | yes | Enterprise contracts, multi-CA roots. |
| SSL.com | DV / OV / EV | yes | ACME directory per product line. |
| GoDaddy | DV | no | Reseller integration on the same ACME endpoint. |
| Actalis | DV / OV | yes | European CA; eIDAS QSeal options off-ACME. |
| GlobalSign | DV / OV / EV | yes | Atlas ACME; per-product directories. |
| DigiCert | DV / OV / EV | yes | CertCentral ACME endpoints per profile. |
Creating an account
- Settings → ACME Accounts → New.
- Pick the provider. The directory URL prefills; you can override for staging/UAT endpoints.
- Email — used for expiry notices from the CA itself.
- Key type — ECDSA P-256 is the right default. Use RSA-3072 only if your CA does not support ECDSA on the chosen product.
- For EAB CAs, paste the
kidand HMAC key. See EAB-bound CAs for where to find them per provider. - Save. The server generates the account key, registers with the CA, and stores both the key and the registration URL.
Staging vs production
Always create the staging account first. Issue a couple of test certs against it, prove the DNS-01 flow works, then create the production account.
The Let's Encrypt production limits are 50 certificates per registered domain per week and 5 duplicate certs per week. CertAutoPilot exposes both rate limits on the account detail page so you can see how close you are to the cap.
Rotating the account key
ACME supports key rollover via the keyChange flow — the server can generate a new account key, run keyChange against the CA, and atomically swap without interrupting issuance. There is no in-UI rollover button at present; operators trigger this from the API or by re-running registration with a new key on the host. UI surface for this is on the roadmap.
OV/EV certificates — where the organization comes from
For OV/EV certificates over ACME, the organization identity is not taken from the CSR. It is pre-validated by the CA and bound to your ACME account through EAB (External Account Binding). This is required by the CA/Browser Forum Baseline Requirements — the CA must independently vet the organization, so a self-asserted O= in a CSR can never, by itself, produce a trusted OV/EV certificate.
Consequences:
- Public CAs (GlobalSign Atlas, Sectigo, DigiCert) ignore or override the organization fields (
O,C,ST,L, and the EV jurisdiction fields) in the CSR and issue with their vetted record. The organization you pick when issuing must therefore match the CA-vetted organization tied to your EAB credentials. - Some strict CAs (notably GlobalSign Atlas) reject a request whose CSR subject conflicts with the vetted profile.
- The organization record you configure in CertAutoPilot (Settings → Organizations) is a local convenience for selection/consistency; it does not override the CA's vetted identity.
Omit organization from CSR subject toggle. On an OV/EV ACME account (account detail page), enable this to send SANs only in the CSR — no O/C/ST/L or EV fields. Use it for public CAs that derive the organization from the EAB-bound profile (and reject conflicting CSR subjects, e.g. Atlas). Leave it off for private/internal ACME CAs that do honor the CSR subject (e.g. smallstep, EJBCA), where the fields you set are used. Default: off (include organization), preserving behavior for private CAs.
Deactivating an account
Deactivation is permanent at the CA — the account cannot issue further certificates. CertAutoPilot keeps the local record (with status deactivated) so historical certificates still resolve their issuer.
API
POST /api/v1/projects/{project}/acme-accounts
GET /api/v1/projects/{project}/acme-accounts
POST /api/v1/projects/{project}/acme-accounts/{id}/rotate-key
POST /api/v1/projects/{project}/acme-accounts/{id}/deactivate