ACME: Profile support
Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
Any plan to implement ACME profile support as explained here?
https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/
Example with Let's Encrypt: https://letsencrypt.org/2025/01/09/acme-profiles https://letsencrypt.org/docs/profiles/
Supported by clients:
- LEGO: Support draft-ietf-acme-profiles-00: Profiles Extension
- cert-manager: https://cert-manager.io/docs/releases/release-notes/release-notes-1.18/#acme-certificate-profiles
Why is this needed?
By selecting a certificate profile, certificates with different traits can be generated by the CA. For example, Let's Encrypt will use the tlsserver profile to generate certificates tailored specifically towards TLS server usage, and shortlived to generate six-day certificates rather than the default 90 days. See the link for details.
Hey @tuxtof, thank you for opening this issue.
We've been following progress on the draft for a while, and we think it's a nice addition to ACME. While we think it would be a nice addition to step-ca too, we've currently not planned support for it. We're open to community contributions.
Functionally we've been supporting similar functionality through our ACME provisioner. By creating multiple ACME provisioners with different settings and/or templates, what you get in practice is very similar to what ACME profiles are about.
An implementation of ACME profile support could thus work as a layer on top of our existing ACME provisioner, with the profile identifier pointing to a specific ACME provisioner with corresponding settings. The implementation may need some additional changes to ensure that ACME accounts can be used through multiple provisioners and/or check if ACME clients will automatically handle this case.
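The layering described in the comment above, sketched as an added example (not step-ca code and not part of the maintainer's reply). It assumes the draft's `profile` field in the newOrder payload and its `invalidProfile` error type; the provisioner names and the `SelectProvisioner` helper are hypothetical.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical mapping from an advertised ACME profile to the provisioner
// that carries the matching settings/templates. Profile names are the ones
// mentioned in the issue; provisioner names are made up for illustration.
var profileToProvisioner = map[string]string{
	"tlsserver":  "acme-tlsserver",
	"shortlived": "acme-shortlived",
}

// Hypothetical provisioner used when the client sends no profile.
const defaultProvisioner = "acme"

// ErrInvalidProfile stands for the draft's invalidProfile problem type.
var ErrInvalidProfile = errors.New("urn:ietf:params:acme:error:invalidProfile")

// newOrder holds only the newOrder field this example needs.
type newOrder struct {
	Profile string `json:"profile"`
}

// SelectProvisioner returns the provisioner that should handle the order.
// A profile the server does not advertise is rejected rather than mapped to
// the default, so a request for "shortlived" can never silently yield a
// certificate issued under different (for example longer-lived) settings.
func SelectProvisioner(payload []byte) (string, error) {
	var o newOrder
	if err := json.Unmarshal(payload, &o); err != nil {
		return "", fmt.Errorf("malformed newOrder: %w", err)
	}
	if o.Profile == "" {
		return defaultProvisioner, nil
	}
	name, ok := profileToProvisioner[o.Profile]
	if !ok {
		return "", fmt.Errorf("%w: %q", ErrInvalidProfile, o.Profile)
	}
	return name, nil
}

func main() {
	// Constructed sample payload, not captured from a real client.
	body := []byte(`{"profile":"shortlived","identifiers":[{"type":"dns","value":"example.com"}]}`)
	name, err := SelectProvisioner(body)
	fmt.Println(name, err)
}
```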