ACME Server Beta
RFC 8555-compliant ACME server with FIPS 140-3 validated classical cryptography and FIPS 204-conformant post-quantum signatures.
Private CA — Certificates chain to the Quantum Nexum Root CA and are not publicly trusted. Install the CA Bundle to trust issued certificates.
ACME Server
RFC 8555-compliant ACME server issuing ML-DSA (FIPS 204) certificates from the Quantum Nexum PKI hierarchy.
ACME Client
Standalone client for requesting post-quantum certificates. Works with our server or any ACME-compatible CA.
ACME Server
The Quantum Nexum ACME server implements RFC 8555 (ACME protocol) with extensions for post-quantum algorithms. Certificates are issued from our live PKI infrastructure using ML-DSA-65 (NIST Level 3).
Supported Algorithms
| Algorithm | Standard | Level | Status |
|---|---|---|---|
| ECDSA P-256 | FIPS 186-5 | — | Available |
| ECDSA P-384 | FIPS 186-5 | — | Available |
| ECDSA P-521 | FIPS 186-5 | — | Available |
| RSA 2048–4096 | FIPS 186-5 | — | Available |
| Ed25519 | RFC 8032 | — | Available |
| ML-DSA-44 | FIPS 204 | Level 2 | Available |
| ML-DSA-65 | FIPS 204 | Level 3 | Default (PQC) |
| ML-DSA-87 | FIPS 204 | Level 5 | Available |
Cryptographic Validation
| Classical crypto | FIPS 140-3 validated via aws-lc-rs (AWS-LC FIPS Module, NIST Certificate #4816, Level 1) |
| Post-quantum crypto | FIPS 204 specification-conformant (ML-DSA). Not yet FIPS 140-3 validated. |
| Trust model | Private CA. Not publicly trusted. Install QN CA Bundle. |
Validation Methods
- http-01: HTTP challenge (place file at /.well-known/acme-challenge/)
- dns-01: DNS TXT record challenge
- tls-alpn-01: TLS-ALPN challenge (RFC 8737, serve certificate on port 443)
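What a client has to publish for the http-01 and dns-01 methods above, worked through as an added example (not Quantum Nexum's code). It follows RFC 8555 sections 8.1, 8.3 and 8.4 and RFC 7638; the function names, the EC P-256 account key and the token are constructed for illustration.

```python
import base64
import hashlib
import json
import re

# Members hashed per key type (RFC 7638, section 3.2); all others are ignored.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"),
            "OKP": ("crv", "kty", "x")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint (RFC 7638) of the account public key."""
    canonical = json.dumps({k: jwk[k] for k in REQUIRED[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || thumbprint (RFC 8555, section 8.1)."""
    # Tokens are base64url. Rejecting anything else keeps a hostile value
    # such as "../x" from ever becoming part of a served file path.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("token is not base64url")
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, str]:
    """URL path and response body the CA fetches for http-01."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value for _acme-challenge.<domain> (RFC 8555, section 8.4)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


# Constructed sample values, not real account material.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
SAMPLE_TOKEN = "constructed_token-0123456789"
```

Because the thumbprint binds the response to the account key, a challenge file copied from another account fails validation even when the token matches.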
ACME Client
Our standalone ACME client handles the full certificate lifecycle—account registration, domain validation, certificate issuance, and renewal. Built with post-quantum support from the ground up.
Features
- ML-DSA key generation and CSR creation
- Automatic challenge response (http-01, dns-01)
- Certificate renewal and revocation
- Works with Quantum Nexum ACME or other ACME CAs
Server Endpoints
| Endpoint | URL |
|---|---|
| Directory | https://acme.quantumnexum.com/directory |
| New Nonce | https://acme.quantumnexum.com/acme/new-nonce |
| New Account | https://acme.quantumnexum.com/acme/new-acct |
| New Order | https://acme.quantumnexum.com/acme/new-order |
| Revoke Cert | https://acme.quantumnexum.com/acme/revoke-cert |
| Key Change | https://acme.quantumnexum.com/acme/key-change |
Quick Start
Using certbot
```bash
# Register account
certbot register --server https://acme.quantumnexum.com/directory

# Request certificate
certbot certonly --standalone \
  --server https://acme.quantumnexum.com/directory \
  -d quantumnexum.com
```
Using SPORK CLI
```bash
# Register account
spork acme register \
  --email admin@quantumnexum.com \
  --server https://acme.quantumnexum.com/directory

# Order certificate
spork acme order quantumnexum.com www.quantumnexum.com
```
Trust Chain
Certificates are issued by the Quantum Nexum TLS Issuing CA, chaining to our ML-DSA root. For browsers and clients to trust these certificates, install the CA Bundle.
Deployment Modes
| Mode | Description |
|---|---|
| Standalone 2-Tier | Root CA + Issuing CA |
| Standalone 3-Tier | Root CA + Policy CA + Issuing CA |
| Windows CA Subordinate | Issuing CA subordinate to existing AD CS root |
| Windows CA Bridge | Cross-certification with AD CS via WinRM |
| Import PFX | Import existing CA key material from PKCS#12 |
Rate Limits
| Limit | Value |
|---|---|
| Certificates per domain | 50 / week |
| Failed validations | 5 / hour |
| New registrations | 10 / hour per IP |
Additional protections may apply. Rate limits are subject to change.
Security
Report vulnerabilities to security@quantumnexum.com.
Questions? Contact pki@quantumnexum.com