ACME Coming Soon
Automatic Certificate Management Environment for post-quantum certificates. Issue ML-DSA certificates using standard ACME protocol.
Under Development — The ACME server endpoints are not yet operational. This page documents the planned implementation. Check back for updates.
ACME Server
RFC 8555-compliant ACME server issuing ML-DSA (FIPS 204) certificates from the Quantum Nexum PKI hierarchy.
ACME Client
Standalone client for requesting post-quantum certificates. Works with our server or any ACME-compatible CA.
ACME Server
The Quantum Nexum ACME server implements RFC 8555 (ACME protocol) with extensions for post-quantum algorithms. Certificates are issued from our live PKI infrastructure using ML-DSA-65 (NIST Level 3).
Supported Algorithms
| Algorithm | Standard | Security Level | Status |
|---|---|---|---|
ML-DSA-65 | FIPS 204 | NIST Level 3 | Default |
ML-DSA-44 | FIPS 204 | NIST Level 2 | Available |
ML-DSA-87 | FIPS 204 | NIST Level 5 | Available |
Validation Methods
http-01— HTTP challenge (place file at/.well-known/acme-challenge/)dns-01— DNS TXT record challenge
ACME Client
Our standalone ACME client handles the full certificate lifecycle—account registration, domain validation, certificate issuance, and renewal. Built with post-quantum support from the ground up.
Features
- ML-DSA key generation and CSR creation
- Automatic challenge response (http-01, dns-01)
- Certificate renewal and revocation
- Works with Quantum Nexum ACME or other ACME CAs
Server Endpoints
| Endpoint | URL |
|---|---|
| Directory | https://acme.quantumnexum.com/directory |
| New Nonce | https://acme.quantumnexum.com/acme/new-nonce |
| New Account | https://acme.quantumnexum.com/acme/new-acct |
| New Order | https://acme.quantumnexum.com/acme/new-order |
| Revoke Cert | https://acme.quantumnexum.com/acme/revoke-cert |
| Key Change | https://acme.quantumnexum.com/acme/key-change |
Quick Start
Using certbot (with PQC support)
# Register account
certbot register --server https://acme.quantumnexum.com/directory
# Request certificate
certbot certonly --standalone \
--server https://acme.quantumnexum.com/directory \
-d example.comUsing curl (manual)
# Get directory
curl https://acme.quantumnexum.com/directory
# Response
{
"newNonce": "https://acme.quantumnexum.com/acme/new-nonce",
"newAccount": "https://acme.quantumnexum.com/acme/new-acct",
"newOrder": "https://acme.quantumnexum.com/acme/new-order",
"revokeCert": "https://acme.quantumnexum.com/acme/revoke-cert",
"keyChange": "https://acme.quantumnexum.com/acme/key-change"
}Trust Chain
Certificates are issued by the Quantum Nexum TLS Issuing CA, chaining to our ML-DSA root. For browsers and clients to trust these certificates, install the CA Bundle.
Rate Limits
| Limit | Value |
|---|---|
| Certificates per domain | 50 / week |
| Failed validations | 5 / hour |
| New registrations | 10 / hour per IP |
Questions? Contact pki@quantumnexum.com