An ACME Profile for Generating Delegated STAR Certificates

Document Type Replaced Internet-Draft (individual)
Authors Yaron Sheffer  , Diego Lopez  , Antonio Pastor  , Thomas Fossati 
Last updated 2018-11-13
Replaced by RFC 9115
Stream (None)
Intended RFC status (None)
Expired & archived
plain text xml pdf htmlized bibtex
Additional Resources
- GitHub Repository
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Replaced by draft-ietf-acme-star-delegation
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This memo proposes a profile of the ACME protocol that allows the owner of an identifier (e.g., a domain name) to delegate to a third party access to a certificate associated with said identifier. A primary use case is that of a CDN (the third party) terminating TLS sessions on behalf of a content provider (the owner of a domain name). The presented mechanism allows the owner of the identifier to retain control over the delegation and revoke it at any time by cancelling the associated STAR certificate renewal with the ACME CA. Another key property of this mechanism is it does not require any modification to the deployed TLS ecosystem.


Yaron Sheffer (
Diego Lopez (
Antonio Pastor (
Thomas Fossati (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)