[Acme] Questions on ACME Protocol: Wildcard Certificate Distribution & Certificate Pinning for Mobile Apps
Marin Mihajlović <Marin.Mihajlovic@asee.io> Fri, 10 April 2026 11:25 UTC
From: Marin Mihajlović <Marin.Mihajlovic@asee.io>
To: "acme@ietf.org" <acme@ietf.org>
Date: Fri, 10 Apr 2026 11:25:21 +0000
Message-ID: <AS1PR05MB96515D12FA2B11DCE4B2F79D8F592@AS1PR05MB9651.eurprd05.prod.outlook.com>
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Tss_k4dHsJNYNeKlJPSTKt9IgvE>
Hello,

I hope this message finds you well. I'm reaching out to the ACME Working Group with two questions regarding challenges we're facing in our certificate lifecycle management, and I'd appreciate any insights, recommendations, or pointers to existing work in this area.

1. Wildcard Certificate Distribution Across Multiple Servers

We currently use the ACME protocol to automatically renew a wildcard certificate on a single server. However, the same certificate and private key are used for TLS termination on multiple servers. At the moment, we lack an automated mechanism to distribute the renewed certificate and private key to all other servers that depend on it.

Does the working group have any recommendations or best practices for handling this scenario? Are there any existing extensions, draft proposals, or commonly adopted patterns within the ACME ecosystem that address automated distribution of certificates and private keys to multiple endpoints after renewal?

2. Certificate Pinning in Mobile Applications

We maintain mobile applications that implement certificate pinning. Each time a certificate is renewed, we currently need to build and release a new version of the app with the updated pinned certificate. This creates an operational bottleneck and a window of potential service disruption.

Is there any work being done within the ACME protocol or related specifications to help coordinate certificate renewal with certificate pinning scenarios? For example, mechanisms to pre-publish upcoming certificate details (such as public keys or SPKI hashes) ahead of the actual renewal, so that pinning configurations can be updated proactively?

Any guidance, references to relevant RFCs or drafts, or practical experience the group can share would be greatly appreciated.

Thank you for your time.

Best regards,

Marin Mihajlović
Software Architect
ASEE SOLUTIONS d.o.o.
+385 95 5541 310 | marin.mihajlovic@asee.io
https://asee.io
http://www.linkedin.com/company/asseco-south-eastern-europe
http://twitter.com/Asseco_SEE
https://www.facebook.com/Asseco-SEE-Hrvatska-310088196054642/
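The second question above asks for a way to publish upcoming SPKI hashes ahead of renewal. The pattern that makes this work without any protocol extension is to pin the key rather than the certificate, generate the next key pair before it is needed, ship its SPKI hash as a backup pin in the app, and then have the ACME client reuse that pre-generated key in the CSR at the next renewal (RFC 8555 lets the client choose the CSR key; RFC 7469 is where the base64(SHA-256(SPKI)) pin format and the backup-pin requirement come from). The Go program below is an added example written for this page, not code from the message's author, from the working group, or from any ACME client; it uses self-signed certificates as a constructed stand-in for CA-issued ones, ECDSA P-256 keys, and the made-up name `*.example.test`. It walks one rotation cycle: an app release pins the current key plus a pre-generated backup, the renewal is issued against the backup key, the installed app keeps working, the next release rotates the pins forward, and a certificate for a key nobody pinned is rejected throughout.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin computes the pin used by HPKP (RFC 7469) and by most mobile pinning
// libraries: base64(SHA-256(DER-encoded SubjectPublicKeyInfo)). Because the
// pin covers only the key, a renewal that reuses the key leaves it unchanged.
func SPKIPin(pub any) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// PinSet is what one app release ships with: the key in service today plus at
// least one backup key that has been generated but not yet certified.
type PinSet map[string]bool

// NewPinSet builds a PinSet from public keys; it panics on the only possible
// error (an unsupported key type), which cannot happen for keys built here.
func NewPinSet(pubs ...any) PinSet {
	ps := PinSet{}
	for _, p := range pubs {
		pin, err := SPKIPin(p)
		if err != nil {
			panic(err)
		}
		ps[pin] = true
	}
	return ps
}

// Matches reports whether the leaf certificate carries a pinned key. The same
// check can gate a renewal hook before the new certificate is pushed to the
// other TLS terminators, so a key mismatch never reaches production.
func (ps PinSet) Matches(leaf *x509.Certificate) bool {
	pin, err := SPKIPin(leaf.PublicKey)
	return err == nil && ps[pin]
}

// genKey creates the kind of key an ACME client would place in its CSR.
func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// selfSignedLeaf is a constructed stand-in for the CA-issued certificate;
// only the public key inside it matters to the pin check.
func selfSignedLeaf(key *ecdsa.PrivateKey, name string) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return leaf
}

// RotationScenario walks one renewal cycle and reports three outcomes: the
// shipped app accepts both the current and the renewed certificate, the next
// release (pins rotated forward) accepts the renewed one and drops the old
// key, and a certificate for an unknown key is rejected by both releases.
func RotationScenario() (shippedAccepts, rotatedAccepts, unknownRejected bool) {
	current, next := genKey(), genKey() // `next` exists now, is certified later
	shipped := NewPinSet(&current.PublicKey, &next.PublicKey)
	leafNow := selfSignedLeaf(current, "*.example.test")

	// Renewal: the CSR reuses the pre-generated key, so the issued leaf
	// carries a key whose pin the installed app already trusts.
	leafRenewed := selfSignedLeaf(next, "*.example.test")
	shippedAccepts = shipped.Matches(leafNow) && shipped.Matches(leafRenewed)

	following := genKey() // new backup, shipped with the next app release
	rotated := NewPinSet(&next.PublicKey, &following.PublicKey)
	rotatedAccepts = rotated.Matches(leafRenewed) && !rotated.Matches(leafNow)

	leafUnknown := selfSignedLeaf(genKey(), "*.example.test")
	unknownRejected = !shipped.Matches(leafUnknown) && !rotated.Matches(leafUnknown)
	return
}

func main() {
	a, b, c := RotationScenario()
	fmt.Println("shipped app accepts current and renewed:", a)
	fmt.Println("rotated app accepts renewed, drops old:", b)
	fmt.Println("certificate for unknown key rejected:", c)
}
```

The operational consequence for the first question is that the private key is no longer something the renewal produces: it is generated in advance, and the renewal only attaches a new certificate to it. Whatever mechanism distributes the certificate to the other TLS terminators can run `Matches` against the pin set of the oldest app release still in the field before it copies anything, and the backup key must be kept offline until the renewal that consumes it.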