ACMEv2 support

django-ca has preliminary ACMEv2 support that allows you to retrieve certificates via certbot or other standard ACME clients.


Support for ACME is still in development and must be explicitly activated. Some features are not yet implemented. Use this feature only with the necessary caution.

ACME support will be enabled by default starting with django-ca=1.22.0.


To enable ACME support, simply set CA_ENABLE_ACME=True in your settings.

There are more settings for ACMEv2 support; see ACMEv2 settings for more information.

You must enable ACME for each CA individually, either in the admin interface or via the edit_ca management command.

Enable ACMEv2 for a CA

In addition to setting CA_ENABLE_ACME=True, a CA can only be used for issuing certificates via ACMEv2 if ACMEv2 is explicitly enabled for that CA.

You have to enable the feature for every CA individually. You can do so either in the admin interface or via the command line when creating a CA or editing it:

$ python init_ca --acme-enable ...
$ python edit_ca --acme-enable ...
$ python edit_ca --acme-disable ...

Known limitations

ACMEv2 support is preliminary, is known to be incomplete, and may contain critical bugs, but at least basic certificate issuance is working.

The following things are known to not yet work:

  • Pre-Authorization for certificates

  • External account bindings

  • CAA validation (django-ca will happily issue certificates for etc.)

  • Wildcard certificates
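
A client-side pre-flight check for the limitations listed above, as an added example (not part of django-ca or its documentation). It inspects an RFC 8555 directory object before an order is placed. The function name `preflight`, the host `ca.example.com`, and the URL paths are assumptions made for illustration; the sample directory is constructed.

```python
import json
from urllib.parse import urlsplit

# Fields an RFC 8555 directory object needs for basic issuance.
REQUIRED = ("newNonce", "newAccount", "newOrder")


def preflight(directory_url, directory, domains):
    """Return a list of problems; an empty list means the request can proceed."""
    problems = []
    origin = urlsplit(directory_url)
    if origin.scheme != "https":
        problems.append("directory URL is not https")
    for field in REQUIRED:
        url = directory.get(field)
        if not isinstance(url, str):
            problems.append(f"directory lacks {field}")
            continue
        target = urlsplit(url)
        # Endpoints on another origin would receive the signed account requests.
        if (target.scheme, target.netloc) != (origin.scheme, origin.netloc):
            problems.append(f"{field} points to a different origin: {url}")
    # Known limitation: pre-authorization. RFC 8555 says a server without it
    # must omit newAuthz, so a client must not rely on it here.
    if "newAuthz" in directory:
        problems.append("newAuthz advertised, but pre-authorization is not supported")
    # Known limitation: external account bindings.
    if directory.get("meta", {}).get("externalAccountRequired"):
        problems.append("server requires external account binding")
    # Known limitation: wildcard certificates.
    for name in domains:
        if name.startswith("*."):
            problems.append(f"wildcard name not supported: {name}")
    return problems


# Constructed sample data: host and paths are placeholders, not django-ca's layout.
SAMPLE_URL = "https://ca.example.com/acme/directory/"
SAMPLE_DIRECTORY = json.loads("""{
  "newNonce": "https://ca.example.com/acme/new-nonce/",
  "newAccount": "https://ca.example.com/acme/new-account/",
  "newOrder": "https://ca.example.com/acme/new-order/",
  "meta": {"externalAccountRequired": false}
}""")

if __name__ == "__main__":
    for problem in preflight(SAMPLE_URL, SAMPLE_DIRECTORY, ["www.example.com", "*.example.com"]):
        print(problem)
```

Since CAA validation is also on the list, a check like this does not replace restricting who can reach the ACME endpoints.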


You can retrieve a certificate via ACMEv2 by telling your client to use our CA. For example, if you have your CA at, you can get a certificate with certbot like this:

$ certbot register --agree-tos -m \
>     --server
$ certbot certonly --standalone \
>     --server
>     -d

Multiple CAs

If you want to enable ACMEv2 for multiple CAs, you can append the serial of your CA to your directory URL to explicitly name the CA you want to use:

$ python ca/ list_cas
10:65:9E:... - child
6C:16:EF:... - root

# Enable ACMEv2 for both CAs:
$ python ca/ edit_ca --acme-enable 10:65:9E:...
$ python ca/ edit_ca --acme-enable 6C:16:EF:...

# The default directory URL will point to the default CA:
$ curl -qs | jq -r .newAccount

# But you can also explicitly name the serial in the directory URL:
$ curl -qs | jq .newAccount
$ curl -qs | jq .newAccount

The default CA used is determined by the CA_DEFAULT_CA setting and the algorithm described there.