github
/
acme.sh
mirror of https://github.com/acmesh-official/acme.sh
1
0
Fork 0
Code Issues Releases Wiki Activity
Page: Profile selection
Pages
Blogs and tutorials BuyPass.com CA CA Change of default CA to ZeroSSL Code of conduct DNS API Dev Guide DNS API Structural Info description DNS API Test DNS alias mode DNS manual mode Deploy ssl certs to apache server Deploy ssl certs to nginx Deploy ssl to SolusVM Donate list Enable acme.sh log Exit Codes Explicitly use DOH Google Public CA Google Trust Services CA Home How to debug acme.sh How to install How to issue a cert How to run on DD WRT with lighttpd How to run on OpenWrt How to use Amazon Route53 API How to use Azure DNS How to use OVH domain api How to use Oracle Cloud Infrastructure DNS How to use lexicon DNS API How to use on Solaris based operating sytsems How to use on embedded FreeBSD Install in China Install preparations Issue a cert from existing CSR OVH Success Options and Params Preferred Chain Profile selection Run acme.sh in docker SSL.com CA Server Simple guide to add TLS cert to cpanel Stateless Mode Synology NAS Guide Synology RT1900ac and RT2600ac install guide TLS ALPN without downtime Usage on Tomato routers Use DNS Exit DNS API Using pre hook post hook renew hook reloadcmd Using systemd units instead of cron Utilize multiple DNS API keys Validity ZeroSSL.com CA _Footer_ deploy to docker containers deployhooks dnsapi dnsapi2 dnscheck dnssleep how about the private key access modes, chmod, or chown or umask ipcert notify openvpn2.4.7服务端和客户端使用注意 revokecert sudo tlsa next key 如何安装 说明
1 Profile selection
Jens Spanier edited this page 2025-09-22 12:01:08 +02:00
Unescape Escape
Table of Contents
This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

Starting with recent CA developments, some Certificate Authorities (CAs) now support issuing certificates under different profiles.
These profiles may differ in terms of validation rules, supported features, or certificate lifetime.

For example, Lets Encrypt provides multiple certificate profiles that define validity periods and capabilities.

Usage

You can select the certificate profile during issuance with the --cert-profile parameter:

acme.sh --issue -d example.com --cert-profile <profile-name>

Example (Lets Encrypt)

acme.sh --issue --server letsencrypt -d example.com -w /home/username/public_html --cert-profile tlsserver

This will request a certificate using Lets Encrypts tlsserver profile.

Important: Certificate Lifetime and --days

Some profiles may reduce the validity period of the certificate (e.g. 160 hours lifetimes instead of 90 days).

When using such profiles, you should also set the --days parameter to ensure that acme.sh renews the certificate early enough:

acme.sh --issue --server letsencrypt -d 203.0.113.195 -w /home/username/public_html --certificate-profile shortlived --days 6

Notes

  • The available profile names depend on the selected CA.
  • If you do not specify --cert-profile, the default profile is used.
  • Always check your CAs documentation for supported profile names and their characteristics.