Boulder is a production-grade implementation of the ACME (Automated Certificate Management Environment) protocol and the certificate authority software behind Let's Encrypt. It is a full CA that automates the issuance, renewal, and revocation of TLS certificates, and it supports several key algorithms: RSA, ECDSA, and, experimentally, post-quantum ML-DSA keys.
Its PKI hierarchy is multi-algorithm: it builds separate RSA and ECDSA root chains and cross-signs between them, so a single end-entity certificate can chain to either root, whichever one a client happens to trust. Revocation is CRL-based: Boulder generates Certificate Revocation Lists and publishes them to S3-compatible storage, so relying parties can check revocation status without contacting the CA at validation time. Internal gRPC traffic between its microservices is authenticated with per-service certificates, each carrying multiple Subject Alternative Names for the hostnames that service is reached at. In the development and test environment, private keys are held in SoftHSM, a software PKCS#11 module. SoftHSM exercises the same PKCS#11 code path a real HSM would, but it provides none of a hardware module's key protection; it is a stand-in for testing, not a substitute for a hardware HSM in production.
Boulder covers the full certificate lifecycle: it validates control of a domain through automated ACME challenges, issues the certificate, processes revocation requests, and publishes CRLs. The project includes a local development CA that runs in Docker containers, so ACME client workflows can be tested against a real certificate authority, and it generates a test PKI hierarchy while avoiding regeneration of test keys that already exist from earlier runs. It also supports experimental post-quantum testing by generating ML-DSA keys and certificates, so readiness for hybrid post-quantum deployments can be evaluated.
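As an added illustration of two of the mechanisms described above, the cross-signed dual-algorithm hierarchy and the CRL-based revocation model, here is a self-contained Go program. It is not part of Boulder and uses neither its code nor its test scripts, only the Go standard library (Go 1.21 or later). It builds an RSA root and an ECDSA root, an ECDSA intermediate signed by the ECDSA root and cross-signed by the RSA root, and one leaf; it then counts how many trust paths a verifier finds for the leaf and issues and checks a CRL. The certificate names, serial numbers, the hostname example.test, and the 24-hour validity periods are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"slices"
	"time"
)

// Hierarchy is a constructed test PKI (not Boulder's own): two roots, an ECDSA intermediate
// signed by the ECDSA root and cross-signed by the RSA root, and one leaf under that intermediate.
type Hierarchy struct {
	RSARoot, ECRoot, ECInt, ECCross, Leaf *x509.Certificate
	intKey                                *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl under parent using the parent's private key and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub crypto.PublicKey, parentKey crypto.Signer) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required by IssueCRL below
	}
}

// BuildHierarchy generates fresh keys and all five certificates.
func BuildHierarchy() *Hierarchy {
	rsaKey := must(rsa.GenerateKey(rand.Reader, 2048))
	ecRootKey := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	intKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rsaTmpl, ecTmpl := caTemplate("Test RSA Root", 1), caTemplate("Test ECDSA Root", 2)
	rsaRoot := sign(rsaTmpl, rsaTmpl, &rsaKey.PublicKey, rsaKey) // parent == template: self-signed
	ecRoot := sign(ecTmpl, ecTmpl, &ecRootKey.PublicKey, ecRootKey)
	ecInt := sign(caTemplate("Test ECDSA Intermediate", 3), ecRoot, &intKey.PublicKey, ecRootKey)
	// The cross-sign has the same subject and public key as ecInt but carries the RSA root's
	// signature, so one leaf chains to whichever root a client happens to trust.
	ecCross := sign(caTemplate("Test ECDSA Intermediate", 4), rsaRoot, &intKey.PublicKey, rsaKey)
	leaf := sign(&x509.Certificate{
		SerialNumber: big.NewInt(5), Subject: pkix.Name{CommonName: "example.test"}, DNSNames: []string{"example.test"}, // hypothetical hostname
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ecInt, &leafKey.PublicKey, intKey)
	return &Hierarchy{rsaRoot, ecRoot, ecInt, ecCross, leaf, intKey}
}

// TrustPaths counts the distinct chains the leaf builds to the trusted roots when both intermediates are offered.
func TrustPaths(h *Hierarchy, trusted ...*x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range trusted {
		roots.AddCert(r)
	}
	inters.AddCert(h.ECInt)
	inters.AddCert(h.ECCross)
	chains, err := h.Leaf.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: roots, Intermediates: inters})
	return len(chains), err
}

// IssueCRL signs a CRL from the intermediate listing the given certificates as revoked (reason 1, keyCompromise).
func (h *Hierarchy) IssueCRL(number int64, revoked ...*x509.Certificate) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries, x509.RevocationListEntry{SerialNumber: c.SerialNumber, RevocationTime: time.Now(), ReasonCode: 1})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, h.ECInt, h.intKey)
}

// IsRevoked is the relying-party side of an offline check: the CRL is trusted only if the expected
// issuer signed it and it is not past NextUpdate; a foreign or stale CRL is an error, not "not revoked".
func IsRevoked(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, errors.New("CRL not signed by the expected issuer: " + err.Error())
	}
	if now.After(crl.NextUpdate) {
		return false, errors.New("CRL is past NextUpdate; fetch a fresh one before trusting it")
	}
	return slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool { return e.SerialNumber.Cmp(serial) == 0 }), nil
}
```

With both roots trusted, TrustPaths finds two chains for the one leaf (leaf, intermediate, ECDSA root; and leaf, cross-signed intermediate, RSA root); with only one root trusted it finds exactly one, which is the whole point of the cross-sign. The two guards in IsRevoked are what make CRLs from offline storage safe to rely on: a CRL that does not verify under the intermediate's key, or whose NextUpdate has passed, must fail closed, otherwise a withheld or replayed stale CRL silently un-revokes every certificate it should have listed.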