# letsencrypt/boulder **Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/letsencrypt-boulder).** 5,654 stars · 637 forks · Go · mpl-2.0 ## Links - GitHub: https://github.com/letsencrypt/boulder - awesome-repositories: https://awesome-repositories.com/repository/letsencrypt-boulder.md ## Topics `acme` `boulder` `ca` `certificate-authority` `go` `lets-encrypt` `pki` `rfc8555` `tls` ## Description Boulder is a production-grade implementation of the ACME (Automated Certificate Management Environment) protocol, built around the same infrastructure that powers Let's Encrypt. It functions as a full certificate authority that automates the issuance, renewal, and revocation of TLS certificates, supporting multiple key algorithms including RSA, ECDSA, and experimental post-quantum ML-DSA keys. The project distinguishes itself through its multi-algorithm PKI hierarchy, which builds separate RSA and ECDSA root chains with cross-signing to support dual-algorithm trust paths. It includes a CRL-based revocation model that generates and publishes Certificate Revocation Lists to S3-compatible storage for offline revocation checking, and implements gRPC service authentication by issuing per-service certificates with multiple Subject Alternative Names for internal microservice communication. Private keys are managed through SoftHSM, a software PKCS#11 module that provides hardware-like security without requiring physical HSM hardware. Boulder provides a complete certificate lifecycle management system, handling domain ownership validation through automated challenges, certificate issuance, revocation processing, and CRL publishing. The project includes a local development CA that runs inside Docker containers for testing ACME client workflows against a real certificate authority, and generates test PKI hierarchies with deterministic key regeneration to avoid redundant creation across test runs. It also supports experimental post-quantum cryptography testing by generating ML-DSA keys and certificates for hybrid cryptographic readiness evaluation. ## Tags ### Security & Cryptography - [ACME Server Implementations](https://awesome-repositories.com/f/security-cryptography/acme-server-implementations.md) — Implements the ACME protocol server that acts as a certificate authority for automated certificate lifecycle management. - [TLS Certificate Management](https://awesome-repositories.com/f/security-cryptography/governance-policy-frameworks/security-infrastructure/tls-certificate-management.md) — Automates TLS certificate issuance by processing ACME client requests through domain validation and signing. ([source](https://cdn.jsdelivr.net/gh/letsencrypt/boulder@main/README.md)) - [gRPC Service Certificates](https://awesome-repositories.com/f/security-cryptography/api-access-security/mutual-tls-authentication/grpc-service-certificates.md) — Issues per-service certificates with multiple Subject Alternative Names for mutual TLS authentication in internal microservice communication. - [ACME Implementations](https://awesome-repositories.com/f/security-cryptography/certificate-authorities/acme-implementations.md) — Provides a full ACME protocol implementation for automated certificate issuance and management, powering Let's Encrypt. - [Multi-Algorithm Certificate Issuers](https://awesome-repositories.com/f/security-cryptography/certificate-issuance-utilities/multi-algorithm-certificate-issuers.md) — Issues X.509 certificates with support for RSA, ECDSA, and experimental ML-DSA key algorithms. - [Certificate Revocations](https://awesome-repositories.com/f/security-cryptography/certificate-revocations.md) — Processes revocation requests for issued certificates, updating status and publishing to certificate transparency logs. ([source](https://cdn.jsdelivr.net/gh/letsencrypt/boulder@main/README.md)) - [CRL Distributors](https://awesome-repositories.com/f/security-cryptography/certificate-revocations/crl-distributors.md) — Publishes and distributes Certificate Revocation Lists to enable offline revocation checking for issued certificates. - [CRL Publishers](https://awesome-repositories.com/f/security-cryptography/certificate-revocations/crl-publishers.md) — Generates and publishes Certificate Revocation Lists to S3-compatible storage for offline revocation checking. - [Multi-Algorithm Root Hierarchies](https://awesome-repositories.com/f/security-cryptography/cryptography/ssl-tls-certificate-management/certificate-authority-management/root-certificate-retrievals/multi-algorithm-root-hierarchies.md) — Builds separate RSA and ECDSA root chains with cross-signing to support dual-algorithm trust paths. - [Domain Validation Protocols](https://awesome-repositories.com/f/security-cryptography/domain-validation-protocols.md) — Verifies domain ownership through automated challenges before certificate issuance proceeds. ([source](https://cdn.jsdelivr.net/gh/letsencrypt/boulder@main/README.md)) - [S3-Compatible CRL Publishers](https://awesome-repositories.com/f/security-cryptography/governance-policy-frameworks/security-infrastructure/tls-certificate-management/certificate-revocation-validation/revocation-list-management/s3-compatible-crl-publishers.md) — Generates and publishes CRLs to an S3-compatible store so relying parties can check certificate revocation status. ([source](https://cdn.jsdelivr.net/gh/letsencrypt/boulder@main/README.md)) - [Multi-Algorithm Issuing Intermediates](https://awesome-repositories.com/f/security-cryptography/intermediate-certificate-authorities/multi-algorithm-issuing-intermediates.md) — Requires at least one RSA and one ECDSA issuing intermediate certificate for the certificate authority to operate. ([source](https://github.com/letsencrypt/boulder/wiki/Deployment-&-Implementation-Guide)) - [Software HSM Emulators](https://awesome-repositories.com/f/security-cryptography/key-management/hardware-backed-key-storage/software-hsm-emulators.md) — Stores private keys in a software PKCS#11 module for hardware-like security without physical HSM hardware. - [Multi-Algorithm PKI Hierarchies](https://awesome-repositories.com/f/security-cryptography/pki-management/multi-algorithm-pki-hierarchies.md) — Builds separate RSA and ECDSA root chains with cross-signing to support dual-algorithm trust paths. - [Public Key Infrastructure](https://awesome-repositories.com/f/security-cryptography/public-key-infrastructure.md) — Generates and manages certificate hierarchies including roots, intermediates, and cross-signed certificates for testing and production. - [Service-to-Service Certificate Authenticators](https://awesome-repositories.com/f/security-cryptography/authentication-services/service-to-service-certificate-authenticators.md) — Generates certificates for service-to-service authentication, including multi-name certificates for replicated services and internal auth. ([source](https://github.com/letsencrypt/boulder/blob/main/test/certs/README.md)) - [Internal Service Certificate Generators](https://awesome-repositories.com/f/security-cryptography/certificate-authorities/client-certificate-generators/internal-service-certificate-generators.md) — Creates per-service certificates with multiple names for gRPC authentication, plus certificates for DNS, Redis, and API TLS handlers. ([source](https://github.com/letsencrypt/boulder/blob/main/test/certs/README.md)) - [gRPC Service Certificate Generators](https://awesome-repositories.com/f/security-cryptography/grpc-security/grpc-and-http-tls-securings/grpc-service-certificate-generators.md) — Generates per-service certificates with multiple Subject Alternative Names for internal gRPC mutual TLS authentication. - [Test Certificate Generation](https://awesome-repositories.com/f/security-cryptography/identity-based-access-control/credential-based-access-controls/credential-testing-utilities/test-certificate-generation.md) — Generates collections of keys and certificates for integration tests, skipping regeneration if the directory already exists. ([source](https://github.com/letsencrypt/boulder/blob/main/test/certs/README.md)) - [Test Certificate Hierarchies](https://awesome-repositories.com/f/security-cryptography/identity-servers/certificate-trust-validation/test-certificate-hierarchies.md) — Creates RSA and ECDSA roots, intermediates, cross-signed certs, and CRLs for integration test end-entity certificates. ([source](https://github.com/letsencrypt/boulder/blob/main/test/certs/README.md)) - [SoftHSM Key Stores](https://awesome-repositories.com/f/security-cryptography/key-management-systems/softhsm-key-stores.md) — Stores private keys in a software PKCS#11 module for hardware-like security without physical HSM hardware. - [ML-DSA Key Generators](https://awesome-repositories.com/f/security-cryptography/post-quantum-cryptographic-operations/ml-dsa-key-generators.md) — Generates ML-DSA keys and certificates for testing hybrid or post-quantum cryptographic readiness. - [ML-DSA Certificate Generators](https://awesome-repositories.com/f/security-cryptography/post-quantum-cryptography/ml-dsa-certificate-generators.md) — Generates ML-DSA keys and certificates to test hybrid or post-quantum cryptographic readiness in certificate issuance.