<!--
{
  "availability" : [
    "iOS: 16.0.0 -",
    "iPadOS: 16.0.0 -",
    "macCatalyst: 16.0.0 -",
    "macOS: 13.1.0 -",
    "tvOS: 16.0.0 -",
    "visionOS: 1.0.0 -",
    "watchOS: 9.0.0 -"
  ],
  "documentType" : "symbol",
  "framework" : "DeviceManagement",
  "identifier" : "/documentation/DeviceManagement/ACMECertificate",
  "metadataVersion" : "0.1.0",
  "role" : "Device Management Profile",
  "symbol" : {
    "kind" : "Device Management Profile",
    "modules" : [
      "Device Management"
    ],
    "preciseIdentifier" : "mdm-profiles:ACMECertificate"
  },
  "title" : "ACMECertificate"
}
-->

# ACMECertificate

The payload that configures Automated Certificate Management Environment (ACME) settings.

```
object ACMECertificate
```

## Discussion

Specify `com.apple.security.acme` as the payload type.

Use this payload to specify how the device requests a client certificate from an Automated Certificate Management Environment (ACME) server. Other payloads can reference the resulting client identity by the payload’s `PayloadUUID`.

First, the device generates an asymmetric key pair based on the `KeyType`, `KeySize`, and `HardwareBound` fields. Then the device communicates with the ACME server: it requests a new order using the `ClientIdentifier` as the `permanent-identifier`. The ACME server responds with a challenge of type `device-attest-01`. If `Attest` is `true`, the device requests an attestation of the key and device properties. It then replies to the challenge with a WebAuthn attestation statement, which contains the attestation if the device obtained one. The device submits a certificate signing request matching the key and containing the `ClientIdentifier`, `Subject`, `SubjectAltName`, `UsageFlags`, and `ExtendedKeyUsage` fields. The ACME server issues a certificate, and the device stores the resulting identity.

For details on the content of the attestation provided to the ACME server, see the documentation of the `DevicePropertiesAttestation` key in the [`DeviceInformationResponse.QueryResponses`](/documentation/DeviceManagement/DeviceInformationResponse/QueryResponses-data.dictionary) response. In the attestation certificate, the value of the freshness code OID is the SHA-256 hash of the `token` from the `device-attest-01` challenge.

### ACME attestation hardware support

The following table indicates which System on Chips (SoCs) support ACME attestation.
If the `Attest` key is `false` or ignored, the ACME server does not receive an attestation.

|Attest key support|iPhone, iPad                        |Mac           |Apple TV               |Apple Watch   |Vision Pro|
|------------------|------------------------------------|--------------|-----------------------|--------------|----------|
|Must be false     |none                                |T1 and earlier|none                   |none          |none      |
|Ignored           |A10x Fusion and earlier             |T2            |A10x Fusion and earlier|S3 and earlier|none      |
|Supported         |A11 Bionic and later<br>All M series|Apple silicon |A12 Bionic and later   |S4 and later  |All       |

### Profile availability

|||
|--------------------------|------------------------------------------------|
|Device channel            |iOS, macOS, Shared iPad, tvOS, visionOS, watchOS|
|User channel              |macOS                                           |
|Allow manual install      |iOS, macOS, tvOS, visionOS, watchOS             |
|Requires supervision      |N/A                                             |
|Requires user-approved MDM|N/A                                             |
|Allowed in user enrollment|iOS, macOS, visionOS                            |
|Allow multiple payloads   |iOS, macOS, Shared iPad, tvOS, visionOS, watchOS|

### Example Profile

```plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>ClientIdentifier</key>
            <string>this is an identifier</string>
            <key>ExtendedKeyUsage</key>
            <array>
                <string>1.3.6.1.5.5.7.3.2</string>
            </array>
            <key>HardwareBound</key>
            <true/>
            <key>KeySize</key>
            <integer>384</integer>
            <key>KeyType</key>
            <string>ECSECPrimeRandom</string>
            <key>UsageFlags</key>
            <integer>5</integer>
            <key>PayloadIdentifier</key>
            <string>com.example.myacmepayload</string>
            <key>PayloadType</key>
            <string>com.apple.security.acme</string>
            <key>PayloadUUID</key>
            <string>cbdc6238-feec-4171-878d-34e576bbb813</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Subject</key>
            <array>
                <array>
                    <array>
                        <string>C</string>
                        <string>US</string>
                    </array>
                </array>
                <array>
                    <array>
                        <string>O</string>
                        <string>Example Inc.</string>
                    </array>
                </array>
                <array>
                    <array>
                        <string>1.2.840.113635.100.6.99999.99999</string>
                        <string>test custom OID value</string>
                    </array>
                </array>
            </array>
            <key>SubjectAltName</key>
            <dict>
                <key>dNSName</key>
                <string>site.example.com</string>
            </dict>
            <key>DirectoryURL</key>
            <string>https://acme.example.com/acme</string>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>ACME</string>
    <key>PayloadIdentifier</key>
    <string>com.example.myprofile</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>ce876f81-abf0-46f9-9e68-9b3a7ede8097</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
```
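As an added example (not Apple's code), the following script parses a configuration profile with `plistlib` and audits every `com.apple.security.acme` payload against the fields described above: https-only `DirectoryURL`, a non-empty `ClientIdentifier`, hardware-bound EC keys, `Attest` set so the ACME server actually receives an attestation, and the client-authentication EKU. The thresholds are this script's own policy assumptions, and the two profiles it checks are constructed inline.

```python
import plistlib

ACME_PAYLOAD_TYPE = "com.apple.security.acme"
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth, the EKU used in the page's example


def audit_acme_payload(payload: dict) -> list[str]:
    """Return policy findings for one com.apple.security.acme payload dictionary.

    Thresholds (EC keys of at least 256 bits, https only, attestation and
    hardware binding required) are this script's assumed policy, not Apple's rules.
    """
    findings = []
    if not payload.get("DirectoryURL", "").startswith("https://"):
        findings.append("DirectoryURL must use https")
    if not payload.get("ClientIdentifier"):
        findings.append("ClientIdentifier missing (it becomes the permanent-identifier)")
    if payload.get("KeyType") != "ECSECPrimeRandom" or payload.get("KeySize", 0) < 256:
        findings.append("KeyType/KeySize below policy (want ECSECPrimeRandom >= 256)")
    if payload.get("HardwareBound") is not True:
        findings.append("HardwareBound is not true: key is not hardware-bound")
    if payload.get("Attest") is not True:
        findings.append("Attest is not true: ACME server receives no attestation")
    if CLIENT_AUTH_EKU not in payload.get("ExtendedKeyUsage", []):
        findings.append("ExtendedKeyUsage lacks id-kp-clientAuth")
    return findings


def audit_profile(profile_bytes: bytes) -> dict[str, list[str]]:
    """Parse a profile plist and audit each ACME payload in it, keyed by PayloadUUID."""
    profile = plistlib.loads(profile_bytes)
    results = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == ACME_PAYLOAD_TYPE:
            results[payload.get("PayloadUUID", "<no uuid>")] = audit_acme_payload(payload)
    return results


def constructed_profile(**acme_fields) -> bytes:
    """Build a minimal profile plist around one ACME payload (constructed sample input)."""
    payload = {"PayloadType": ACME_PAYLOAD_TYPE, "PayloadUUID": "00000000-0000-4000-8000-000000000001",
               "PayloadIdentifier": "com.example.acme", "PayloadVersion": 1, **acme_fields}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.example.profile",
                           "PayloadUUID": "00000000-0000-4000-8000-000000000002",
                           "PayloadContent": [payload]})


# Constructed inputs: one payload that meets the policy, one that misses on five points.
STRONG = constructed_profile(ClientIdentifier="device-1234", DirectoryURL="https://acme.example.com/acme",
                             KeyType="ECSECPrimeRandom", KeySize=384, HardwareBound=True, Attest=True,
                             ExtendedKeyUsage=[CLIENT_AUTH_EKU])
WEAK = constructed_profile(ClientIdentifier="device-1234", DirectoryURL="http://acme.example.com/acme",
                           KeyType="RSA", KeySize=2048, HardwareBound=False,
                           ExtendedKeyUsage=["1.3.6.1.5.5.7.3.1"])

if __name__ == "__main__":
    for name, blob in (("strong", STRONG), ("weak", WEAK)):
        print(name, audit_profile(blob))
```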

## Topics

### Objects

[`ACMECertificate.SubjectAltName`](/documentation/DeviceManagement/ACMECertificate/SubjectAltName-data.dictionary)

The subject’s alternative name details.



---

Copyright &copy; 2026 Apple Inc. All rights reserved. | [Terms of Use](https://www.apple.com/legal/internet-services/terms/site.html) | [Privacy Policy](https://www.apple.com/privacy/privacy-policy)
