There is a new standard from IETF - ACME -- https://datatracker.ietf.org/doc/rfc8555/
Abstract
Public Key Infrastructure using X.509 (PKIX) certificates are used
for a number of purposes, the most significant of which is the
authentication of domain names. Thus, certification authorities
(CAs) in the Web PKI are trusted to verify that an applicant for a
certificate legitimately represents the domain name(s) in the
certificate. As of this writing, this verification is done through a
collection of ad hoc mechanisms. This document describes a protocol
that a CA and an applicant can use to automate the process of
verification and certificate issuance. The protocol also provides
facilities for other certificate management functions, such as
certificate revocation.
see an article Let's Encrypt ACME Protocol is now standardized by the IETF
The ACME protocol is the standardized variant of "Lets Encrypt" certificate issuance. This is NOT appropriate for healthcare use, as this model of certificate management is primarily intended to make the process of server identity proofing as fast as possible. The intended result is that more web servers would support TLS encryption, with the restriction that there is no authentication of the identity proofing.
This is very counter to the use of certificates and TLS in healthcare as recommended by IHE-ATNA profile. The ATNA profile specifically focuses on mutual-authentication using TLS to a locally known trusted authority. In this profile we explicitly explain that this model should NOT use the certificate store that is managed by web-browsers. This ACME model weakens even the web-browser certificate management.
I would recommend against any use of ACME for ATNA based secure node or secure application; and would recommend against use of ACME managed certificate for ANY healthcare traffic, even simple HTTP based traffic.
I would recommend against any use of ACME for ATNA based secure node or secure application; and would recommend against use of ACME managed certificate for ANY healthcare traffic, even simple HTTP based traffic.