diff --git a/base/acme/src/main/java/org/dogtagpki/acme/database/LDAPDatabase.java b/base/acme/src/main/java/org/dogtagpki/acme/database/LDAPDatabase.java
index 30182726eba..ef9333cae62 100644
--- a/base/acme/src/main/java/org/dogtagpki/acme/database/LDAPDatabase.java
+++ b/base/acme/src/main/java/org/dogtagpki/acme/database/LDAPDatabase.java
@@ -778,6 +778,10 @@ public void addAuthorization(ACMEAuthorization authorization) throws Exception {
 + "," + RDN_AUTHORIZATION + "," + baseDN;
 LDAPEntry entry = new LDAPEntry(dn, attrSet);
 ldapAdd(entry);
+
+ for (ACMEChallenge challenge : authorization.getChallenges()) {
+ addChallenge(authorization.getAccountID(), challenge);
+ }
 }
 public void addChallenge(String accountID, ACMEChallenge challenge)
diff --git a/base/acme/src/main/java/org/dogtagpki/acme/server/ACMEAuthorizationService.java b/base/acme/src/main/java/org/dogtagpki/acme/server/ACMEAuthorizationService.java
index 741a68cf822..8128c3589cf 100644
--- a/base/acme/src/main/java/org/dogtagpki/acme/server/ACMEAuthorizationService.java
+++ b/base/acme/src/main/java/org/dogtagpki/acme/server/ACMEAuthorizationService.java
@@ -6,8 +6,6 @@ package org.dogtagpki.acme.server;
 import java.net.URI;
-import java.security.SecureRandom;
-import java.util.ArrayList;
 import java.util.Collection;
 import javax.ws.rs.POST;
@@ -20,14 +18,12 @@ import javax.ws.rs.core.Response.ResponseBuilder;
 import javax.ws.rs.core.UriInfo;
-import org.apache.commons.codec.binary.Base64;
 import org.dogtagpki.acme.ACMEAccount;
 import org.dogtagpki.acme.ACMEAuthorization;
 import org.dogtagpki.acme.ACMEChallenge;
 import org.dogtagpki.acme.ACMEHeader;
 import org.dogtagpki.acme.ACMENonce;
 import org.dogtagpki.acme.JWS;
-import org.dogtagpki.acme.validator.ACMEValidator;
 /**
 * @author Endi S. Dewata
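Review bot: The new loop iterates `authorization.getChallenges()` without a null check, so an authorization whose challenge list was never set fails with a NullPointerException after `ldapAdd(entry)` has already succeeded, leaving the authorization entry persisted without any challenges; the code removed from ACMEAuthorizationService.handlePOST in this same commit treated a null list as legitimate, and its surviving `for (ACMEChallenge challenge : challenges)` loop now has the same exposure. Guard the loop with `if (authorization.getChallenges() != null) {` around the `for`, or have the caller guarantee a non-null (possibly empty) list and document that on addAuthorization. Note also that each `addChallenge` is a separate LDAP add with no rollback, so a failure part-way leaves a pending authorization with a partial challenge set; that is worth a comment on the loop if it is accepted behaviour. addAuthorization starts outside the hunk.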
@@ -69,30 +65,8 @@ public Response handlePOST(@PathParam("id") String authzID, JWS jws) throws Exce
 String authorizationStatus = authorization.getStatus();
 logger.info("Authorization status: " + authorizationStatus);
- // generate 128-bit token with JSS
- // TODO: make it configurable
-
- byte[] bytes = new byte[16];
- SecureRandom random = SecureRandom.getInstance("pkcs11prng", "Mozilla-JSS");
- random.nextBytes(bytes);
- String token = Base64.encodeBase64URLSafeString(bytes);
- logger.info("Token: " + token);
-
 Collection challenges = authorization.getChallenges();
- if (challenges == null || challenges.size() <= 0) {
- logger.info("Creating new challenges");
- challenges = new ArrayList<>();
-
- for (ACMEValidator validator : engine.getValidators()) {
- ACMEChallenge challenge = validator.createChallenge(authzID, token);
- challenges.add(challenge);
- }
-
- authorization.setChallenges(challenges);
- engine.updateAuthorization(account, authorization);
- }
-
 logger.info("Challenges:");
 for (ACMEChallenge challenge : challenges) {
 logger.info("- " + challenge.getType() + ": " + challenge.getStatus());
diff --git a/base/acme/src/main/java/org/dogtagpki/acme/server/ACMENewOrderService.java b/base/acme/src/main/java/org/dogtagpki/acme/server/ACMENewOrderService.java
index 83d22887437..54c1bdc2cf4 100644
--- a/base/acme/src/main/java/org/dogtagpki/acme/server/ACMENewOrderService.java
+++ b/base/acme/src/main/java/org/dogtagpki/acme/server/ACMENewOrderService.java
@@ -6,7 +6,9 @@ package org.dogtagpki.acme.server;
 import java.net.URI;
+import java.security.SecureRandom;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Date;
 import javax.ws.rs.POST;
@@ -18,14 +20,17 @@ import javax.ws.rs.core.Response.ResponseBuilder;
 import javax.ws.rs.core.UriInfo;
+import org.apache.commons.codec.binary.Base64;
 import org.dogtagpki.acme.ACMEAccount;
 import org.dogtagpki.acme.ACMEAuthorization;
+import org.dogtagpki.acme.ACMEChallenge;
 import org.dogtagpki.acme.ACMEHeader;
 import org.dogtagpki.acme.ACMEIdentifier;
 import org.dogtagpki.acme.ACMENonce;
 import org.dogtagpki.acme.ACMEOrder;
 import org.dogtagpki.acme.JWS;
 import org.dogtagpki.acme.ValidationResult;
+import org.dogtagpki.acme.validator.ACMEValidator;
 /**
 * @author Endi S. Dewata
@@ -67,6 +72,15 @@ public Response createNewOrder(JWS jws) throws Exception {
 ACMEOrder request = ACMEOrder.fromJSON(payload);
 ArrayList authzIDs = new ArrayList<>();
+ // generate 128-bit token for authorization challenges
+ // TODO: make it configurable
+
+ byte[] bytes = new byte[16];
+ SecureRandom random = SecureRandom.getInstance("pkcs11prng", "Mozilla-JSS");
+ random.nextBytes(bytes);
+ String token = Base64.encodeBase64URLSafeString(bytes);
+ logger.info("Token: " + token);
+
 logger.info("Generating authorization for each identifiers");
 for (ACMEIdentifier identifier : request.getIdentifiers()) {
@@ -114,6 +128,16 @@ public Response createNewOrder(JWS jws) throws Exception {
 authorization.setIdentifier(identifier);
 authorization.setWildcard(wildcard);
+ Collection challenges = new ArrayList<>();
+
+ for (ACMEValidator validator : engine.getValidators()) {
+ ACMEChallenge challenge = validator.createChallenge(authzID, token);
+ logger.info(" - challenge ID: " + challenge.getID());
+ challenges.add(challenge);
+ }
+
+ authorization.setChallenges(challenges);
+
 authorization.setStatus("pending");
 Date expirationTime = engine.getPolicy().getPendingAuthorizationExpirationTime(currentTime);
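Review bot: A single 128-bit token is generated once per order, before the identifier loop, and the later hunk `@@ -114,6 +128,16 @@` passes that same `token` to `validator.createChallenge(authzID, token)` for every validator of every identifier, so all challenges of all authorizations in the order share one token; RFC 8555 section 8.3 defines the token as a random value that uniquely identifies the challenge, and the per-authorization generation this commit removes from ACMEAuthorizationService at least varied it between authorizations. Keep the `SecureRandom` instance hoisted but move `random.nextBytes(bytes); String token = Base64.encodeBase64URLSafeString(bytes);` inside the validator loop so each challenge gets a fresh value. `logger.info("Token: " + token);` records the challenge token at INFO on every new order; the token is delivered to the client and, for HTTP-01, served publicly, so it is not a secret, but routinely logging per-challenge random values adds nothing an operator needs and `logger.debug` is sufficient. createNewOrder continues outside the hunk.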
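Review bot: If `engine.getValidators()` yields no validators, this hunk persists the authorization with an empty challenge list and status "pending", which no client can ever satisfy; unless the engine guarantees at least one validator (not visible here), reject the order explicitly with a check such as `if (challenges.isEmpty()) {` raising an error before `authorization.setChallenges(challenges);`. As rendered, `Collection challenges = new ArrayList<>();` is a raw type; if the page did not drop the type argument, declare it `Collection<ACMEChallenge> challenges = new ArrayList<>();` to match the `ACMEChallenge` elements added to it. The `token` argument here is the per-order value discussed on the preceding hunk. createNewOrder continues outside the hunk.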