Automated PKI Certificate Deployment with ACME

Seamless automation for SSL/TLS certificate management


ACME: SSL Certificate management made simple – for everyone

Certificate management is a burden, and the stakes are highest when you are managing publicly trusted SSL/TLS certificates. In that context, without ACME, a mistake means outages, downtime, lost revenue, lost productivity, even brand damage. With the number of certificates in use growing rapidly, managing them all has never been more complex.

It’s time to automate. Stop managing certificates manually and let ACME streamline and simplify it all. GlobalSign’s ACME Service is a powerful option for any organization, large or small, to improve its efficiency and security posture through automation.

Issue Certificates

Easily issue new SSL/TLS certificates to any connected endpoint

Install Certificates

No more manual installation: it all happens silently behind the scenes

Replace Certificates

Whether you need to renew or revoke, ACME can handle it in seconds

How does ACME work?

The ACME protocol (Automated Certificate Management Environment) automates certificate lifecycle management for SSL/TLS. ACME was originally designed by the Internet Security Research Group (ISRG) for Let’s Encrypt and is standardized by the IETF as RFC 8555; its most widely used client, Certbot, is maintained by the Electronic Frontier Foundation. The protocol defines how a client talks directly to a CA (Certificate Authority) to request, renew, and revoke SSL/TLS certificates; the client then installs the certificates it receives.

GlobalSign’s ACME Service gives customers the flexibility to use any ACME client that meets the defined specifications to interface directly with Atlas, GlobalSign’s next-generation Cloud Certificate Authority. Clients are generally open-source and are built for use on specific platforms or with specific operating systems.

  1. A client is chosen based on the organization’s needs, and its agent is installed on the web servers.

  2. The agent is configured to contact Atlas, and an ACME account key pair is created.

  3. Using the ACME account key, the agent requests, installs, and renews SSL/TLS certificates.
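Step 2 is where a commercial CA such as GlobalSign differs from a public CA like Let’s Encrypt: the ACME account key is not registered anonymously but is bound to your Atlas credentials through ACME’s external account binding (RFC 8555, section 7.3.4), which is what the --eab-kid and --eab-hmac-key options in the Certbot command later on this page carry. The Python below is an added example, not GlobalSign’s or Certbot’s code, showing both halves of that binding with a constructed key id, secret, URL and account JWK: the client wraps its new account public key in an HMAC-SHA256 JWS, and the CA recomputes the MAC and rejects a wrong secret, a wrong key id, a wrong URL, or a bound key that differs from the one signing the outer newAccount request.

```python
"""External account binding (EAB) for an ACME newAccount request (RFC 8555, section 7.3.4).

Client side: wrap the public half of the freshly generated ACME account key (as a JWK)
in a JWS signed with HMAC-SHA256 under the secret the CA handed out.
CA side: recompute the MAC and check that the bound key is the same key that signs
the outer newAccount request, so an ACME account can only be attached to the
customer account that owns the secret.
All key ids, secrets, URLs and the JWK below are constructed example values.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed example credentials; a real deployment gets these from the CA.
EAB_KID = "example-atlas-api-key-id"
EAB_HMAC_KEY = b64url(b"constructed-32-byte-hmac-secret!")   # CA hands the secret out base64url-encoded
NEW_ACCOUNT_URL = "https://acme.example.test/new-account"
# Public JWK of the ACME account key the client just generated (coordinates borrowed from
# the RFC 7515 example P-256 key; only the public part is ever sent to the CA).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def build_eab(account_jwk, eab_kid, eab_hmac_key_b64, new_account_url):
    """Client: produce the externalAccountBinding JWS that goes into the newAccount payload."""
    protected = b64url(_compact_json({"alg": "HS256", "kid": eab_kid, "url": new_account_url}))
    payload = b64url(_compact_json(account_jwk))
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(b64url_decode(eab_hmac_key_b64), signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_eab(eab, outer_account_jwk, known_kid, eab_hmac_key_b64, new_account_url):
    """CA: accept the binding only if header fields, MAC and bound key all check out."""
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
        signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    except (KeyError, TypeError, ValueError):
        return False
    if not isinstance(protected, dict) or protected.get("alg") != "HS256":  # no "none", no alg confusion
        return False
    if protected.get("kid") != known_kid or protected.get("url") != new_account_url:
        return False
    expected = hmac.new(b64url_decode(eab_hmac_key_b64), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    # The JWK inside the EAB must be the key that signed the surrounding newAccount JWS.
    return bound_jwk == outer_account_jwk


if __name__ == "__main__":
    eab = build_eab(ACCOUNT_JWK, EAB_KID, EAB_HMAC_KEY, NEW_ACCOUNT_URL)
    new_account_payload = {
        "termsOfServiceAgreed": True,
        "contact": ["mailto:admin@example.test"],
        "externalAccountBinding": eab,
    }
    print(json.dumps(new_account_payload, indent=2))
    print("CA accepts binding:", verify_eab(eab, ACCOUNT_JWK, EAB_KID, EAB_HMAC_KEY, NEW_ACCOUNT_URL))
```

The point to take from the CA side is that the EAB secret never leaves your environment except as a MAC: a leaked --eab-hmac-key lets anyone create ACME accounts under your Atlas account, so treat it like an API credential and rotate it from the Atlas side if a server holding it is compromised.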

Benefits of using ACME with GlobalSign

Using the ACME protocol to automate certificate management with GlobalSign has a myriad of benefits:

  • No more hand-generating CSRs or manually completing domain validation
  • No need to access the server to install new certificates and replace old ones
  • Eliminate human errors that lead to expirations and service outages
  • Save time and resources by eliminating tedious certificate management tasks
  • Receive full support and SLAs from a globally trusted Certificate Authority
  • Choose between OV and DV certificates issued by a globally trusted Certificate Authority

Certificate lifespans are only going to get shorter! In the last five years, the maximum validity of a publicly trusted SSL/TLS certificate has dropped from three years to 398 days, about one year.
That means more certificates being issued more often, and more for your organization to manage. The time to start automating is now!

What is ACME Protocol?

The Automated Certificate Management Environment (ACME) is a protocol that removes the need for manual intervention by automating the issuance and renewal of SSL/TLS certificates. An agent running on your endpoint communicates with our CA to obtain and renew certificates, fully automating the key processes required to manage every SSL/TLS certificate on every endpoint in your organization.

After ACME is set up and configured, the key lifecycle functions run behind the scenes on a schedule. ACME explained: here is why it is important:
  • Certificate validity and domain reuse periods have reduced from multiple years to one year and these are expected to decrease further.
  • Automation reduces the considerable burdens traditionally associated with large scale deployments and lifecycle management at the enterprise level.
  • ACME eliminates website outages due to expired certificates, along with the reputation and monetary impact on your enterprise.
  • Compliance requirements around connection security and other relevant areas are onerous, constantly changing and can cost organizations dearly if violated.

How ACME supports Certificate Lifecycle Management?

ACME’s certificate lifecycle management capabilities simplify certificate management and make it more efficient for both users and the Certificate Authority, specifically in:
  1. Certificate renewal – you can renew your certificate automatically and prevent website outages due to expired certificates.
  2. Certificate revocation – you can revoke your certificates when they are no longer needed or are compromised.
  3. Certificate information retrieval – you can retrieve certificate information, such as the expiration date and issuing Certificate Authority with ease.
  4. Multiple certificates management – you can easily manage large numbers of certificates for your websites.

How does ACME protocol work?

By leveraging ACME, organizations can streamline and automate otherwise time-consuming processes, such as CSR generation, domain ownership verification, certificate issuance, and installation.

Issuance/Renewal

The issuance/renewal process is simple:

  1. The agent sends an order request and digitally signs it with its account key pair.
  2. Our Atlas Certificate Authority returns a domain validation challenge to verify that the agent is authorized to act for the domain. A successful domain validation can be reused for 397 days.
  3. The agent responds that it has fulfilled the challenge, again signing the response with its account key. Atlas then performs the check (fetching the http-01 file or querying the dns-01 TXT record).
  4. Following verification, the agent generates a key pair and CSR for its web server and submits the CSR to Atlas in a finalize request signed with its account key.
  5. Atlas verifies the signature, and we issue the SSL/TLS certificate.
  6. The agent receives the certificate and installs/configures it on the server.
The revocation process is similar:
  1. The agent generates a revocation request for the certificate and signs it with either the account key or the private key of the certificate being revoked.
  2. Atlas verifies the digital signature.
  3. We revoke the certificate.
  4. We publish the revocation to the relevant Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) responders.

Clients compatible with ACME

The beauty of ACME is you can find the right client regardless of server type.

Some of the most popular ACME clients are:
  • Certbot
  • ACMESharp
  • acme-client
  • Posh-ACME
  • Caddy
  • nginx ACME

How does validation work?

ACME validation works by verifying that the entity requesting the SSL/TLS certificate is authorized to use the domain name for which the certificate is being requested. Upon successful validation, a certificate is granted for the domain.

Domain Reuse Period

Domains validated via ACME can be reused for 397 days before they need to be revalidated.

Validation needed to use ACME

ACME validation is designed to be automated, which means that the entire process can be completed in a snap. This validation is done using one of these methods:
  1. HTTP Validation

    The HTTP domain validation method (http-01) relies on the ACME agent placing a key-authorization value, derived from a random token issued by the CA, at http://<YOURDOMAIN.COM>/.well-known/acme-challenge/<token>. Certbot does HTTP validation by default. Use the following command to register your GlobalSign Atlas account with Certbot and request a certificate using the HTTP validation method in one step.

    certbot certonly --webroot -w <YOUR DOMAIN ROOT FOLDER ADDRESS> -d <YOURDOMAIN.COM> -n --agree-tos --eab-kid <YOUR-API-KEY> --eab-hmac-key <YOUR-MAC-KEY> -m <YOUR@EMAIL.COM> --server https://emea.acme.atlas.globalsign.com/directory

    If your Atlas account has already been registered in your Certbot client then you can use the following code sample to request a certificate using the HTTP validation method.

    certbot certonly --webroot -w <YOUR DOMAIN ROOT FOLDER ADDRESS> -d <YOURDOMAIN.COM> --server https://emea.acme.atlas.globalsign.com/directory

    If you wish to issue a certificate from your own CSR, generate the CSR with a SHA-256, SHA-384, or SHA-512 signature hash.

    If you need a wildcard SAN, you must use the DNS method: the CA/Browser Forum Baseline Requirements prohibit HTTP validation for the issuance of wildcard certificates.

  2. DNS Validation

    The DNS validation method (dns-01) asks the GlobalSign ACME server to check a DNS TXT record for your domain. The CA gives your client a token; the client derives the record value from that token and its account key and publishes it as a TXT record at _acme-challenge.<YOURDOMAIN.COM>. Certbot selects HTTP validation by default, so you need to tell it to use DNS validation instead (for example with --preferred-challenges dns together with a DNS plugin). The exact command depends on how your ACME client is configured.

    Note: DNS validation requires manual configuration or additional plugins; for more information, see https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins

  3. Other Domain Validation Methods

    The GlobalSign Atlas platform supports several other domain validation methods which can be used to validate domains to the specified identity profile and then subsequently used by ACME. For more information, refer to our Atlas API guide.
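The HTTP and DNS methods above come down to one computation, which the following added Python example (not GlobalSign’s or Certbot’s code) works through from both sides: the client derives the http-01 body and the dns-01 TXT value from the CA’s token and its own account key, and the CA recomputes them from the same inputs and compares. The token, domain names and account JWK are constructed values. The example also covers the wildcard rule stated in the HTTP section: http-01 refuses *.example.test, while dns-01 places the TXT record at the base name.

```python
"""http-01 and dns-01 challenge responses (RFC 8555 section 8; JWK thumbprint per RFC 7638).

Both challenges prove control of the same secret, the key authorization
"<token>.<thumbprint of the account public key>": http-01 serves it verbatim at a
well-known URL, dns-01 publishes the base64url SHA-256 digest of it in a TXT record.
The CA recomputes the expected value from the token it issued and the account key it
already holds, so a client can never pick the value it is validated against.
The token, domains and JWK below are constructed example values.
"""
import base64
import hashlib
import hmac
import json
import re

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # tokens are base64url; rejects "../"-style paths

# Token as the CA would issue it (value copied from the RFC 8555 example) and the public
# JWK of the client's account key (coordinates from the RFC 7515 example P-256 key).
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, sorted, no whitespace.
    Extra members such as "use" or "kid" and the input ordering do not change it."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_value(token: str, jwk: dict) -> str:
    """TXT record content: base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


# ---- client side: what to publish ----
def http01_response(domain: str, token: str, jwk: dict) -> dict:
    """Body to serve at the well-known URL. Wildcard names are refused because the
    Baseline Requirements do not allow HTTP validation for them."""
    if domain.startswith("*."):
        raise ValueError("http-01 cannot validate a wildcard name; use dns-01")
    return {"url": f"http://{domain}/.well-known/acme-challenge/{token}",
            "body": key_authorization(token, jwk)}


def dns01_response(domain: str, token: str, jwk: dict) -> dict:
    """TXT record to publish. For "*.example.test" the record goes at the base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return {"name": f"_acme-challenge.{base}", "type": "TXT", "value": dns01_value(token, jwk)}


# ---- CA side: validation against the token and account key it already holds ----
def _ct_equal(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def ca_validate_http01(fetched_body: str, token: str, account_jwk: dict) -> bool:
    """Trailing whitespace is ignored, as RFC 8555 section 8.3 allows (web servers often add a newline)."""
    if not TOKEN_RE.match(token):
        return False
    return _ct_equal(fetched_body.rstrip(), key_authorization(token, account_jwk))


def ca_validate_dns01(txt_records: list, token: str, account_jwk: dict) -> bool:
    """A name may carry several TXT records (two pending orders, other tooling);
    validation succeeds if any one of them matches."""
    expected = dns01_value(token, account_jwk)
    return any(_ct_equal(record, expected) for record in txt_records)


if __name__ == "__main__":
    print("http-01:", http01_response("www.example.test", TOKEN, ACCOUNT_JWK))
    print("dns-01 :", dns01_response("*.example.test", TOKEN, ACCOUNT_JWK))
```

Two practical consequences follow from the code: the http-01 file is worthless to an attacker who does not also hold your account private key, because the CA only accepts the key authorization for the key that signed the order; and because dns-01 publishes a digest rather than the key authorization itself, a TXT record left behind after validation reveals nothing reusable.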

Tell us your use case and we'll tell you how ACME can help.

Let’s automate your certificates with GlobalSign’s ACME Solution. Talk to us!

See how ACME makes certificate management easy:

  • Install
  • Issue
  • Replace

...in a SNAP!