With the proposal of shortening SSL/TLS certificate lifespans and the prospect of spending cuts within the tech and cybersecurity industries, IT teams are under growing pressure to ensure security within enterprises. IT teams are turning to automation solutions to meet these growing demands within enterprise cybersecurity, the ACME protocol being one such solution.
The Automatic Certificate Management Environment (ACME) protocol is a tool used for certificate automation, saving time and department resources as well as eliminating the risk of human error and plugging gaps in enterprise security. Without it, certificates may become misplaced or overlooked, resulting in their expiration; ACME can help to alleviate this strain on IT teams.
Let’s take a deeper look into the ACME protocol, what it is, and how enterprises are utilizing it to manage security.
What is the Automatic Certificate Management Environment (ACME) Protocol?
ACME is a protocol that facilitates communication between Certificate Authorities (CAs) and an ACME client that runs on a user's server to automate certificate issuance, revocation and renewal.
Users implement an authorized agent, such as Certbot, to interface with the CA and manage their Certificate Signing Requests (CSRs) so that certificate issuance and renewal is managed in the background, without human intervention, leaving IT teams to focus on other areas of security.
ACME was created as an approach to managing shrinking SSL/TLS certificate lifespans, supplying 90-day certificates free of charge. Since then, Certificate Authorities (CAs) have adopted the ACME protocol to manage a more comprehensive inventory of certificates.
How Does ACME Work?
Users implement a certificate management agent, or client, to interface with a CA platform (Server). To do this, the agent generates a key pair that is validated by the CA. Once the key pair is validated, the agent has the authority to manage CSRs, sending them to CA certificate management platforms, like Atlas. The certificate is then issued back to the agent which then installs it and notifies the user.
Key Features of ACME
Employing ACME as part of your security posture offers a much more functional approach to cybersecurity than traditional methods like organizing your certificate inventory in a number of spreadsheets and manually creating CSRs.
- Scalability: ACME allows for the user to handle certificates in bulk, meaning that large numbers of multiple types of certificates can be issued, renewed and revoked simultaneously.
- Service Level Agreements (SLAs): Unlike free-to-use, crowdsourced ACME services, providers such as GlobalSign offer support at every stage of implementation and beyond, so you can ensure high-level, automated security.
- Private Key Handling: ACME allows enterprises to manage their own key security instead of employing a third party to do this for them.
Simply maintaining your certificate inventory within a spreadsheet exposes servers and domains to vulnerabilities that can be exploited by bad actors: certificates can be misplaced, or not renewed before their expiration date, because they are being kept on an onerous, manual system.
Using ACME provides many features that can reduce the pressure and weight of certificate management for IT teams in enterprises.
What are the Benefits of Implementing ACME?
- Greater security: Implementing ACME removes the risk that human error poses. With ACME, your certificates are stored in a centralized inventory and cannot be misplaced or overlooked, unlike when they are stored within a spreadsheet. This greatly reduces the risk of missed expired certificates, and the potential downtime and breaches that could follow.
- Speed and automation: Implementing ACME does not take long, and once it is set up, the issuance, renewal and revocation of certificates occur automatically in a matter of seconds, without any need for manual engagement at any point, leaving IT teams to focus on other security needs.
- Simplified approach to certificate management: ACME greatly simplifies what is usually an area of complex manual processes for IT teams, so that they barely have to handle CSRs at all. What’s more, the implementation process is also fairly simple.
- CA agility: ACME offers agility between Certificate Authorities (CAs), meaning that if you do require the use of more than one CA for your certificate needs, you are able to switch between them without being locked into one CA and limited certificate provision, offering you a broader security posture. In this instance, it is best to add one CA as a primary, trusted service, such as GlobalSign, to communicate with other CAs when needed.
Use Cases for ACME
- Domain Validation (DV) Certificates: At a basic level, ACME can create CSRs for DV certificates. This is the minimum verification required for proof of ownership over a domain or server and requires no vetting.
- Organization Validation (OV) Certificates: Organization Validated certificates are validated with a more exhaustive level of vetting than a basic DV certificate and provide more comprehensive authentication for enterprises and organizations. GlobalSign offers support for ACME OV Certificates.
- DevSecOps: Intensive security processes are essential at every stage of the DevOps pipeline, and as such, engineers are required to keep on top of all their certificates with no room for error. The speed at which ACME is able to manage certificates means that engineers do not have to spend time worrying about security risks and can focus on other tasks.
How to Implement the ACME Protocol
1. Select and install an agent
First the user must select an agent. There are many to choose from that support many different environments and operating systems, something to consider when you are choosing your agent. It is also important to consider the types of certificates you want to manage – many ACME agents support the issuance and renewal of Domain Validated (DV) and Organization Validated (OV) certificates without manual intervention.
The user will need to set up a certificate management account, such as Atlas, in order for the agent to be able to communicate with the CA, so it is important to select an agent that supports this.
It is essential to be aware of the types of certificates you are looking to manage and how high value they are to ensure you are meeting all of your security needs. Once chosen, the ACME agent is ready to be installed on the server where certificates are being deployed.
2. Select a Certificate Authority (CA)
During installation, the agent creates a list of supported CAs for the client to choose from. When selecting the CA, it is important to make sure that the CA supports the types of certificates required by the server or domain. This should also be the same CA that the user has already appointed for their certificate management account.
When selected, the agent will generate a key pair comprised of a public and private key and contact the CA. The private key will later be used by the agent to verify its authority to manage Certificate Signing Requests (CSRs).
The selected CA will then verify the agent’s authority over the client domain(s) by issuing challenges. The final of these challenges will be a nonce generated by the CA. A nonce is a randomly generated number that the CA sends to the agent; the agent then signs it with its private key, completing the verification process.
In addition, External Account Bindings (EAB) are required to link your ACME account with an external account, in this instance a CA’s server. EABs add an additional level of security when automating certificate management processes for machines and services, as they prevent any non-linked ACME clients from provisioning certificates from your selected CA. When your ACME server is set up to require EAB, only your selected ACME clients with valid EAB credentials can be linked to the ACME server (Atlas in this instance) and obtain certificates.
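The EAB check described above, as an added example that is not GlobalSign's or any ACME client's own code: it follows the externalAccountBinding format of RFC 8555, in which the client MACs its account public key with a key the CA issued out of band. The key ID, MAC key, account JWK and URL are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_eab(account_jwk, kid, mac_key_b64, url):
    """Client side: MAC the account public key with the CA-issued EAB key."""
    header = {"alg": "HS256", "kid": kid, "url": url}  # no nonce in an EAB JWS
    protected = b64url(json.dumps(header).encode())
    payload = b64url(json.dumps(account_jwk).encode())
    tag = hmac.new(b64url_decode(mac_key_b64),
                   f"{protected}.{payload}".encode(), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(tag)}

def verify_eab(eab, outer_jwk, issued_keys, url):
    """CA side: link the new ACME account only if the binding checks out."""
    header = json.loads(b64url_decode(eab["protected"]))
    mac_key_b64 = issued_keys.get(header.get("kid"))
    if mac_key_b64 is None or header.get("alg") != "HS256" or "nonce" in header:
        return False  # unknown key ID, non-MAC algorithm, or stray nonce
    if header.get("url") != url:
        return False  # binding was made for a different endpoint
    signing_input = f'{eab["protected"]}.{eab["payload"]}'.encode()
    expected = hmac.new(b64url_decode(mac_key_b64), signing_input,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False  # client does not hold the MAC key the CA issued
    # The MACed key must be the key that signs the outer newAccount request.
    return json.loads(b64url_decode(eab["payload"])) == outer_jwk

# Constructed sample values (not real credentials, keys or endpoints).
NEW_ACCOUNT_URL = "https://acme.example.test/new-account"
ISSUED_KEYS = {"kid-constructed-1": b64url(b"constructed-eab-mac-key-material")}
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}

if __name__ == "__main__":
    eab = make_eab(ACCOUNT_JWK, "kid-constructed-1",
                   ISSUED_KEYS["kid-constructed-1"], NEW_ACCOUNT_URL)
    print(verify_eab(eab, ACCOUNT_JWK, ISSUED_KEYS, NEW_ACCOUNT_URL))
```

A client without the issued MAC key, with an unknown key ID, or presenting a binding made for a different account key is rejected before any certificate order can be placed.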
4. Manage your Certificate Signing Requests
The ACME agent will now be able to send CSRs for the issuance, renewal and revocation of certificates in seconds, without human involvement. The server will generate the CSR with the agent, either for the issuance or renewal of a certificate on behalf of the validated domain using the key pair.
The CSR is then sent on to the CA, which will verify the key signatures and issue the certificate, returning it to the agent.
In the case of revocation, the request will be signed again with the key pair, as with issuance or renewal, and sent on to the CA, which will then validate it. The CA will publish the revocation information through a Certificate Revocation List (CRL) so that the revoked certificate can no longer be accepted by the browser.
Why IT Teams and Enterprises Should Implement ACME
Automation is increasingly becoming a necessity for enterprises with the contemporary problems that cybersecurity professionals are facing, including shrinking certificate lifespans and shrinking budgets for IT teams. There are a number of automation solutions out there, with various roles in cybersecurity and Certificate Lifecycle Management (CLM).
ACME is a protocol that was created to alleviate many of these pressures faced by cybersecurity professionals by automating and organizing certificate management processes. Implementing an agent to communicate with a CA via a certificate management platform removes much of the pressure placed on IT teams to constantly monitor the hundreds of certificates used in organization security.
As well as removing these pressures, ACME also comes at a minimal cost and saves significantly on resources and losses from security breaches. ACME is quick and scalable and demands less time and resource, while strengthening business security.