GlobalSign Blog

ACME: Introducing GlobalSign’s Automated Certificate Management Environment

ACME: Introducing GlobalSign’s Automated Certificate Management Environment

A lightweight, convenient way to manage the SSL/TLS lifecycle

The ACME protocol, or the Automated Certificate Management Environment, is a protocol for automating the enrollment for SSL/TLS certificates and their issuance and installation.

Originally created by the Internet Security Research Group (ISRG) and standardized as RFC 8555. It was popularized by Let’s Encrypt – the free, open-source Certificate Authority (CA). With the release of ACME v2, the protocol’s functionality has increased and now GlobalSign is beginning to leverage it for its ease of use and convenience.

After a period of beta testing, we’re happy to release the first iteration of our ACME Service, which will provision Domain Validated (DV) SSL/TLS certificates for our customers. This represents a great first step towards automating SSL/TLS lifecycles and breaking into larger automation strategies for managing your entire Public Key Infrastructure (PKI).

issue-install-replace;-ssl-tls-certificate-management

Why ACME?

Have you ever installed an SSL/TLS certificate before? Without automation, it’s a tedious process. You have to create a Certificate Signing Request (CSR), which means generating one server-side and then copy/pasting it into a field for your CA. After that you have to perform manual domain validation, generally by updating your website or DNS record with a value provided by the Certificate Authority (CA). Then you have to wait for the certificate to be issued, get the certificate on to the server it’s being installed on, install it and make sure everything is configured properly. For a single website this can take upward of 40 minutes. At scale, it can consume considerable time and resources.

ACME changes that. Using ACME protocol enables you to provision SSL/TLS certificates for any server with an ACME agent installed on it, including non-Microsoft machines. After installing and configuring the ACME agent, GlobalSign’s ACME Service will do the rest – everything from the CSR generation to the domain validation to installing the certificate for you. All silently, behind the scenes.

OK, but why GlobalSign’s ACME Service?

Let’s Encrypt is great. They’re the ACME originators and provide an invaluable service to the rest of the internet. But enterprises and service providers have diverse needs. They’re looking to provision certificates en masse, so free 90-day certificates are less useful than having support, service level agreements (SLAs) and the ability to issue longer validity certificates.

And that’s what differentiates GlobalSign, whereas using a free service requires you to sift through forums for what is essentially crowd-sourced support and to operate without SLAs – with us you don’t have to worry about that. Plus, it’s powered by Atlas, our next-generation High Volume cloud CA, delivering incredible throughput and 24/7 availability.

With GlobalSign you’re getting a globally trusted certificate authority and EU trust services provider with over 25 years of experience in this industry. We don’t change hands between venture capital firms, we aren’t obsessed with our valuation (and our pricing reflects that), and we don’t have a hand in several other lines of business. PKI is what we do, it’s all we know – we’re terrible to talk to at parties. But great to talk to if you need help getting started with our ACME Service or if you ever need support along the way.

How does ACME work?

ACME is a very lightweight framework for automating the SSL/TLS lifecycle. ACME itself is a protocol, organizations select a client based on their own needs. Each network environment is different – organizations use different servers and different requirements. The beauty of ACME is you can find the right client regardless of server type.

Some of the most popular ACME clients are:

  • Certbot
  • ACMESharp
  • acme-client
  • GetSSL
  • Posh-ACME
  • Caddy
  • Sewer
  • nginx ACME

There’s also one called Peter SSLers, an homage to the actor famous for his roles in Dr. Strangelove and the Pink Panther, who like GlobalSign also hails from Portsmouth – though in his case in England, not New Hampshire.

Clients are generally open-source and free. GlobalSign’s ACME Service supports any client that uses the IETF ACME standard. Once a client has been selected, agents are installed and configured on every end point you’ll be securing.

What’s the difference between an ACME client and an agent?

Great question, the client refers to the framework that ensures that specific type of server can communicate with GlobalSign – the agent is the part of that system that acts on behalf of that server by doing things like providing a CSR and passing a domain validation test.

Now let’s finally get into how ACME works.

Creating an ACME Account

Once the agents are all installed, they interact with GlobalSign and authenticate themselves (prove they are authorized to act on behalf of the server) using the ACME feature called External Account Binding (EAB) to bind the agent public key to their Atlas account. This is done using a cryptographically secure Message Authentication Code or MAC key that’s generated by GlobalSign to sign the account key pair. From then on, all messages are signed with that key pair which enables secure issuance and revocation. All of this is done via GlobalSign’s Atlas portal.

Once everything is set up the magic begins. Not really, that’s hyperbolic – it’s far less grandiose than that.

Requesting an SSL/TLS certificate

Once the agents are installed on their respective web servers and they are bound to your Atlas account, they can begin requesting SSL/TLS certificates. I know you’re just going to look at the diagram, but for the sake of thoroughness (and SEO) I’ll include the description, too. And do keep in mind that we've condensed some steps and simplified this a bit:

  1. The agent sends an order request and digitally signs it with its account key pair
  2. GlobalSign’s next-generation Atlas CA sends a domain validation challenge to verify the agent is authorized to act on behalf of the server. Domain validation information can be re-used for 397 days
  3. The agent sends a response indicating it has responded to the authorization challenge, once again signing it with its account key pair. Atlas then verifies this
  4. Following verification, the agent generates a CSR on behalf of its web server and sends it to Atlas after signing it with its account key pair
  5. Atlas verifies the digital signature and GlobalSign issues the SSL/TLS certificates
  6. The agent receives the certificate and installs/configures it on the server

acme-agent-installed-configured-certs-installed-renewed.PNG

The nice part is you don’t have to do anything, it all happens silently, behind the scenes – where you don’t have to think about it.

A couple notes, first, renewals occur in the same way and as mentioned above domain validation information can be re-used for 397 days, so any certificates issued after the first domain validation can skip subsequent validation challenges for the next 397 days. Considering best practice is to rotate them more frequently than once per year in the name of improved security posture and greater crypto-agility, ACME provides a very convenient way to accomplish that.

Additionally, GlobalSign supports both DNS and HTTP-based domain validation challenges. A DNS challenge involves updating a specific part of a website’s DNS record with a value provided by GlobalSign. Likewise, HTTP-based validation involves placing that value in a .txt file somewhere on your website.

Revoking a Certificate

Next up is revocation, especially when your rotation involves swapping certificates more frequently than once per year, you’re inevitably going to revoke some certificates. This is also the case for compromised certificates and a slew of other certificate-related issues. ACME makes it easy. Here’s how:

  1. The agent generates a revocation request on behalf of the server and digitally signs it with either the Account key or the private key of the TLS certificate you want revoked
  2. Atlas verifies the digital signature
  3. GlobalSign revokes the certificate
  4. GlobalSign publishes the revoked certificate to the required Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSPs)

How can you use ACME?

GlobalSign’s ACME Service represents an incredible first step towards automation for any organization. Eliminating the stress and hassle of managing SSL/TLS certificates reduces a significant burden for your IT team and prevents a lot of the potential pitfalls that come with public certificate management. Human error can lead to certificates expiring before they can be replaced and that can cause myriad problems.

  • Outages/Downtime – If you can’t reach a certain website or server, nobody can use it. That could be an eCommerce website storefront, a network portal for remote employees, or a videogame server. Regardless, you’re losing productivity and revenue – or put more concisely: money
  • Brand Damage – You get upset with your phone carrier over a single dropped call or bad network strength. People are no different with websites and online services. You may not think being unavailable for a few hours is trivial, but your customers/clients will have a much different opinion. Your employees might not mind so much – though they’d never admit that
  • Compliance/Regulatory Issues – Depending on your location or industry, there are certain requirements around TLS/HTTPS and general cybersecurity. Having unplanned expirations can cause compliance issues. Even if they don’t amount to penalties, they can get you on regulatory radars, which isn’t exactly ideal

Plus, once you grasp the convenience of automating SSL/TLS lifecycles, you’ll wonder what other parts of your organization’s PKI you can automate next. It makes a world of difference – especially at scale.

Do you want to talk to GlobalSign about ACME?

That’s great, and we have salespeople standing by waiting for your email or call. Literally, they’re standing. We don’t buy them chairs – it’s how we keep our prices down and our people on their feet (literally). That’s not true. But they really are standing by ready to talk about our automation and how our ACME Service can deliver a treasure trove of benefits to your organization. Simply REQUEST A DEMO and we’ll have someone reach out to you.

Or you could always pick up the phone and call. Or is that weird nowadays? Either way, we’re ready to talk ACME and automation whenever you are!

Share this Post

Recent Blogs