Automation of TLS certificate issuance and installation (ACME protocol)

Certificates for SSL/TLS-secured connections can be obtained automatically in a few seconds and installed on the server without any manual steps on your side. SSL Market now makes managing your SSL/TLS certificates even easier.

Automate certificate issuance and installation (ACME protocol)

What is the ACME protocol

The ACME protocol lets a server communicate with the CA directly, so certificate issuance and installation become fully automatic. An ACME client can obtain and install the certificate with no intervention from the administrator, which saves both time and money.

Certificate Acquisition Process

DigiCert's implementation of ACME uses External Account Binding (EAB, RFC 8555 section 7.3.4). The CA keeps the customer account on its side, and every new ACME account has to prove that it belongs to that customer by including a binding signed with a key the CA issued to the customer. The ACME account is therefore authenticated from its very first request, which is stronger than anonymous account creation; EAB is supported by Certbot and other common ACME clients.

You can create your own ACME credentials directly in your customer account, so you can start using the ACME protocol immediately; there is no need to contact us.

ACME credentials consist of three pieces of information, two of which are unique to you. The ACME Directory URL points to the DigiCert endpoint that accepts your requests. The other two are unique strings issued per customer: the key identifier (KID) and the HMAC key. Never share them with anyone. The KID tells DigiCert which credential set you are using, and therefore which certificate product you want issued and for which organization (the domain names themselves are supplied separately, in the order the ACME client places). The HMAC key is the secret used for authentication and authorization: the client uses it to sign the external account binding when it registers its ACME account, so anyone holding the key can register accounts under your credentials.

After generating your ACME credentials in your customer administration, you can start issuing certificates. The whole process takes only seconds: the certificate is issued and installed immediately, with no manual effort.
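The binding described above, as an added example in Python (not SSL Market's, DigiCert's or any ACME client's code): the client signs its own ACME account public key with the HMAC key in a JWS with the HS256 algorithm, the KID in the header and the newAccount URL as the audience, and the CA verifies it by looking the key up by KID. The directory URL, KID, HMAC key and account key coordinates below are placeholders constructed for the example; the CA-side verifier is a simplified model of what RFC 8555 section 7.3.4 requires.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JWS and ACME use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed placeholder credentials; real ones come from the SSL Market customer account.
NEW_ACCOUNT_URL = "https://acme.example.invalid/v2/acme/new-account"  # placeholder, not DigiCert's URL
KID = "cust-0001-kid"                                                 # placeholder key identifier
HMAC_KEY = b64url(bytes(range(32)))                                   # placeholder 256-bit key, base64url as issued

# Public part of the client's ACME account key as a JWK; coordinates are placeholders.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes([0x11] * 32)),
    "y": b64url(bytes([0x22] * 32)),
}


def build_eab(account_jwk: dict, kid: str, hmac_key_b64url: str, new_account_url: str) -> dict:
    """Client side: a JWS over the account public key, MACed with the CA-issued HMAC key."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    payload = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    # This object goes into the "externalAccountBinding" field of the newAccount request.
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_eab(eab: dict, account_jwk: dict, issued_keys: dict, new_account_url: str) -> bool:
    """CA side: look the HMAC key up by kid, recompute the MAC in constant time, and
    require that the signed payload is exactly the account key being registered."""
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        signature = b64url_decode(eab["signature"])
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
    except (KeyError, ValueError):
        return False
    if header.get("alg") != "HS256" or header.get("url") != new_account_url:
        return False  # wrong algorithm, or a binding replayed against another endpoint
    key = issued_keys.get(header.get("kid"))
    if key is None:
        return False  # unknown or revoked credential set
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(key), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False  # wrong HMAC key, or payload tampered with after signing
    return bound_jwk == account_jwk


if __name__ == "__main__":
    binding = build_eab(ACCOUNT_JWK, KID, HMAC_KEY, NEW_ACCOUNT_URL)
    print(json.dumps(binding, indent=2))
    print("valid:", verify_eab(binding, ACCOUNT_JWK, {KID: HMAC_KEY}, NEW_ACCOUNT_URL))
```

The verifier shows why the HMAC key must stay secret: the CA accepts any account key whose binding carries a valid MAC under a known KID, so a leaked key lets a third party register ACME accounts, and thus order certificates, under your credentials. The url check in the protected header is what stops a binding captured for one CA endpoint from being replayed at another.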

Tutorials for ACME clients

The ACME protocol is platform-independent, so you will find an ACME client in virtually every major programming or scripting language. For customers running commercial web servers, the most relevant clients are those for Linux (Apache, nginx) and Windows Server. We have tested them in detail and arrived at the following recommendations:

Linux web servers

For ACME on a Linux server we recommend the Certbot client, which can install certificates automatically on Apache, nginx and other common web servers; you only need to install the appropriate plugin. Certbot works reliably with both Apache and nginx, so we can recommend it for commercial deployments as well, and we know of no difficulties with this setup. See the tutorial How to obtain a TLS certificate using the ACME protocol on Linux for details.
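A practical detail the tutorial reference above does not show is how to hand the ACME credentials to Certbot without exposing the HMAC key. Certbot takes the directory URL, KID and HMAC key as the --server, --eab-kid and --eab-hmac-key options, but a key passed on the command line ends up in shell history and in the process list. The added example below (not SSL Market's or Certbot's own code) writes the credentials into a Certbot configuration file that only its owner can read and builds the command line that points Certbot at it. It assumes Certbot's documented rule that any long option can be put in a config file without the leading dashes; the directory URL, KID, HMAC key and domains are placeholders constructed for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Placeholder values; the real ones come from the ACME credentials in your customer account.
DIRECTORY_URL = "https://acme.example.invalid/v2/acme/directory"  # placeholder, not DigiCert's URL
KID = "cust-0001-kid"                                             # placeholder key identifier
HMAC_KEY = "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8"          # placeholder HMAC key
SUPPORTED_INSTALLERS = ("apache", "nginx")


def write_certbot_config(path, directory_url, kid, hmac_key, email):
    """Write the EAB credentials into a Certbot config file readable only by its owner.
    Keys are Certbot's long option names without the leading '--'."""
    lines = [
        f"server = {directory_url}",
        f"eab-kid = {kid}",
        f"eab-hmac-key = {hmac_key}",
        f"email = {email}",
        "agree-tos = true",
        "non-interactive = true",
    ]
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    # Create with mode 0600 so the file is never world-readable, not even briefly;
    # the chmod afterwards also tightens a pre-existing file with looser permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)
    return path


def config_is_private(path) -> bool:
    """True when group and others have no access bits on the credentials file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def certbot_argv(config_path, domains, installer="nginx"):
    """Build the Certbot command line. The credentials stay in the config file, so the
    HMAC key never appears in argv; the domains go to the order via -d options."""
    if installer not in SUPPORTED_INSTALLERS:
        raise ValueError(f"unsupported installer {installer!r}")
    if not domains:
        raise ValueError("at least one domain is required")
    argv = ["certbot", "--config", str(config_path), f"--{installer}"]
    for name in domains:
        argv += ["-d", name]
    return argv


def example_run(domains=("www.example.com", "example.com")):
    """Write the config into a fresh temporary directory and return (config_path, argv)."""
    config_path = Path(tempfile.mkdtemp()) / "certbot-eab.ini"
    write_certbot_config(config_path, DIRECTORY_URL, KID, HMAC_KEY, "admin@example.com")
    return config_path, certbot_argv(config_path, list(domains))


if __name__ == "__main__":
    cfg, argv = example_run()
    print("config:", cfg, "private:", config_is_private(cfg))
    print("run:", " ".join(argv))
```

The binding is only needed when Certbot registers its ACME account for the first time; the account is stored under Certbot's working directory and renewals reuse it, so the config file should be kept as readable only by root for as long as you may need to register a new account.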

Windows Server and IIS

Certbot is designed for Linux and has no installer plugin for IIS, so it is not the right choice on a Windows server. After looking for a client to recommend for ACME on Windows Server with IIS, we settled on win-acme; we have tested its functionality and can recommend it for Windows Server and IIS. See the article Take advantage of ACME automation on a Windows Server for more information and instructions.
