server room

All You Need to Know About Automated Certificate Management Environment (ACME)

What Is ACME?

The Automated Certificate Management Environment (ACME) protocol is a communication protocol for automating certificate issuance and renewal between certificate authorities and web servers. It was designed by the Internet Security Research Group (ISRG) for their Let’s Encrypt service, which is a non-profit certificate authority with the goal of securing all websites using HTTPS.

The ACME protocol has evolved to version 2 (ACMEv2), which was released on March 13, 2018. ACMEv2 is not backward compatible with ACMEv1. The ACMEv1 API is scheduled to be turned off completely on June 1, 2021.

How Does It Work?

The ACME protocol is designed to make it possible to setup an HTTPS server and have it automatically obtain a certificate without any human intervention. This is achieved by running a certificate management agent on the web server. To understand the ACME protocol, let’s review what steps the certificate authority (CA) follows to issue a domain validated (DV) TLS/SSL certificate for website security:

  1. Web Administrator provides CSR and domain information to the CA and requests the certificate.
  2. The CA typically asks the web administrator to prove that they have control over that domain name. For example, the web administrator can DNS TXT record of that domain and verify the control. It’s typically an automated process.
  3. Once the domain control has been verified, the CA will issue a certificate that can be downloaded from the CA portal.
  4. The downloaded certificate is placed on the web server.

ACME protocols mimic the manual process and automate it to a degree where there is no user intervention. There are two steps to this process. First, the agent proves to the CA that the web server controls a domain. Then, the agent can request, renew and revoke certificates for that domain. Here is the process flow that explains how it works in detail.

Image
Connect to certificate host serverInstall ACMEv2 Client for applicationTest application endpointRun configuration utility or update config filesConfigure renewal timing via systemd or cronAutomated with ACMEv2Invoke ACMEv2 Client to generate, request and install certificateSecure a server with a TLS certificateCertificate will automatically renew 30 days before expiration

 

With ACME clients, certificates can be replaced with a simple command and most applications can be automatically configured to use the certificate without human intervention. This leads to significant time savings and fewer service interruptions due to expired certificates. There are many different ACME client implementations available to use depending on your web server implementation. Check out our technical guide on Certificate Automation Rollout for Enterprise to get details on various ACME clients.

How Can HID PKI-as-a-Service Help You Automate Certificate Management With ACME?

HID Global’s PKIaaS leverages a connector model of certificate automation. With this method, certificate utilities that already exist in the market are added to a platform (such as ACME clients) or are embedded in popular enterprise platforms (like Microsoft Intune). Unlike agent or agentless models, the connector model does not rely on the introduction of a “command and control” platform solely for the management of certificates.

Talk to our PKI expert and see how we can help you on your certificate automation journey.

Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).

RECENT POSTS