person working in server room

The ACME Protocol: What It Is and How It Streamlines Web Server Certificate Management

Web servers use cryptographic protocol Transport Layer Protocol (TLS) to prove their legitimacy, protect sensitive data and increase trust through the use of digital certificates. Unfortunately, issuing, managing and renewing those certificates can get complicated as the number of web servers continues to grow. The number of certificates that organizations manage reached an average of 58,639 in 2021, according to the Ponemon Institute. What’s more, the lifespan of TLS/SSL certificates has been decreasing for the last few years. Now, the maximum validity of the publicly trusted TLS/SSL certificate is now only 398 days.

That’s where the Automated Certificate Management Environment, or ACME, comes in. ACME is a protocol that helps automate the lifecycle management of digital certificates — and was specially designed to handle web server certificates.

In this blog, we’ll review the basics of ACME, how the protocol automates the certificate management procedure for web servers, and how HID’s PKI-as-a-Service helps companies streamline the process.

ACME Protocol Basics

What is ACME?

ACME, or Automated Certificate Management Environment, is a protocol that supports the automation of otherwise time-consuming certificate lifecycle management tasks. ACME can be used to request new certificates and renew or revoke existing ones. The protocol can support any type of TLS/SSL certificate, such as DV (domain validation), OV (organization validation) or EV (extended validation) certificates.

When was ACME Developed?

ACME was developed in 2016 by the Internet Security Research Group for its own certificate authority service, Let’s Encrypt. Given the benefits of automation in a complex, ever-changing world of web certificates and PKI needs, ACME was quickly adopted by other CAs, PKI services, and web servers. In 2019, the IETF updated and standardized the protocol, and it has become increasingly popular amongst enterprises worldwide.

How Does ACME Automate Certificate Management?

There are several ACME client implementations available that power the automation of certificate lifecycle management. The certbot is among the most popular, but other clients can also be used or integrated with the protocol. ACME clients are installed on the server where certificates must be deployed; once they been configured and authenticated, they can send certificate management requests and sign them with the authorized key pair.

Automated with ACMEv2 Secure a server with a TLS certificate Connect to certificate host server Install ACMEv2 Client for application Run configuration utility or update config files Configure renewal timing via systemd or cron Invoke ACMEv2 Client to generate, request and install certificate Test application endpoint Cert will automatically renew 30 days before expiry

Beyond the Basics: How ACME Streamlines Certificate Management

One of the reasons ACME has become so popular is that it was designed to be as flexible as possible. In this section, we’ll review some of the options that organizations have when implementing ACME, from models and languages to clients and configuration. Then, we’ll explain how the HID PKI-as-a-Service approaches these choices — and why it helps companies make the most of ACME's power.

Languages and Environments

The ACME protocol is a versatile tool that can be implemented using many of the same languages and environments that your business uses in its enterprise platforms.

The options for ACME clients — the plugins that communicate between servers and certificate authorities — are also vast. As mentioned earlier, certbot is the most popular ACME client because it is easy to use, works on multiple operating systems and has great documentation. Designed and built by Let’s Encrypt, certbot can be installed on any server where you’d like to implement ACME. Once installed, it automatically flags certificates that are about to expire, then requests new ones and replaces them on the server.

HID PKI-as-a-Service (PKIaaS) helps organizations take full advantage of this flexibility, supporting all available open-source ACME clients and facilitating a direct connection with already-deployed web servers. There are multiple benefits to this approach — from the time and resources it saves to the service interruptions and IT interventions it reduces. The open-source library also provides expansive options, eliminating the limitation a single-vendor certificate authority.

Setup and Configuration

After you’ve chosen an ACME client that fits your organization’s needs, the setup process is simple. You’ll install the client, enter your domain and specify your organization’s certificate policy (including certificate type, validity period and other attributes). Once your domain is preapproved, your certificates can be issued through the ACME client, replacing the manual labor of having an employee issue and manage each certificate.

Challenge and Authorization

After you’ve installed ACME, the protocol must complete a challenge. This process confirms that the organization requesting a certificate actually owns the domain — and is authorized to request and revoke certificates on its behalf. Once the challenge has been completed, your ACME client is ready to be configured to automate your certificate management.

HID PKI-as-a-Service enables organizations to pre-verify their domains and bypass the initial steps of challenge and authorization. This enables organizations to use ACME with publicly trusted TLS/SSL certificates as well as private PKI certificate authorities, without opening any incoming firewall connections.

Making the Most of ACME

HID’s technology agnostic approach to the ACME protocol provides extensive choices and options, enabling organizations to tailor automated certificate lifecycle management to their needs in a highly secure environment. Additional benefits include:

  • Scalability. Start small and scale as you grow. Certificate automation is infinitely scalable, allowing organizations to easily expand their use cases in the future.
  • Speed. PKIaaS is operational in days, not weeks or months, bringing a near-immediate return on investment.
  • Control. Keep control of your private root keys while outsourcing the operational complexity.
  • Predictable Pricing. HID leverages subscription-based pricing — with no hidden fees — to make budgeting simple and predictable.
  • Simplicity. Free your IT department from time-consuming manual certificate lifecycle management so they can focus on other mission-critical systems and software.

Automating PKI simplifies certificate management while enhancing both security and agility. Read our eBook, PKI Automation Strategies, Finding the Perfect Fit for Your Organization to learn more.

Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).