Manual ACME automation integration user guide

With ACME + CertCentral, use your preferred ACME client to automate your SSL/TLS certificate deployments and remove time spent completing manual certificate installations.

CertCentral ACME protocol support allows you to automate OV and EV SSL/TLS 1-year and custom validity certificate deployments. Our ACME protocol also supports the Signed HTTP Exchange certificate profile option, enabling you to automate your Signed HTTP Exchange certificate deployments (see ACME Directory URLs for Signed HTTP Exchange certificates).

For a list of current known issues, see Automation: Known issues. To report errors, contact our Support team.

Before you begin

Before you start, make sure these prerequisites are met:

  • Administrator or manager in your CertCentral account
    To access ACME in your CertCentral account, go to the ACME Directory URLs page (in the sidebar menu, click Automation > ACME Directory URLs).
  • Root access to your web server
    These instructions only cover Apache. However, DigiCert ACME works with any web server your ACME client can configure.
  • Working ACME Client installed on your web server—preferably CertBot
    DigiCert recommends using your preferred ACME Client. However, we've only included instructions for CertBot. An installation guide for CertBot is available from the EFF. See EFF's certbot.
  • Enabled automatic certificate request approvals for your CertCentral account. See Enable automatic certificate request approvals.
  • Pre-validated the domains and organizations you want to get certificates for—needed for instant certificate issuance.
    For ACME instant certificate issuance to work, you must pre-validate the domain and organization used in your ACME certificate requests. See Manage organizations and Manage domains.

In addition to CertBot, DigiCert also provides cert-manager support to help you create and manage SSL/TLS certificates. See Configure cert-manager and DigiCert ACME service with Kubernetes.

Create an ACME Directory URL

To begin, generate a unique ACME Directory URL in your CertCentral account. You'll need to include your ACME Directory URL and its External account binding (EAB) credentials (key identifier and HMAC key) in your CertBot certificate request command.

  1. In your CertCentral account, in the sidebar menu, click Automation > ACME Directory URLs.

  2. On the ACME Directory URLs page, click Add ACME Directory URL.

  3. In the Add ACME Directory URL popup window, enter a friendly Name for the URL.

  4. In the Product dropdown, select the certificate you want to issue using ACME.

Currently, DigiCert ACME only supports OV and EV TLS/SSL certificates.

  5. In the Division dropdown, associate a division to the ACME Directory URL.

All the certificates issued from this URL will be attached to the selected division.

  6. In the Organization dropdown, select the prevalidated Organization you want to issue the certificate for.

  7. (Optional) Select your Multi-year coverage length from the dropdown if you have a Multi-year plan account.

  8. Under Validity period, select Custom length. In the Days box, enter a number.

  9. Click Add ACME Directory URL.

  10. In the New ACME Directory URL popup window, copy your unique ACME URL along with the External account binding (EAB) information, and save it.

    You'll need to use this information to request your certificate using ACME.

When you generate an ACME Directory URL, the URL, KID and HMAC key are displayed only once. There is no way to retrieve the lost information. If you ever lose ACME URL details, you'll need to revoke the lost URL and generate a new one.

Treat the HMAC key as a secret: anyone who has the URL, KID and HMAC key can register an ACME account bound to your CertCentral account and, with automatic approvals enabled, obtain certificates for your prevalidated domains. Store it with the same care as an API key, and revoke the URL if it is exposed.

  11. Click I understand I will not see this again.

Your new ACME Directory URL is added to the list of URLs on the ACME Directory URLs page (in the sidebar menu, click Automation > ACME Directory URLs). For details about the certificate you order via the ACME Directory URL, click the information icon next to the URL Description.

ACME: Issue and install a certificate

If you installed the certbot-auto script, replace certbot with ./certbot-auto in the command. You might need to specify the path of certbot-auto if it's not added to your server's PATH configuration. Note that the EFF no longer maintains certbot-auto; a packaged or snap installation of certbot is preferable for new deployments.

ACME error codes:
ACME returns the same errors and error messages as those returned in the CertCentral API. For a list of error codes and what they mean, see Errors.

  1. Use your preferred SSH client to connect to your web server.

  2. At the terminal prompt, request a certificate using CertBot and the command below:

    • Make sure to replace YOUR-KEY-IDENTIFIER with the External account binding KID.
    • Make sure to replace YOUR-HMAC-KEY with the External account binding HMAC key.
    • Make sure to replace YOUR-ACME-URL with the ACME Directory URL created previously (see Create an ACME Directory URL).
    • Make sure to replace FQDN with the fully qualified domain name you want the certificate to secure. For each additional FQDN, add another -d option.

sudo certbot --apache --register-unsafely-without-email --eab-kid=YOUR-KEY-IDENTIFIER --eab-hmac-key=YOUR-HMAC-KEY --server "YOUR-ACME-URL" -d FQDN

Here is an example of a complete command as a reference with External account binding.

sudo certbot --apache --register-unsafely-without-email --eab-kid=zcwmKf9sCnDUZsbCOgnv1ijy46l6UeEYCavSQQirl-g --eab-hmac-key=RHZraHBXQUxWTEFGdFhndjRVNmV3S3F6c2VNZDM1QzRURGhjdHF3S1NublJjN3dhVUFObzA0SXJwVHBnU2xnRA --server "" -d -d
  3. Enter your CertBot command, customized as needed.

    For additional information about the commands and options used in these instructions, see ACME options.

  4. You will be asked to accept the Terms of Service. Type "A" and press Enter.

    Currently, DigiCert doesn't have any additional Terms of Service for ACME.

If your request includes an FQDN that Certbot can't find a matching virtual host for, you'll be prompted to select the virtual host you want to install the certificate on.
On Apache, check that the ServerName (or ServerAlias) in the VirtualHost configuration matches the FQDN.

  5. Select whether to redirect HTTP traffic to HTTPS.

    Choosing to redirect makes Certbot add a rewrite rule to the virtual host so that plain HTTP requests are sent to the HTTPS site; the site is then no longer served over HTTP.

  6. When finished, your server displays a success message: "Congratulations! You have successfully enabled your domains…"

Congratulations! Your ACME certificate request is complete and the newly issued certificate is installed on your webserver. You can visit your website to confirm the installation was successful.
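The procedure above (and the ACME options it uses), as an added example that is not DigiCert's or Certbot's own code: a POSIX shell script that keeps the EAB HMAC key out of shell history and `ps` output by writing the ACME Directory URL and EAB credentials to a root-only Certbot configuration file (Certbot's INI syntax, passed with --config), runs a pre-flight check on the directory document the ACME URL returns (RFC 8555 says a CA that requires External Account Binding advertises meta.externalAccountRequired), validates each FQDN before it reaches the command line, and then runs the same certbot request as the guide. The config path, the ACME URL, KID and HMAC key, and the sample directory JSON are placeholders and constructed values, not values from this page.

```shell
#!/bin/sh
# Added example, not DigiCert's or Certbot's code. Runs the guide's Certbot
# request with the EAB credentials read from a root-only config file instead
# of the command line, so the HMAC key does not land in shell history or in
# `ps` output. All URLs, keys and the sample directory below are placeholders.
set -eu

# Reject anything that is not a plain hostname; the value later goes on a
# command line, so refuse whitespace and shell metacharacters outright.
validate_fqdn() {
    case ${1:-} in
        "" | *[!A-Za-z0-9.-]* | .* | *. ) return 1 ;;
        *) return 0 ;;
    esac
}

# Write a Certbot config file (INI syntax: the long option names without the
# leading "--"). Created under umask 077 so only root can read the HMAC key.
# usage: write_certbot_config FILE ACME_URL EAB_KID EAB_HMAC_KEY
write_certbot_config() {
    file=$1
    acme_url=$2
    eab_kid=$3
    eab_hmac=$4
    case $acme_url in
        https://*) ;;
        *) echo "refusing non-HTTPS ACME directory URL: $acme_url" >&2; return 1 ;;
    esac
    if [ -z "$eab_kid" ] || [ -z "$eab_hmac" ]; then
        echo "EAB KID and HMAC key are required" >&2
        return 1
    fi
    (
        umask 077
        cat > "$file" <<EOF
# Certbot options for DigiCert CertCentral ACME. Contains a secret: keep mode 0600.
server = $acme_url
eab-kid = $eab_kid
eab-hmac-key = $eab_hmac
register-unsafely-without-email = true
EOF
    )
}

# Pre-flight check on the directory document served at the ACME URL
# (pipe in the output of: curl -sS "$ACME_URL"). Per RFC 8555 section 7.1.1,
# a CA that requires External Account Binding sets meta.externalAccountRequired.
check_directory_json() {
    body=$(tr -d ' \n\r\t')
    case $body in
        *'"newAccount"'*) ;;
        *) echo "not an ACME directory: no newAccount endpoint" >&2; return 1 ;;
    esac
    case $body in
        *'"externalAccountRequired":true'*) return 0 ;;
        *) echo "directory does not require EAB; is this a CertCentral ACME URL?" >&2; return 1 ;;
    esac
}

# Run the guide's request: every FQDN gets its own -d option. Only validated
# hostnames reach the command line, so the unquoted $dargs expansion is safe.
# usage: request_certificate CONFIG_FILE FQDN [FQDN...]
request_certificate() {
    cfg=$1
    shift
    dargs=""
    for fqdn in "$@"; do
        validate_fqdn "$fqdn" || { echo "invalid FQDN: $fqdn" >&2; return 1; }
        dargs="$dargs -d $fqdn"
    done
    # shellcheck disable=SC2086
    sudo certbot --config "$cfg" --apache $dargs
}

# Constructed sample of a directory document that requires EAB, used here
# only to exercise the pre-flight check offline.
SAMPLE_DIRECTORY='{"newNonce":"https://acme.example/nonce","newAccount":"https://acme.example/acct","newOrder":"https://acme.example/order","meta":{"externalAccountRequired": true}}'
printf '%s' "$SAMPLE_DIRECTORY" | check_directory_json

# Real run (as root), with the values CertCentral showed you once:
#   write_certbot_config /etc/letsencrypt/digicert.ini "$ACME_URL" "$EAB_KID" "$EAB_HMAC"
#   curl -sS "$ACME_URL" | check_directory_json
#   request_certificate /etc/letsencrypt/digicert.ini www.example.com example.com
```

The config file carries the same options as the guide's command line (server, eab-kid, eab-hmac-key, register-unsafely-without-email), so the interactive prompts and the resulting installation are unchanged; only where the secret lives differs. The EAB credentials are only consumed when the ACME account is first registered, so the file can stay in place for later requests against the same ACME Directory URL.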

ACME: Renew and reissue a certificate

Renew a certificate when it has expired or is due for renewal. Reissue a certificate when it is missing or has been revoked.

To renew or reissue, use the same CertBot command as for a new request, with the orderId of the existing certificate and the action (renew or reissue) appended to the ACME Directory URL:

sudo certbot --apache --register-unsafely-without-email --eab-kid=YOUR-KEY-IDENTIFIER --eab-hmac-key=YOUR-HMAC-KEY --server "YOUR-ACME-URL" -d FQDN

Replace YOUR-KEY-IDENTIFIER, YOUR-HMAC-KEY, YOUR-ACME-URL and FQDN as described in ACME: Issue and install a certificate, and include the orderId and action in the URL as shown in the examples below:

Here is an example of a complete command as a reference for renew.

sudo certbot --apache --register-unsafely-without-email --eab-kid=zcwmKf9sCnDUZsbCOgnv1ijy46l6UeEYCavSQQirl-g --eab-hmac-key=RHZraHBXQUxWTEFGdFhndjRVNmV3S3F6c2VNZDM1QzRURGhjdHF3S1NublJjN3dhVUFObzA0SXJwVHBnU2xnRA --server "" -d -d

Here is an example of a complete command as a reference for reissue.

sudo certbot --apache --register-unsafely-without-email --eab-kid=zcwmKf9sCnDUZsbCOgnv1ijy46l6UeEYCavSQQirl-g --eab-hmac-key=RHZraHBXQUxWTEFGdFhndjRVNmV3S3F6c2VNZDM1QzRURGhjdHF3S1NublJjN3dhVUFObzA0SXJwVHBnU2xnRA --server "" -d -d

For Multi-year plan accounts:

  • Renew a certificate when the order coverage is expiring.
  • Reissue a certificate if it has been revoked or is expiring within the order coverage.

ACME options

  • certbot: runs the CertBot executable.
  • certbot-auto: Use this in place of certbot when the certbot-auto script is installed. You might need to specify the path of certbot-auto if it's not added to your server's PATH configuration.
  • --apache: Specifies the Apache CertBot plugin, which obtains the certificate and installs it into your Apache configuration for you. Optional; without it, CertBot prompts for an authenticator and installer.
  • --register-unsafely-without-email: Registers the ACME account without a contact email address. Because the account is bound to your CertCentral account through External account binding, DigiCert does not need an email address for the request. Optional.
  • --server "URL": Specifies what ACME server should fulfill your request. Place your ACME Directory URL in double quotation marks after this option.
  • --eab-kid=YOURKID: Specifies the External account binding key identifier (KID) that CertCentral displayed when you created the ACME Directory URL. It tells DigiCert which CertCentral account the new ACME account belongs to.
  • --eab-hmac-key=YOURHMACKEY: Specifies the External account binding HMAC key. CertBot uses it to sign the account registration so that DigiCert can verify the binding; keep it secret.
  • -d YOURDOMAIN: The fully qualified domain name included in the certificate. For each FQDN in the certificate, include a -d YOURDOMAIN. If you don't include this option, CertBot will prompt you about the domains you want to include based on your configured virtual hosts. Optional.
  • orderId "YOURORDERID": Specifies the order ID of the existing certificate you want to renew or reissue (appended to the ACME Directory URL).
  • action "YOURACTION": Specifies the action to perform on that order, renew or reissue (appended to the ACME Directory URL).

A full list of CertBot commands is available through the terminal with certbot --help. Commands are also documented on the CertBot documentation website.

What's next

Your ACME certificate request is complete. The newly issued certificate is installed on your webserver. Visit your website to confirm installation was successful.

You can reuse your ACME Directory URL to make additional certificate requests for the same certificate product and prevalidated organization.

To request certificates for a different product or organization, create a new unique ACME Directory URL for that product or organization. See Create an ACME Directory URL.
