Third-party ACME client automation user guide

With CertCentral, you can use your preferred third-party ACME client to automate certificate deployments and reduce your TLS administration overhead.

CertCentral's ACME support allows you to automate both public and private OV and EV certificates for short validity or multi-year deployments. We also support the Signed HTTP Exchange certificate profile option, enabling you to automate your Signed HTTP Exchange certificate deployments (see ACME Directory URLs for Signed HTTP Exchange certificates).

Comparison with CertCentral managed automation

CertCentral managed automation is DigiCert's turnkey automation solution. It allows you to manage all your automations from the CertCentral web console and includes features to ensure that ACME and other software components are always kept updated.

When you use a third-party ACME client, you are working outside of the managed automation solution. You obtain basic credentials from CertCentral to procure certificates, but you must install and maintain your own ACME software and initiate automation actions locally on each of your systems.

To use the CertCentral managed automation solution, you must have it enabled for your account. If managed automation is not enabled, you will only see ACME Directory URLs and API Keys listed under the CertCentral Automation menu.

For third-party ACME clients, you will use the ACME Directory URLs function to configure automation options and obtain the credentials needed to procure DigiCert certificates.

Before you begin

Before you start, make sure these prerequisites are met:

  • Enable automatic certificate request approvals for your CertCentral account.
    See Enable automatic certificate request approvals. With automatic approval on, any request that presents valid ACME Directory URL credentials is issued without a reviewer, so treat those credentials as secrets.
  • Prevalidate the domains and organizations you want certificates for.
    ACME instant certificate issuance only works for a domain and organization that were validated before the request is made. See Manage organizations and Manage domains.

Workflow

The following is the general workflow needed to automate DigiCert certificates with a third-party ACME client:

  1. Install the third-party ACME client software
    Download the ACME software from the third-party provider and install it on any systems that will act as automation clients.
  2. Configure the third-party ACME clients
    Follow the third-party provider's guidelines to configure the installed ACME software on each system.
  3. Create one or more ACME Directory URLs
    Define the allowed third-party ACME automations from the CertCentral ACME Directory URLs menu.
  4. Initiate automation events
    Finally, follow the third-party provider's guidelines and use the credentials obtained from the ACME Directory URLs menu to initiate certificate automation events on the ACME clients.

Install the third-party ACME client software

You can use any third-party automation client that supports the industry standard ACME protocol to procure certificates from CertCentral. For example, see EFF's Certbot.

Follow the software provider's guidelines to download and install the third-party ACME client. For example, the EFF provides an installation guide for their Certbot software.

You must install the ACME client software separately on each system that will run certificate automations.

Configure the third-party ACME clients

Configure the third-party ACME client software separately on each system that will run automations.

Follow the software provider's guidelines to determine the required configuration parameters. Make sure each ACME client can:

  • Connect outbound over HTTPS (port 443).
  • Connect outbound to the public IP address 216.168.244.42 (acme.digicert.com). If you allowlist by IP, confirm that acme.digicert.com still resolves to this address whenever the rule is reviewed.
  • Resolve the fully qualified domain name (FQDN) of the local server, either via DNS or a local "hosts" file.
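The three connectivity checks above can be run from the client host before you install anything. The following preflight script is an added example, not part of the CertCentral documentation or of any ACME client; it uses only the Python standard library, and the host name, address and port are the values listed above. The local FQDN defaults to what the OS reports and can be overridden.

```python
from __future__ import annotations

import socket

# Values from the CertCentral prerequisites list.
ACME_HOST = "acme.digicert.com"
ACME_IP = "216.168.244.42"
ACME_PORT = 443


def resolve_host(name: str) -> list[str]:
    """Addresses the name resolves to via DNS or the hosts file; [] if it does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if an outbound TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or sockets blocked by policy
        return False


def preflight(local_fqdn: str | None = None) -> dict[str, bool]:
    """Run the checks an ACME client needs before it can talk to CertCentral.

    A separate resolve step is reported so that a firewall rule pinned to the
    documented IP can be told apart from a plain DNS failure.
    """
    fqdn = local_fqdn or socket.getfqdn()
    acme_addrs = resolve_host(ACME_HOST)
    target = ACME_HOST if acme_addrs else ACME_IP  # fall back to the raw IP if DNS is broken
    return {
        "acme_host_resolves": bool(acme_addrs),
        "acme_resolves_to_documented_ip": ACME_IP in acme_addrs,
        "acme_443_reachable": tcp_reachable(target, ACME_PORT),
        "local_fqdn_resolves": bool(resolve_host(fqdn)),
    }


if __name__ == "__main__":
    for check, ok in preflight().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

A FAIL on acme_resolves_to_documented_ip with a PASS on acme_443_reachable means the name currently resolves elsewhere; an IP-only firewall rule would then block the client even though the host is healthy.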

Create one or more ACME Directory URLs

Use the CertCentral ACME Directory URLs function to configure automation options and obtain the credentials needed for your preferred ACME client to communicate with the DigiCert cloud:

  1. In your CertCentral account, in the left main menu, select Automation > ACME Directory URLs.

  2. From the ACME Directory URLs view, select Add ACME Directory URL.

  3. In the Add ACME Directory URL popup window, enter an easily identifiable Name for the URL.

  4. In the Product dropdown, select the certificate type you want to issue.

  5. In the Division dropdown, select a division to associate with certificates issued from this ACME Directory URL.

  6. In the Organization dropdown, select the prevalidated organization for the issued certificates.

  7. Select the Validity period for certificates issued from this ACME Directory URL:

    • For multi-year accounts only, first select your Multi-year coverage length from the dropdown.
    • Select the desired certificate Validity period option.
    • For a Custom length validity period, enter the desired number of Days.

  8. (Optional) To enable the Signed HTTP Exchange certificate profile option, expand Additional certificate options and select Include the CanSignHttpExchanges extension in the certificate. For more details about this option, see ACME Directory URLs for Signed HTTP Exchange certificates.

  9. Select Add ACME Directory URL.

  10. In the New ACME Directory URL popup window, copy your unique ACME URL along with the external account binding information, and save it.

    This information is required for the third-party ACME client to procure certificates from CertCentral. It only gets displayed once.

    After copying and saving it somewhere safe, select I understand I will not see this again to dismiss it.

When you generate an ACME Directory URL, the URL, KID, and HMAC key are displayed only once. There is no way to retrieve this information once you have navigated away from it. If you ever lose your ACME URL details, you must revoke the lost URL and generate a new one; do the same if the details are exposed, since anyone holding them can request certificates under the automatic approval set up earlier.

Your new ACME Directory URL is added to the list of URLs on the ACME Directory URLs page.

For details about certificates procured via the ACME Directory URL, select the information icon next to the URL Description.
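The KID and HMAC key are the external account binding (EAB) credentials defined in RFC 8555 section 7.3.4: when the client creates its ACME account, it proves possession of them by wrapping the public JWK of its locally generated account key in a JWS that is MACed with the HMAC key under the header `{"alg":"HS256","kid":<KID>,"url":<newAccount URL>}`. The block below is an added example of that construction and of the check the CA performs on it; it is not code from CertCentral or from any ACME client. It assumes the HMAC key is handed out base64url-encoded (the form certbot's `--eab-hmac-key` accepts), and the KID, key, newAccount URL and EC key coordinates used as inputs are constructed sample values, not real credentials. The real newAccount URL is the `newAccount` member of the JSON document served at your ACME Directory URL.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj: dict) -> bytes:
    """Deterministic serialization so the signed bytes are reproducible."""
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def build_eab(new_account_url: str, kid: str, hmac_key: str, account_jwk: dict) -> dict:
    """Client side: the externalAccountBinding JWS for a newAccount request (RFC 8555 7.3.4).

    kid          the Key ID shown once in the CertCentral ACME Directory URL popup
    hmac_key     the HMAC key from that popup, base64url-encoded (assumed; decoded before use)
    account_jwk  public JWK of the ACME account key the client generated locally
    """
    protected = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected_b64 = b64url(compact_json(protected))
    payload_b64 = b64url(compact_json(account_jwk))  # payload is the JWK itself; no nonce here
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def protected_header(eab: dict) -> dict:
    """Decode the protected header of a binding for inspection."""
    return json.loads(b64url_decode(eab["protected"]))


def verify_eab(eab: dict, hmac_key: str, expected_kid: str, new_account_url: str, account_jwk: dict) -> bool:
    """CA side: header fields match, payload is the account key from the outer JWS,
    and the MAC verifies under the key issued for that KID (constant-time compare)."""
    try:
        header = protected_header(eab)
        payload = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError):
        return False
    if header != {"alg": "HS256", "kid": expected_kid, "url": new_account_url}:
        return False
    if payload != account_jwk:
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def new_account_body(contact_email: str, eab: dict) -> dict:
    """Payload of the newAccount request. The client then wraps this in an outer JWS
    signed with the account private key (not shown; that needs an ECDSA/RSA library)."""
    return {
        "termsOfServiceAgreed": True,
        "contact": [f"mailto:{contact_email}"],
        "externalAccountBinding": eab,
    }


# Constructed sample inputs; none of these are real CertCentral values.
SAMPLE_NEW_ACCOUNT_URL = "https://acme.example.invalid/directory/EXAMPLE/newAccount"
SAMPLE_KID = "EXAMPLE-KID-0001"
SAMPLE_HMAC_KEY = b64url(bytes(range(32)))  # 32-byte key, base64url-encoded like the popup value
SAMPLE_JWK = {  # EC P-256 public JWK; the coordinates are placeholders and are not validated here
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}

if __name__ == "__main__":
    eab = build_eab(SAMPLE_NEW_ACCOUNT_URL, SAMPLE_KID, SAMPLE_HMAC_KEY, SAMPLE_JWK)
    print(json.dumps(new_account_body("pki@example.com", eab), indent=2))
    print("verifies:", verify_eab(eab, SAMPLE_HMAC_KEY, SAMPLE_KID, SAMPLE_NEW_ACCOUNT_URL, SAMPLE_JWK))
```

With certbot the same three popup values are passed as `--server <ACME Directory URL>`, `--eab-kid <KID>` and `--eab-hmac-key <HMAC key>` on `certbot register` (or on the first `certbot certonly` run), and certbot builds this binding for you. Because the MAC covers the account's public key, the KID and HMAC key are only needed for that first registration; afterwards the account private key on the client is what authorizes requests, which is why a lost or leaked HMAC key is handled by revoking the ACME Directory URL rather than by rotating anything on the client.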

Initiate automation events

With your preferred third-party ACME client installed and configured, and an ACME Directory URL defined for it in CertCentral, you are ready to begin using the ACME client to procure DigiCert certificates.

For third-party ACME clients, automation actions must be initiated locally on each system. Follow the software provider's guidelines and use the credentials obtained from the ACME Directory URL that you set up in CertCentral.

For examples of initiating automation actions with the EFF Certbot client, see Automation examples with third-party ACME clients.