With CertCentral, you can use your preferred third-party ACME client to automate certificate deployments and reduce your TLS administration overhead.
CertCentral's ACME support allows you to automate both public and private OV and EV certificates for short validity or multi-year deployments. We also support the Signed HTTP Exchange certificate profile option, enabling you to automate your Signed HTTP Exchange certificate deployments (see ACME Directory URLs for Signed HTTP Exchange certificates).
CertCentral managed automation is DigiCert's turnkey automation solution. It allows you to manage all your automations from the CertCentral web console and includes features to ensure that ACME and other software components are always kept updated.
When you use a third-party ACME client, you are working outside of the managed automation solution. You obtain basic credentials from CertCentral to procure certificates, but you must install and maintain your own ACME software and initiate automation actions locally on each of your systems.
To use the CertCentral managed automation solution, you must have it enabled for your account. If managed automation is not enabled, you will only see ACME Directory URLs and API Keys listed under the CertCentral Automation menu.
For third-party ACME clients, you will use the ACME Directory URLs function to configure automation options and obtain the credentials needed to procure DigiCert certificates.
Before you start, make sure these prerequisites are met:
The following is the general workflow needed to automate DigiCert certificates with a third-party ACME client:
You can use any third-party automation client that supports the industry-standard ACME protocol to procure certificates from CertCentral. For example, see EFF's Certbot.
Follow the software provider's guidelines to download and install the third-party ACME client. For example, the EFF provides an installation guide for their Certbot software.
You must install the ACME client software separately on each system that will run certificate automations.
Configure the third-party ACME client software separately on each system that will run automations.
Follow the software provider's guidelines to determine the required configuration parameters. Make sure each ACME client can:
Use the CertCentral ACME Directory URLs function to configure automation options and obtain the credentials needed for your preferred ACME client to communicate with the DigiCert cloud:
In your CertCentral account, in the left main menu, select Automation > ACME Directory URLs.
From the ACME Directory URLs view, select Add ACME Directory URL.
In the Add ACME Directory URL popup window, enter an easily identifiable Name for the URL.
In the Product dropdown, select the certificate type you want to issue.
In the Division dropdown, select a division to associate with certificates issued from this ACME Directory URL.
In the Organization dropdown, select the prevalidated organization for the issued certificates.
Select the Validity period for certificates issued from this ACME Directory URL:
(Optional) To enable the Signed HTTP Exchange certificate profile option, expand Additional certificate options and select Include the CanSignHttpExchanges extension in the certificate. For more details about this option, see ACME Directory URLs for Signed HTTP Exchange certificates.
Select Add ACME Directory URL.
In the New ACME Directory URL popup window, copy your unique ACME URL along with the external account binding information, and save it.
This information is required for the third-party ACME client to procure certificates from CertCentral. It is displayed only once.
After copying and saving it somewhere safe, select I understand I will not see this again to dismiss it.
When you generate an ACME Directory URL, the URL, KID, and HMAC key are displayed only once. There is no way to retrieve this information once you have navigated away from it. If you ever lose your ACME URL details, you'll need to revoke the lost URL and generate a new one.
Your new ACME Directory URL is added to the list of URLs on the ACME Directory URLs page.
For details about certificates procured via the ACME Directory URL, select the information icon next to the URL Description.
With your preferred third-party ACME client installed and configured, and an ACME Directory URL defined for it in CertCentral, you are ready to begin using the ACME client to procure DigiCert certificates.
For third-party ACME clients, automation actions must be initiated locally on each system. Follow the software provider's guidelines and use the credentials obtained from the ACME Directory URL that you set up in CertCentral.
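To show what an ACME client does with the URL, KID, and HMAC key it receives from an ACME Directory URL, here is an added example (not part of the DigiCert documentation or of Certbot) that builds and checks the external account binding JWS defined in RFC 8555, section 7.3.4. The directory URL, KID, HMAC key, and account JWK are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# All values below are constructed placeholders, not real CertCentral credentials.
# In practice the URL, KID and HMAC key are the ones CertCentral shows you once.
ACME_NEW_ACCOUNT_URL = "https://acme.example/directory/PLACEHOLDER/newAccount"
EAB_KID = "PLACEHOLDER-KID"
EAB_HMAC_KEY = base64.urlsafe_b64encode(b"\x01" * 32).rstrip(b"=").decode("ascii")

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def decode_part(text: str) -> dict:
    """Decode a JWS protected header or payload back into its JSON object."""
    return json.loads(b64url_decode(text))

def build_eab(account_jwk: dict, kid: str, hmac_key_b64: str, new_account_url: str) -> dict:
    """Build the externalAccountBinding JWS (RFC 8555, section 7.3.4): the header
    carries the KID, the payload is the account's public JWK, and the signature is
    HMAC-SHA256 under the base64url-decoded HMAC key from the ACME Directory URL."""
    protected = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}

def verify_eab(eab: dict, hmac_key_b64: str) -> bool:
    """Recompute the MAC as the CA would and compare it in constant time."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))

def new_account_request(account_jwk: dict, eab: dict, contact: str) -> dict:
    """The newAccount body the client sends, with the binding embedded in it."""
    return {"contact": [contact], "termsOfServiceAgreed": True,
            "externalAccountBinding": eab}
```

Because the binding is keyed on the HMAC key, anyone who obtains the KID and HMAC key can register accounts against that ACME Directory URL, which is why the page tells you to store them safely and to revoke a URL whose details are lost.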
For examples of initiating automation actions with the EFF Certbot client, see Automation examples with third-party ACME clients.