Automation examples with third-party ACME clients

With CertCentral, you can automate certificates using any third-party ACME client. One such client is EFF's Certbot.

The examples here demonstrate use of the Certbot client to initiate certificate automation actions for the Apache web server.

Although these examples use Certbot, please note that DigiCert supports any ACME client or web server.

For instructions on how to use Kubernetes cert-manager to create and manage TLS/SSL certificates, see Configure cert-manager and DigiCert ACME service with Kubernetes.

Before you begin

  • Make sure you have installed and configured your preferred ACME client following the software provider's guidelines.
  • Set up an ACME Directory URL for your preferred ACME client in CertCentral. See Third-party ACME client automation user guide.
  • Root privileges required to install certificates for the web server.

Certbot: Issue and install a certificate

If you installed the certbot-auto script, replace certbot with ./certbot-auto in the command. You might need to specify the path of certbot-auto if it's not added to your server's PATH configuration.

ACME error codes: ACME returns the same errors and error messages as those returned in the CertCentral API. For a list of error codes and what they mean, see Errors.

  1. Open a terminal session on your web server, for example using using SSH.

  1. At the terminal prompt, request a certificate using Certbot and the command syntax below:

    • Make sure to replace YOUR-KEY-IDENTIFIER with the external account binding KID.
    • Make sure to replace YOUR-HMAC-KEY with the external account binding HMAC key.
    • Make sure to replace YOUR-ACME-URL with the ACME Directory URL created previously (see Create an ACME Directory URL).
    • Make sure to replace FQDN with the fully qualified domain name you want the certificate to secure. For each FQDN, add an additional -d option.
bash 
sudo certbot --apache --register-unsafely-without-email --eab-kid=YOUR-KEY-IDENTIFIER --eab-hmac-key=YOUR-HMAC-KEY --server “YOUR-ACME-URL” -d FQDN

Example:

bash 
sudo certbot --apache --register-unsafely-without-email --eab-kid=zcwmKf9sCnDUZsbCOgnv1ijy46l6UeEYCavSQQirl-g --eab-hmac-key=RHZraHBXQUxWTEFGdFhndjRVNmV3S3F6c2VNZDM1QzRURGhjdHF3S1NublJjN3dhVUFObzA0SXJwVHBnU2xnRA --server “https://acme.digicert.com/v2/acme/directory/” -d digicert.com -d www.digicert.com

  1. Enter your Certbot command, customized as needed.

    For additional information about the commands and options used in these instructions, see Certbot: ACME automation options.

  1. You will be asked to accept the Terms of Service. Type "A” and press enter.

    Currently, DigiCert doesn't have any additional Terms of Service for the ACME.

If your request includes an FQDN that Cerbot can't find a matching virtual host for, you'll be prompted to select the virtual host you want to install the certificate on.
On Apache, check the Virtual Directory listing for ServerName to match the FQDN.

  1. Select whether to redirect HTTP traffic to HTTPS.

    Choosing to redirect disables HTTP access to your website.

  1. When finished, your server displays a success message: “Congratulations! You have successfully enabled your domains…

Your ACME certificate request is complete and the newly issued certificate is installed on your webserver. Visit your website to confirm your certificate is in place.

Certbot: Renew and reissue a certificate

Renew a certificate when it has expired or is due for renewal. Reissue a certificate when it is missing or has been revoked.

To renew and reissue, use this Certbot command syntax:

bash 
sudo certbot --apache --register-unsafely-without-email --eab-kid=YOUR-KEY-IDENTIFIER --eab-hmac-key=YOUR-HMAC-KEY --server “YOUR-ACME-URL” -d FQDN

Append the orderId and the action to the URL, as shown below:

Example (renew):

bash 
sudo certbot --apache --register-unsafely-without-email --eab-kid=zcwmKf9sCnDUZsbCOgnv1ijy46l6UeEYCavSQQirl-g --eab-hmac-key=RHZraHBXQUxWTEFGdFhndjRVNmV3S3F6c2VNZDM1QzRURGhjdHF3S1NublJjN3dhVUFObzA0SXJwVHBnU2xnRA --server “https://acme.digicert.com/v2/acme/directory/?orderId=57718329&action=renew” -d digicert.com -d www.digicert.com

Example (reissue):

bash 
sudo certbot --apache --register-unsafely-without-email --eab-kid=zcwmKf9sCnDUZsbCOgnv1ijy46l6UeEYCavSQQirl-g --eab-hmac-key=RHZraHBXQUxWTEFGdFhndjRVNmV3S3F6c2VNZDM1QzRURGhjdHF3S1NublJjN3dhVUFObzA0SXJwVHBnU2xnRA --server “https://acme.digicert.com/v2/acme/directory/?orderId=57718329&action=reissue” -d digicert.com -d www.digicert.com

For Multi-year plan accounts:

  • Renew a certificate when the order coverage is expiring.
  • Reissue a certificate if it has been revoked or is expiring within the order coverage.

Certbot: Issue a duplicate certificate

To increase security and simplify installation of the certificate across multiple servers, issue a duplicate certificate for each server.

The details in the duplicate certificate will be the same as in the original certificate. Duplicate certificates never require DigiCert to revoke previous copies of your certificate.

To issue a duplicate certificate, use this Certbot command syntax:

bash 
sudo certbot --apache --register-unsafely-without-email --eab-kid=YOUR-KEY-IDENTIFIER --eab-hmac-key=YOUR-HMAC-KEY --server “YOUR-ACME-URL” -d FQDN

Append the orderId and the action to the URL, as shown below:

Example:

bash 
sudo certbot --apache --register-unsafely-without-email --eab-kid=zcwmKf9sCnDUZsbCOgnv1ijy46l6UeEYCavSQQirl-g --eab-hmac-key=RHZraHBXQUxWTEFGdFhndjRVNmV3S3F6c2VNZDM1QzRURGhjdHF3S1NublJjN3dhVUFObzA0SXJwVHBnU2xnRA --server “https://acme.digicert.com/v2/acme/directory/?orderId=57718329&action=duplicate” -d digicert.com -d www.digicert.com

Certbot: ACME automation options

  • certbot: runs the CertBot executable.
  • certbot-auto: Use this in place of certbot when the certbot-auto script is installed. You might need to specify the path of certbot-auto if it's not added to your server's PATH configuration.
  • --apache: Specifies the Apache Certbot plugin that will install the certificate for you. Optional.
  • --register-unsafely-without-email: Allows you to skip creating an ACME account. Because your request is already connected to your CertCentral account, this is not needed. Optional.
  • --server “URL: Specifies what ACME server should fulfill your request. Place your ACME Directory URL in double quotations after this option.
  • --eab-kid=YOURKID: Specifies the key identifier, which is a part of the common URL.
  • --eab-hmac-key=YOURHMACKEY: Specifies the key used for signing the response.
  • -d YOURDOMAIN: The fully qualified domain name included in the certificate. For each FQDN in the certificate, include a –d YOURDOMAIN. If you don't include this option, CertBot will prompt you about the domains you want to include based on your configured virtual hosts. Optional.
  • orderId “YOURORDERID: Specifies the order ID type of the existing certificate.
  • action “YOURACTION: Specifies the action on the certificate being requested.

A full list of Certbot commands is available through the terminal with certbot –help, or see list of commands on the Certbot documentation website.

What's next?

Your ACME certificate request is complete and the newly issued certificate is installed on your webserver. Visit your website to confirm your certificate is in place.

You can reuse your ACME Directory URL to make additional certificate requests for the same certificate product and prevalidated organization.

To request certificates for a different product or organization, create a new unique ACME Directory URL for that product or organization.

See Third-party ACME client automation user guide.

About

DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.

©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.