Manual ACME automation integration user guide

With ACME + CertCentral, use your preferred ACME client to automate your SSL/TLS certificate deployments and remove time spent completing manual certificate installations.

CertCentral ACME protocol support allows you to automate OV and EV SSL/TLS 1-year, 2-year, and custom validity certificate deployments. Our ACME protocol also supports the Signed HTTP Exchange certificate profile option, enabling you to automate your Signed HTTP Exchange certificate deployments (see ACME Directory URLs for Signed HTTP Exchange certificates).

This is the open beta period for ACME protocol support in CertCentral. For a list of current known issues, see Known issues. To report errors, contact our Support team.

Before you begin

Before you start, make sure these prerequisites are met:

  • Administrator or manager in your CertCentral account
    To access ACME in your CertCentral account, go to the ACME Directory URLs page (in the sidebar menu, click Automation > ACME Directory URLs).
  • Root access to your web server
    These instructions only cover Apache. However, DigiCert ACME is compatible with all web servers.
  • Working ACME Client installed on your web server—preferably CertBot
    DigiCert recommends using your preferred ACME Client. However, we've only included instructions for CertBot. An installation guide for CertBot is available from the EFF. See EFF's certbot.
  • Enabled automatic certificate request approvals for your CertCentral account. See Enable automatic certificate request approvals.
  • Pre-validated the domains and organizations you want to get certificates for—needed for instant certificate issuance.
    For ACME instant certificate issuance to work, you must pre-validate the domain and organization used in your ACME certificate requests. See Manage organizations and Manage domains.

DigiCert ACME Beta is not recommended for use in a production environment.

Create an ACME Directory URL

To begin, generate a unique ACME Directory URL in your CertCentral account. You'll need to include your ACME Directory URL in your CertBot certificate request command.

  1. In your CertCentral account, in the sidebar menu, click Automation > ACME Directory URLs.

    (Screenshot: ACME Directory URLs page)

  2. On the ACME Directory URLs page, click Add ACME Directory URL.

  3. In the Add ACME Directory URL popup window, enter a friendly Name for the URL.

  4. In the Product dropdown, select the certificate you want to issue using ACME.

Currently, DigiCert ACME only supports OV and EV TLS/SSL certificates.

  5. In the Organization dropdown, select the pre-validated Organization you want to issue the certificate for.

  6. Click Add ACME Directory URL.

  7. In the New ACME Directory URL popup window, copy your unique ACME URL and save it.

    You'll need to use this URL to request your certificate using ACME.

When you generate an ACME Directory URL, it is displayed only once. There is no way to retrieve a lost ACME URL. If you ever lose an ACME URL, you'll need to revoke the lost URL and generate a new one.

  8. Click I understand I will not see this again.

Your new ACME Directory URL is added to the list of URLs on the ACME Directory URLs page (in the sidebar menu, click Automation > ACME Directory URLs). For details about the certificate you can order via the ACME Directory URL, click the information icon next to the URL Description.

ACME: Issue and install a certificate

If you installed the certbot-auto script, replace certbot with ./certbot-auto in the command. You may need to specify the path of certbot-auto if it's not added to your server's PATH configuration.

ACME error codes:
ACME returns the same errors and error messages as those returned in the CertCentral API. For a list of error codes and what they mean, see Errors.

  1. Connect to your web server using SSH.

  2. At the terminal prompt, request a certificate using CertBot and the command below.

    • Make sure to replace YOUR-ACME-URL with the ACME Directory URL created previously (see Create an ACME Directory URL).
    • Make sure to replace FQDN with the fully-qualified domain name you want the certificate to secure. For each FQDN, add an additional -d option.

    sudo certbot --apache --register-unsafely-without-email --server "YOUR-ACME-URL" -d FQDN

    Here is an example of a complete command as a reference.

    sudo certbot --apache --register-unsafely-without-email --server "" -d -d

  3. Enter your CertBot command, customized as needed.

    For additional information about the commands and options used in these instructions, see ACME options.

  4. You will be asked to accept the Terms of Service. Type "A" and press Enter.

    Currently, DigiCert doesn't have any additional Terms of Service for the ACME Beta.

If your request includes an FQDN that CertBot can't find a matching virtual host for, you'll be prompted to select the virtual host you want to install the certificate on.
On Apache, check your virtual host configuration for a ServerName that matches the FQDN.

  5. Select whether to redirect HTTP traffic to HTTPS.

    Choosing to redirect disables HTTP access to your website.

  6. When finished, your server displays a success message: "Congratulations! You have successfully enabled your domains…"

Congratulations! Your ACME certificate request is complete and the newly issued certificate is installed on your webserver. You can visit your website to confirm installation was successful.
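As an added example (not DigiCert's or Certbot's own code) covering the request command above and the options listed under ACME options, this POSIX shell helper assembles the certbot command from an ACME Directory URL and one or more FQDNs, validates the shape of each value, and checks that an Apache virtual host names each FQDN in ServerName or ServerAlias so the Apache plugin will not prompt for a host. The sample vhost text and the hostnames in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not DigiCert's or Certbot's code. Builds the certbot request
# command from an ACME Directory URL plus FQDNs, validating each value, and
# checks an Apache vhost config for a ServerName/ServerAlias matching the FQDN.
# The ACME Directory URL is copied from CertCentral; only its shape is checked.
validate_acme_url() {
    case "$1" in
        https://*/*) return 0 ;;
        *) return 1 ;;
    esac
}
# Accept only syntactically valid hostnames: dot-separated labels of letters,
# digits and inner hyphens, ending in an alphabetic TLD.
validate_fqdn() {
    printf '%s' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}
# Print the full certbot command: the URL in double quotes after --server and
# one -d option per FQDN, as the guide describes. Fails on any invalid input.
build_certbot_cmd() {
    url="$1"; shift
    validate_acme_url "$url" || { echo "invalid ACME Directory URL: $url" >&2; return 1; }
    cmd="sudo certbot --apache --register-unsafely-without-email --server \"$url\""
    for fqdn in "$@"; do
        validate_fqdn "$fqdn" || { echo "invalid FQDN: $fqdn" >&2; return 1; }
        cmd="$cmd -d $fqdn"
    done
    printf '%s\n' "$cmd"
}
# Succeed when the Apache config text names the FQDN (case-insensitively, with
# an optional :port) in a ServerName or ServerAlias directive, so certbot's
# Apache plugin can find the matching virtual host instead of prompting.
vhost_has_fqdn() {
    printf '%s\n' "$1" | awk -v want="$2" '
        tolower($1) == "servername" || tolower($1) == "serveralias" {
            for (i = 2; i <= NF; i++) {
                name = tolower($i); sub(/:[0-9]+$/, "", name)
                if (name == tolower(want)) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}
# Constructed sample vhost for illustration (not a real configuration).
SAMPLE_VHOST='<VirtualHost *:80>
    ServerName www.example.com:80
    ServerAlias example.com
    DocumentRoot /var/www/html
</VirtualHost>'
```

Run build_certbot_cmd with your real directory URL and FQDNs, and call vhost_has_fqdn with the contents of each Apache site file (for example via "$(cat /etc/apache2/sites-enabled/example.conf)") before submitting the request.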

What's next


You can reuse your ACME Directory URL to make additional certificate requests for the same certificate product and prevalidated organization.

To request certificates for a different product or organization, create a new unique ACME Directory URL for that product or organization. See Create an ACME Directory URL.

ACME options

  • certbot: Runs the CertBot executable.
  • certbot-auto: Use in place of certbot when the certbot-auto script is installed. You may need to specify the path of certbot-auto if it's not added to your server's PATH configuration.
  • --apache: Specifies the Apache CertBot plugin that will install the certificate for you. Optional.
  • --register-unsafely-without-email: Allows you to skip providing an email address when the ACME account is registered. Because your request is already connected to your CertCentral account, an email address is not needed. Optional.
  • --server "URL": Specifies which ACME server should fulfill your request. Place your ACME Directory URL in double quotation marks after this option.
  • -d YOURDOMAIN: The fully-qualified domain name included in the certificate. For each FQDN in the certificate, include a -d YOURDOMAIN. If you don't include this option, CertBot will prompt you about the domains you want to include based on your configured virtual hosts. Optional.

A full list of CertBot commands is available through the terminal with certbot --help. Commands are also documented on the CertBot documentation website.

Related topics