With ACME + CertCentral, use your preferred ACME client to automate your SSL/TLS certificate deployments and eliminate the time spent on manual certificate installation.
CertCentral ACME protocol support allows you to automate OV and EV SSL/TLS 1-year, 2-year, and custom validity certificate deployments. Our ACME protocol also supports the Signed HTTP Exchange certificate profile option, enabling you to automate your Signed HTTP Exchange certificate deployments (see ACME Directory URLs for Signed HTTP Exchange certificates).
Before you start, make sure these prerequisites are met:
DigiCert ACME Beta is not recommended for use in a production environment.
To begin, generate a unique ACME Directory URL in your CertCentral account. You'll need to include this URL in your Certbot certificate request command.
In your CertCentral account, in the sidebar menu, click Automation > ACME Directory URLs.
On the ACME Directory URLs page, click Add ACME Directory URL.
In the Add ACME Directory URL popup window, enter a friendly Name for the URL.
In the Product dropdown, select the certificate you want to issue using ACME.
Currently, DigiCert ACME only supports OV and EV TLS/SSL certificates.
In the Organization dropdown, select the pre-validated Organization you want to issue the certificate for.
Click Add ACME Directory URL.
In the New ACME Directory URL popup window, copy your unique ACME URL and save it.
You'll need to use this URL to request your certificate using ACME.
When you generate an ACME Directory URL, it is displayed only once; there is no way to retrieve it later. If you lose an ACME URL, revoke the lost URL and generate a new one. Treat the URL as a credential: every request made through it is tied to your CertCentral account and to the organization you selected, so store it as you would an API key and do not paste it into shared documents, tickets or chat.
Click I understand I will not see this again.
Your new ACME Directory URL is added to the list of URLs on the ACME Directory URLs page (in the sidebar menu, click Automation > ACME Directory URLs). For details about the certificate you can order via the ACME Directory URL, click the information icon next to the URL Description.
If you installed the certbot-auto script, replace certbot with ./certbot-auto in the command. You may need to give the full path to certbot-auto if its directory is not on your server's PATH.
ACME error codes:
ACME returns the same errors and error messages as those returned in the CertCentral API. For a list of error codes and what they mean, see Errors.
Use your preferred SSH client to connect to your web server. The ACME client (Certbot) runs on the server itself.
At the terminal prompt, request a certificate using Certbot and the command below:

sudo certbot --apache --register-unsafely-without-email --server "YOUR-ACME-URL" -d FQDN

In the command, replace:

YOUR-ACME-URL with the ACME Directory URL created previously (see Create an ACME Directory URL). Use straight double quotes; the typographic quotes (“ ”) that a word processor or web page may substitute are passed to Certbot as part of the URL and the request fails.

FQDN with the fully-qualified domain name you want the certificate to secure. For each additional FQDN, add another -d FQDN option.

Here is an example of a complete command as a reference.

sudo certbot --apache --register-unsafely-without-email --server "https://acme.digicert.com/v2/acme/directory/u_sBek4aRGO_4RiltJ7Ae_XLXSc9r8FtEdrNZzuTu" -d digicert.com -d www.digicert.com
Enter your CertBot command, customized as needed.
For additional information about the commands and options used in these instructions, see ACME options.
You will be asked to accept the Terms of Service. Type "A" and press Enter.
Currently, DigiCert doesn't have any additional Terms of Service for the ACME Beta.
If your request includes an FQDN for which Certbot can't find a matching virtual host, you'll be prompted to select the virtual host on which to install the certificate.
On Apache, check that the ServerName (or a ServerAlias) in your virtual host configuration matches the FQDN.
Select whether to redirect HTTP traffic to HTTPS.
If you choose to redirect, Certbot changes your HTTP virtual host so that every plain-HTTP request is answered with a permanent redirect to HTTPS; the site is no longer served unencrypted, although port 80 stays open to issue the redirect.
When finished, your server displays a success message: “Congratulations! You have successfully enabled your domains…”
Congratulations! Your ACME certificate request is complete and the newly issued certificate is installed on your webserver. You can visit your website to confirm installation was successful.
You can reuse your ACME Directory URL to make additional certificate requests for the same certificate product and prevalidated organization.
To request certificates for a different product or organization, create a new unique ACME Directory URL for that product or organization. See Create an ACME Directory URL.
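The command-line procedure above passes the ACME Directory URL as an argument, where it lands in shell history and is visible to other users in the process list. As an added example (not DigiCert's or Certbot's own code), the script below instead writes the URL and the plugin choices into Certbot's cli.ini, which Certbot reads automatically from /etc/letsencrypt/cli.ini, so the request command is reduced to certbot plus the -d options; it validates the FQDNs before assembling those options and adds a check of the certificate the server actually presents after installation. The cli.ini keys used (server, authenticator, installer, register-unsafely-without-email) are Certbot's documented options; the directory URL in the usage comment is a placeholder, and the FQDNs are the page's own examples.

```shell
#!/bin/sh
# Added example, not DigiCert's or Certbot's own code.
# Writes the ACME Directory URL into Certbot's cli.ini (read automatically
# from /etc/letsencrypt/cli.ini) so it is not typed on the command line,
# checks the FQDNs before they are sent to the CA, and shows how to inspect
# the certificate the server presents afterwards.
set -eu

# Accept only https URLs, and reject the typographic quotes (U+201C/U+201D)
# that word processors substitute: a shell hands those characters to Certbot
# as part of the URL, and the request fails.
valid_acme_url() {
    case "$1" in
        *"“"*|*"”"*) return 1 ;;
        https://*)   return 0 ;;
        *)           return 1 ;;
    esac
}

# Hostname check: dot-separated labels of letters, digits and inner hyphens,
# with an alphabetic top-level label. No wildcards and no underscores.
valid_fqdn() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# write_acme_config PATH URL: create cli.ini readable only by its owner.
# The option names are Certbot's; register-unsafely-without-email here
# replaces the same flag on the command line.
write_acme_config() {
    conf="$1"
    url="$2"
    valid_acme_url "$url" || { echo "rejected ACME URL: $url" >&2; return 1; }
    # The subshell keeps the restrictive umask from leaking into the caller.
    (
        umask 077
        cat > "$conf" <<EOF
# Certbot defaults for CertCentral ACME (written by write_acme_config)
server = $url
authenticator = apache
installer = apache
register-unsafely-without-email = True
EOF
    )
    chmod 600 "$conf"
}

# certbot_args FQDN...: print "-d FQDN" pairs, one token per line, after
# validating every name; a single bad name rejects the whole request.
certbot_args() {
    for fqdn in "$@"; do
        valid_fqdn "$fqdn" || { echo "rejected FQDN: $fqdn" >&2; return 1; }
    done
    for fqdn in "$@"; do
        printf '%s\n%s\n' -d "$fqdn"
    done
}

# show_served_cert FQDN: after installation, print the subject, issuer,
# validity and SAN list of the certificate Apache actually serves for FQDN.
# Needs network access and OpenSSL 1.1.1 or later (for -ext); it is not
# exercised by the usage block below.
show_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates -ext subjectAltName
}

# Usage (run as root on the web server), e.g.
#   sh acme-certcentral.sh /etc/letsencrypt/cli.ini \
#      "https://acme.digicert.com/v2/acme/directory/YOUR-ACME-URL" \
#      digicert.com www.digicert.com
# then run the printed command; --server and --apache come from cli.ini.
# The URL above is a placeholder, not a real directory URL.
if [ "$#" -ge 3 ]; then
    write_acme_config "$1" "$2"
    shift 2
    echo "sudo certbot $(certbot_args "$@" | tr '\n' ' ')"
fi
```

Because cli.ini applies to every Certbot invocation on the host, keep one host per CertCentral product and organization, or pass --server explicitly for requests that must use a different ACME Directory URL.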
certbot: runs the Certbot executable.
certbot-auto: Use in place of certbot when the certbot-auto script is installed. You may need to give the full path to certbot-auto if its directory is not on your server's PATH.
--apache: Uses the Certbot Apache plugin, which installs the issued certificate in your Apache configuration for you. Optional; without an installer plugin, run certbot certonly and install the certificate yourself.
--register-unsafely-without-email: Registers the ACME account without an email address instead of prompting for one. The address is normally used by the CA for account contact and expiry notices; because your request is already tied to your CertCentral account through the ACME Directory URL, it is not needed here. Optional.
--server "YOUR-ACME-URL": Specifies which ACME server fulfills your request. Place your ACME Directory URL in straight double quotes after this option.
-d DOMAIN: A fully-qualified domain name to include in the certificate. Include one -d YOURDOMAIN option per FQDN. If you omit this option, Certbot prompts you to choose domains from the virtual hosts it finds in your web server configuration. Optional.
A full list of Certbot commands is available in the terminal with certbot --help. Commands are also documented on the Certbot documentation website.