ACME user guide

With ACME and CertCentral, use your preferred ACME client to automate your SSL/TLS certificate deployments and eliminate the time spent on manual certificate installations.

CertCentral's ACME protocol support lets you automate deployment of OV and EV SSL/TLS certificates with 1-year, 2-year, and custom validity periods. Our ACME protocol also supports the Signed HTTP Exchange certificate profile option, so you can automate your Signed HTTP Exchange certificate deployments as well (see ACME Directory URLs for Signed HTTP Exchange certificates).

This is the open beta period for ACME protocol support in CertCentral. For a list of current known issues, see the Known issues section below. To report errors, contact our Support team.

Before you begin

Before you start, make sure these prerequisites are met:

  • Are an administrator in your CertCentral account
    To access ACME in your CertCentral account, go to the Account Access page (in the sidebar menu, click Account > Account Access), and you'll see the ACME Directory URLs section.
  • Have root access to your webserver
    These instructions only cover Apache. However, DigiCert ACME is compatible with all web servers.
  • Have a working ACME Client, preferably CertBot, installed on your web server
    DigiCert recommends using your preferred ACME Client. However, we've only included instructions for CertBot. An installation guide for CertBot is available from the EFF. See EFF's certbot.
  • Enabled automatic certificate request approvals for your CertCentral account. See Enable automatic certificate request approvals.
  • Pre-validated domains and organizations, so they are ready for instant issuance.
    For ACME instant issuance to work, you must pre-validate the domain and organization used in your ACME certificate request. See Manage organizations and Manage domains.

DigiCert ACME Beta is not recommended for use in a production environment.

Create an ACME Directory URL

To begin, generate a unique ACME Directory URL in your CertCentral account. You'll need to include your ACME Directory URL in your CertBot certificate request command.

  1. In your CertCentral account, in the sidebar menu, click Account > Account Access.

  2. On the Account Access page, in the ACME Directory URLs section, click Add ACME Directory URL.

  3. In the Add ACME Directory URL popup window, enter a friendly Name for the URL.

  4. In the Product dropdown, select the certificate you want to issue using ACME.

Currently, DigiCert ACME only supports OV and EV TLS/SSL certificates.

  5. In the Organization dropdown, select the pre-validated Organization you want to issue the certificate for.

  6. Click Add ACME Directory URL.

  7. In the New ACME Directory URL popup window, copy your unique ACME URL and save it.

    You'll need this URL to request certificates using ACME.

When you generate an ACME Directory URL, it is displayed only once. There is no way to retrieve a lost ACME URL. If you ever lose an ACME URL, revoke the lost URL and generate a new one. Treat the URL as a secret: it authorizes certificate requests against your account for the selected product and organization, so store it with restricted file permissions and keep it out of shell history, tickets, and logs.

  8. Click I understand I will not see this again.

Your new ACME Directory URL is added to the list of ACME Directory URLs on the Account Access page (in the sidebar menu, click Account > Account Access). To see details about the certificate that can be ordered via an ACME Directory URL, click the information icon next to the URL Name.

ACME: Issue and install a certificate

If you installed the certbot-auto script, replace certbot with ./certbot-auto in the commands below. You may need to specify the full path to certbot-auto if it's not in your server's PATH.

ACME error codes: DigiCert ACME returns the same errors and error messages as the CertCentral API. For a list of error codes and their meanings, see Errors.

  1. Connect to your web server using SSH.

  2. At the terminal prompt, request a certificate using CertBot and the command below.

    • Replace YOUR-ACME-URL with the ACME Directory URL created previously (see Create an ACME Directory URL).
    • Replace FQDN with the fully-qualified domain name you want the certificate to secure. For each additional FQDN, add another -d option.

```bash
sudo certbot --apache --register-unsafely-without-email --server "YOUR-ACME-URL" -d FQDN
```

    Here is an example of a complete command for reference:

```bash
sudo certbot --apache --register-unsafely-without-email --server "https://acme.digicert.com/v2/acme/directory/u_sBek4aRGO_4RiltJ7Ae_XLXSc9r8FtEdrNZzuTu" -d digicert.com -d www.digicert.com
```

  3. Enter your CertBot command, customized as needed.

    For additional information about the commands and options used in these instructions, see ACME options.

  4. When asked to accept the Terms of Service, type "A" and press Enter.

    Currently, DigiCert doesn't have any additional Terms of Service for the ACME Beta.

If your request includes an FQDN for which CertBot can't find a matching virtual host, you'll be prompted to select the virtual host you want to install the certificate on. On Apache, check that the ServerName (or a ServerAlias) in the virtual host configuration matches the FQDN exactly.

  5. Select whether to redirect HTTP traffic to HTTPS.

    Choosing to redirect configures the virtual host to answer plain-HTTP requests with a redirect to HTTPS, so the site is no longer served over unencrypted HTTP.

  6. When finished, your server displays a success message: "Congratulations! You have successfully enabled your domains…"

Congratulations! Your ACME certificate request is complete and the newly issued certificate is installed on your webserver. Visit your website to confirm the installation was successful.
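The procedure above, wrapped into a script, as an added example that is not DigiCert's or CertBot's own code. It assumes the ACME Directory URL has been saved to a root-only file (the path /etc/digicert/acme-directory-url is hypothetical) rather than typed on the command line, so the URL stays out of shell history; it runs CertBot with the flags listed under ACME options plus -n and --agree-tos so the run never prompts; and it then checks with openssl (1.1.1 or later, for the -ext option) that the certificate Apache actually serves for each FQDN lists that FQDN in subjectAltName and is not within 30 days of expiry. The URL check assumes the directory URL has the form shown in the example command; the SAN text in the usage note is constructed for illustration.

```bash
#!/bin/sh
# Added example, not DigiCert's or CertBot's code. Issues a certificate through
# DigiCert ACME with the CertBot command from this guide, non-interactively,
# and verifies what Apache serves afterwards.
# Assumption: the ACME Directory URL sits in a root-only (mode 0600) file at
# the hypothetical path below, so it never has to be typed into a shell.
ACME_URL_FILE="${ACME_URL_FILE:-/etc/digicert/acme-directory-url}"

# Accept only an HTTPS DigiCert ACME directory URL of the form shown in the
# guide. The URL authorizes issuance from your account, so a mis-pasted value
# should stop the run rather than register against some other server.
check_acme_url() {
  case "$1" in
    https://acme.digicert.com/v2/acme/directory/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Validate each FQDN and emit "-d a -d b ..." for CertBot. Only hostname
# characters are allowed, so spaces, quotes or extra options cannot be
# smuggled in through a domain list; wildcards and bare hostnames are rejected.
build_domain_args() {
  out=""
  for fqdn in "$@"; do
    case "$fqdn" in
      ""|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;  # empty, bad chars, bad dots
      *.*) ;;                                    # has at least one label separator
      *) return 1 ;;                             # not fully qualified
    esac
    out="$out -d $fqdn"
  done
  printf '%s' "${out# }"
}

# True if an "openssl x509 -ext subjectAltName" dump lists exactly this FQDN
# as a DNS name (the entry is followed by a comma, or ends the text).
san_lists_fqdn() {
  case "$1" in
    *"DNS:$2,"*|*"DNS:$2") return 0 ;;
    *) return 1 ;;
  esac
}

# Steps 2 to 6 of the guide in one non-interactive run: -n never prompts,
# --agree-tos answers the Terms of Service prompt, --redirect makes the
# HTTP-to-HTTPS choice explicit instead of leaving it to a prompt.
issue_cert() {
  url=$(cat "$ACME_URL_FILE") || return 1
  check_acme_url "$url" || { echo "refusing: $ACME_URL_FILE does not hold a DigiCert ACME directory URL" >&2; return 1; }
  args=$(build_domain_args "$@") || { echo "refusing: invalid FQDN in argument list" >&2; return 1; }
  # $args is intentionally unquoted so it splits into separate -d options.
  certbot --apache -n --agree-tos --register-unsafely-without-email \
    --redirect --server "$url" $args
}

# Post-install check: fetch the leaf certificate Apache presents for each
# FQDN (with SNI), confirm the FQDN is in its SAN list, and fail if it
# expires within 30 days (2592000 s). Requires OpenSSL 1.1.1+ for -ext.
verify_served_cert() {
  rc=0
  for fqdn in "$@"; do
    pem=$(printf '' | openssl s_client -connect "$fqdn:443" -servername "$fqdn" 2>/dev/null)
    san=$(printf '%s\n' "$pem" | openssl x509 -noout -ext subjectAltName 2>/dev/null)
    if ! san_lists_fqdn "$san" "$fqdn"; then
      echo "FAIL $fqdn: not listed in subjectAltName of the served certificate" >&2; rc=1
    fi
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 2592000 >/dev/null 2>&1; then
      echo "FAIL $fqdn: served certificate expires within 30 days, or could not be read" >&2; rc=1
    fi
  done
  return $rc
}

# Usage (as root, with the URL file in place):
#   issue_cert example.com www.example.com && verify_served_cert example.com www.example.com
```

Reading the URL from a file keeps it out of your shell history, but it is still visible in the process list while certbot runs and CertBot writes it into the certificate's renewal configuration under /etc/letsencrypt/renewal, so restrict access to that directory as you would to the URL itself. The SAN check matches the exact DNS entry, so a dump such as "DNS:example.com, DNS:www.example.com" satisfies example.com and www.example.com but not ample.com.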

What's next


You can reuse your ACME Directory URL to make additional certificate requests for the same certificate product and prevalidated organization.

To request certificates for a different product or organization, create a new unique ACME Directory URL for that product or organization. See Create an ACME Directory URL.

ACME options

  • certbot: runs the CertBot executable.
  • certbot-auto: use in place of certbot when the certbot-auto script is installed. You may need to specify the full path to certbot-auto if it's not in your server's PATH.
  • --apache: selects the Apache CertBot plugin, which obtains the certificate and installs it in your Apache configuration for you. Optional.
  • --register-unsafely-without-email: registers the ACME account without an email address. CertBot still generates an ACME account key pair (stored under /etc/letsencrypt/accounts) and registers it with the server; because your ACME Directory URL already ties that account to your CertCentral account, DigiCert doesn't need an email address. Optional; if omitted, CertBot prompts for one.
  • --server "URL": specifies which ACME server fulfills your request. Place your ACME Directory URL in double quotes after this option. CertBot records this URL in the certificate's renewal configuration (under /etc/letsencrypt/renewal), so later renewals use the same directory.
  • -d YOURDOMAIN: a fully-qualified domain name to include in the certificate. For each FQDN in the certificate, include a separate -d YOURDOMAIN. If you don't include this option, CertBot prompts you to choose domains based on your configured virtual hosts. Optional.

A full list of CertBot options is available from the terminal with certbot --help. Options are also documented on the CertBot documentation website.

Related topics