Create and manage ACME credentials
Automated Certificate Management Environment (ACME) credentials include an ACME directory URL, a key identifier (KID), and an HMAC key. These credentials authorize a third-party ACME client to request certificates from CertCentral. This procedure generates a set of credentials to configure in the third-party ACME client.
Before you begin
Prevalidate organizations for Organization Validation (OV) or Extended Validation (EV) certificate requests. See Confirm domain and organization readiness.
For ACME requests to process without manual intervention, automatic certificate request approvals must be enabled. See Enable automatic certificate request approvals.
For a Subscription account:
The organization must be validated in the subscription.
The subscription must have unused domains or previously validated domain names for the domains in ACME requests.
To identify your account type:
If the CertCentral menu shows Automation > ACME Directory URLs, the account is Enterprise or Partner.
If the CertCentral menu shows an ACME credentials menu item, the account is a Subscription account.
Add new ACME credentials
For Enterprise and Partner accounts:
In the CertCentral main menu, go to Automation > ACME Directory URLs.
Select Add ACME Directory URL.
Configure the new ACME credentials using the fields in the following table:
Name: Enter a friendly name for this set of credentials.
Product: Select the certificate product to request through these credentials.
Division (if enabled): Select a division to associate with issued certificates.
Organization: Select the organization for OV or EV certificates.
Multi-year coverage length: For multi-year accounts, select the total order length.
Validity period: Select the validity period for certificates issued through these credentials. For a custom validity length, enter the number of days.
Additional certificate options: Select any additional options, such as the CanSignHttpExchanges extension.
Select Add ACME Directory URL.
In the New ACME Directory URL modal, copy the ACME URL and External Account Binding (EAB) credentials and save them in a secure location.
Important
The ACME URL and EAB credentials are displayed only once. If credentials are lost or suspected to be compromised, revoke them immediately and create new credentials.
Select I understand I will not see this again to dismiss the modal.
For Subscription accounts:
Navigate to the ACME credentials setup using either path:
From the Dashboard or My subscription page, select Request a certificate, then select Automate with ACME.
From the CertCentral main menu, select ACME credentials.
Follow the guided ACME enablement workflow. It consists of three screens:
Screen 1: Certificate settings
Configure the certificate settings.
Warning
Any new organization must complete validation before DigiCert issues certificates. ACME requests fail until organization validation completes.
Organization: Select the organization for OV or EV certificates. Select Add organization to select an existing organization or add a new one.
Primary contact: Verify the primary organization contact for OV or EV certificates.
Total coverage: For multi-year accounts, select the total coverage length.
Certificate validity: Select 1 year, a custom validity length up to 397 days, or a custom expiration date.
Screen 2: ACME credentials
CertCentral generates credentials using the settings from screen 1. The credentials include:
URL: the address to send certificate requests
KID: identifies the CertCentral account
HMAC key: authenticates and encrypts requests
Use the copy icon next to each credential and save the credentials in a secure location.
Important
ACME credentials are displayed only once. If credentials are lost or suspected to be compromised, revoke them immediately and create new credentials.
Screen 3: Next steps
Screen 3 provides information and links to start using the new ACME credentials.
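As an added example (not DigiCert's code or any official ACME client), the following Python shows what a third-party client does with the three values from screen 2 (or the Enterprise modal): it builds the External Account Binding JWS for the ACME newAccount request and shows how the CA side verifies it. The newAccount URL, KID, HMAC key and account JWK are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder values: the real ones come from the CertCentral modal (screen 2).
NEW_ACCOUNT_URL = "https://acme.example.test/acme/new-account"  # placeholder, not DigiCert's
EAB_KID = "example-kid-0001"                                     # placeholder KID
EAB_HMAC_KEY = "Y29uc3RydWN0ZWQtdGVzdC1rZXktbm90LWEtcmVhbC1vbmU"  # placeholder, base64url
# Constructed stand-in for the ACME account public key; a real client uses its own EC key.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}

def b64url(data: bytes) -> str:
    """Base64url without padding (RFC 7515), as every ACME JWS field requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_eab_jws(kid, hmac_key, new_account_url, account_jwk) -> dict:
    """externalAccountBinding JWS (RFC 8555 section 7.3.4): HS256 over the account JWK,
    keyed with the EAB HMAC key, with the KID and newAccount URL in the protected header."""
    protected = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}

def verify_eab_jws(eab: dict, kid: str, hmac_key: str) -> bool:
    """CA-side check: the header must name HS256 and the expected KID, and the MAC must
    match; compare_digest keeps the comparison constant-time."""
    header = json.loads(b64url_decode(eab["protected"]))
    if header.get("alg") != "HS256" or header.get("kid") != kid:
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))

def new_account_request(eab: dict, contact_email: str) -> dict:
    """Body of the newAccount request; the EAB ties the fresh ACME account key to the KID."""
    return {"termsOfServiceAgreed": True, "contact": [f"mailto:{contact_email}"],
            "externalAccountBinding": eab}

if __name__ == "__main__":
    eab = build_eab_jws(EAB_KID, EAB_HMAC_KEY, NEW_ACCOUNT_URL, ACCOUNT_JWK)
    print(json.dumps(new_account_request(eab, "admin@example.test"), indent=2))
    print("verifies:", verify_eab_jws(eab, EAB_KID, EAB_HMAC_KEY))
```

A real client takes the newAccount URL from the directory document it fetches at the ACME directory URL and signs the outer request with its own account key; the EAB shown here is the inner object that proves possession of the HMAC key handed out by CertCentral.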
Manage ACME credentials
From the ACME Directory URLs page (Enterprise and Partner accounts) or the ACME credentials menu (Subscription accounts):
To view the certificate type and settings for a set of credentials, select the tooltip next to the credential name.
To permanently disable a set of credentials, select the Revoke link.
Warning
Store ACME credentials in a secure location to prevent malicious actors from issuing certificates for your domains. If credentials are lost or suspected to be compromised, revoke them immediately and create new credentials.
ACME credentials for Signed HTTP Exchanges certificates
Use the CertCentral ACME service to get certificates with the Signed HTTP Exchanges extension.
Before you begin
The Signed HTTP Exchange certificate profile option must be enabled for the account.
Each domain must have a CAA DNS record with the cansignhttpexchanges=yes parameter.
The order must include an ECC CSR. The SXG specification requires an ECC key pair. For CSR creation instructions, see ECC CSR creation: Apache or ECC CSR creation: Microsoft Servers.
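As an added readiness check (example code, not DigiCert's), the following Python parses CAA records in RFC 8659 RDATA form and confirms that an issue record for the CA carries the cansignhttpexchanges=yes parameter, alongside the 1 to 90 day validity bound this page states. The sample records and the issuer domain ca.example.test are constructed placeholders, not DigiCert's CAA identifier.

```python
import re

# Constructed sample CAA RDATA (as a DNS tool would print it) for a hypothetical zone;
# "ca.example.test" is a placeholder issuer domain, not DigiCert's CAA identifier.
SAMPLE_CAA_RDATA = [
    '0 issue "ca.example.test; cansignhttpexchanges=yes"',
    '0 issuewild "ca.example.test"',
    '0 iodef "mailto:security@example.test"',
]

def parse_caa(rdata: str) -> dict:
    """Split one CAA RDATA string into flags, tag, issuer domain and parameters (RFC 8659)."""
    m = re.fullmatch(r'(\d+)\s+(\S+)\s+"(.*)"', rdata.strip())
    if not m:
        raise ValueError(f"not a CAA record: {rdata!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    issuer, *params = [part.strip() for part in value.split(";")]
    parameters = {k.strip().lower(): v.strip() for k, v in
                  (p.split("=", 1) for p in params if "=" in p)}
    return {"flags": flags, "tag": tag, "issuer": issuer, "parameters": parameters}

def sxg_caa_ready(records, ca_domain: str) -> bool:
    """True when an 'issue' record naming ca_domain carries cansignhttpexchanges=yes."""
    for rec in map(parse_caa, records):
        if rec["tag"] == "issue" and rec["issuer"].lower() == ca_domain.lower():
            if rec["parameters"].get("cansignhttpexchanges", "").lower() == "yes":
                return True
    return False

def sxg_validity_ok(days: int) -> bool:
    """The CanSignHttpExchanges profile caps validity at 90 days (custom length 1 to 90)."""
    return 1 <= days <= 90

if __name__ == "__main__":
    print("CAA ready:", sxg_caa_ready(SAMPLE_CAA_RDATA, "ca.example.test"))
    print("90 days ok:", sxg_validity_ok(90), "| 397 days ok:", sxg_validity_ok(397))
```

Run it against the output of a DNS query for each domain in the request, substituting the CA's real CAA issuer domain; a request for a domain whose CAA lacks the parameter fails before any certificate is issued.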
Add SXG ACME credentials
Follow the standard steps to add the ACME credentials, using the following settings to enable the CanSignHttpExchanges extension in certificates issued through the ACME credentials:
Product: Select an OV or EV certificate product. Currently, the CanSignHttpExchanges extension is only supported for OV or EV certificates.
Validity period: Select Custom length and enter a number from 1 to 90 days.
Additional certificate options: Expand this section and select the checkbox to Include the CanSignHttpExchanges extension in the certificate.
Notice
Certificates with the CanSignHttpExchanges extension have a 90-day maximum validity limit.
After making the selections, select the Add ACME Directory URL button to generate the new ACME credentials. Use the provided URL and EAB credentials to send ACME requests for certificates with the Signed HTTP Exchanges extension and the other settings you selected.
What's next
Associate ACME credentials with a certificate profile to confirm the profile allows the intended lifecycle actions