Third-party ACME client integration

CertCentral supports third-party ACME clients such as EFF Certbot and Kubernetes cert-manager as an alternative to the DigiCert native ACME agent. Use third-party ACME clients when the native agent does not fit your deployment model or when your environment already uses an established ACME client.

Notice

Third-party ACME clients have the following limitations compared to the native DigiCert ACME agent:

  • No support for proprietary network appliances such as load balancers

  • No automated software updates: each client must be maintained manually

  • No centralized management: automation events must be initiated locally on each client

  • May require additional network and firewall changes

DigiCert recommends third-party ACME clients only for:

  • Smaller deployments where centralized management is not required

  • Clients such as Kubernetes cert-manager that natively support high-volume automations from a centralized location

  • Automating Signed HTTP Exchange (SXG) certificates with ECC keys and the CanSignHttpExchanges extension. For details on SXG certificates and ACME automation, see the Get your Signed HTTP Exchange certificates topic.

ACME automation workflow overview

To automate certificate deployments using a third-party ACME client, follow this general three-step workflow:

  1. Generate ACME credentials in CertCentral

    Set up ACME credentials for each certificate type you want to request and deploy. This provides the ACME directory URL and External Account Binding (EAB) credentials needed to authenticate with DigiCert. See Create and manage ACME credentials for detailed instructions.

  2. Install a third-party ACME client on your servers

    Download and configure your preferred ACMEv2-compliant client (such as Certbot or win-acme) on each server where you want to automate certificates. See Set up a third-party ACME client for detailed instructions.

  3. Request and manage certificates using ACME

    Use your installed ACME client to request new certificates, renew existing ones, reissue for updated domains, or duplicate across servers. The ACME client automatically contacts DigiCert, validates domains, and installs the certificate on your host. See the procedure topics for Certbot, Ansible, and Kubernetes cert-manager.
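
The EAB credentials from step 1 are a key identifier and an HMAC key; at account registration the client uses them to bind its own ACME account key to an existing account at the CA (RFC 8555, section 7.3.4). The following is an added example, not DigiCert's or any ACME client's code, that builds and checks that binding. The key ID, HMAC key, account JWK and URL are constructed placeholders, and the HMAC key is assumed to be base64url-encoded.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(hmac_key_b64url: str, protected: str, payload: str) -> bytes:
    key = b64url_decode(hmac_key_b64url)
    return hmac.new(key, f"{protected}.{payload}".encode(), hashlib.sha256).digest()

def build_eab(account_jwk: dict, kid: str, hmac_key_b64url: str, url: str) -> dict:
    """Client side: JWS over the account public key, MACed with the EAB key."""
    # RFC 8555 7.3.4: MAC algorithm, CA-issued kid, same url as the outer request, no nonce.
    protected = b64url(json.dumps({"alg": "HS256", "kid": kid, "url": url}).encode())
    payload = b64url(json.dumps(account_jwk).encode())
    return {"protected": protected, "payload": payload,
            "signature": b64url(_mac(hmac_key_b64url, protected, payload))}

def verify_eab(eab: dict, account_jwk: dict, hmac_key_b64url: str, url: str) -> bool:
    """CA side: the MAC must verify and the payload must be the registering key."""
    # A real CA looks the HMAC key up from the header's kid; here it is passed in.
    header = json.loads(b64url_decode(eab["protected"]))
    if header.get("alg") != "HS256" or header.get("url") != url or "nonce" in header:
        return False
    expected = _mac(hmac_key_b64url, eab["protected"], eab["payload"])
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    return json.loads(b64url_decode(eab["payload"])) == account_jwk

# Constructed sample values, not real CertCentral credentials or endpoints.
EAB_KID = "constructed-key-id-0001"
EAB_HMAC_KEY = b64url(b"constructed-eab-hmac-key-32bytes")
NEW_ACCOUNT_URL = "https://acme.example.test/acme/new-account"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}

if __name__ == "__main__":
    eab = build_eab(ACCOUNT_JWK, EAB_KID, EAB_HMAC_KEY, NEW_ACCOUNT_URL)
    print(json.dumps(eab, indent=2))
    print("verifies:", verify_eab(eab, ACCOUNT_JWK, EAB_HMAC_KEY, NEW_ACCOUNT_URL))
```

Possession of the HMAC key is what authorizes the registration, so store it like any other secret and keep it out of shell history and shared configuration.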