Sample ACME implementation
This sample walks through an ACME workflow against DigiCert Private CA using Certbot: registering an account with external account binding (EAB), then enrolling, renewing and revoking a client certificate.
Prerequisites
An ACME profile in your DigiCert® Private CA
Certbot
OpenSSL
Initial setup
Install and configure Certbot on the client system where certificate enrollment will be performed.
Register an ACME account
Register an ACME account for DigiCert Private CA. An ACME account is required before you can request, renew or revoke certificates, or manage orders, through an ACME client.
STEP 1: Gather the prerequisites
The ACME directory URL
External account binding key identifier
External account binding HMAC key
STEP 2: Run the registration command
certbot register \
  --non-interactive \
  --agree-tos \
  --register-unsafely-without-email \
  --no-verify-ssl \
  --server "https://<ca-server>/certificate-authority/api/v1/acme/directory" \
  --eab-kid "<KID>" \
  --eab-hmac-key "<HMAC>"
Where:
--server is the ACME directory URL from the ACME profile.
--eab-kid is the Key identifier from the ACME profile.
--eab-hmac-key is the HMAC key from the ACME profile. Treat it as a secret: anyone who holds the key identifier and HMAC key can bind new ACME accounts to your profile.
--no-verify-ssl disables verification of the CA server's TLS certificate, so Certbot would also talk to a spoofed server at that address and send it every later order. Use the flag only in a lab; in production, make the CA server's issuing certificate trusted on the client (for example by pointing the REQUESTS_CA_BUNDLE environment variable at it) and omit the flag.
Result:
A new ACME account is created and associated with the provided EAB credentials. The ACME account can now be used to request and manage certificates.
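What the two EAB flags turn into on the wire is a small JWS that Certbot embeds in the newAccount request (RFC 8555, section 7.3.4): the protected header carries the key identifier, the payload is the new account's public key, and the signature is an HMAC-SHA256 computed with the profile's HMAC key. The following is an added example, not Certbot's or DigiCert's code, written with the Python standard library only; the newAccount URL, the account JWK, the key identifier and the HMAC key are constructed sample values (the real newAccount URL is read from the directory document, and the real KID and HMAC key come from the ACME profile). The verifier shows the checks the CA performs before it binds the account, and why a wrong HMAC key or a substituted account key is rejected.

```python
"""External Account Binding (EAB) as sent in an ACME newAccount request.

Added example (stdlib only). All values below are constructed for illustration;
they are not real credentials and not DigiCert endpoints.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample values. In practice the newAccount URL is the "newAccount"
# field of the directory document, and KID/HMAC key come from the ACME profile.
NEW_ACCOUNT_URL = "https://ca.example.test/acme/new-account"
KID = "C64FDB72BDA7A46BF76249CDB246BBD7"
HMAC_KEY = "kXXePK5zM5sE_4xBJ9AQpbbX9FFUOUU3a_pABCyPyXl9"   # base64url, no padding
# The ACME account's public key as a JWK. A real one has a 2048-bit modulus;
# this placeholder only needs to be a JSON object for the binding logic.
ACCOUNT_JWK = {"kty": "RSA", "n": "constructed-modulus-not-a-real-key", "e": "AQAB"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding that --eab-hmac-key values omit."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(hmac_key_b64url: str, signing_input: str) -> bytes:
    return hmac.new(b64url_decode(hmac_key_b64url), signing_input.encode("ascii"),
                    hashlib.sha256).digest()


def build_eab(kid: str, hmac_key_b64url: str, new_account_url: str, account_jwk: dict) -> dict:
    """Build the externalAccountBinding JWS placed inside the newAccount payload.

    protected: {"alg": "HS256", "kid": <--eab-kid>, "url": <newAccount URL>}; no nonce.
    payload:   the account public key (JWK), the same key that signs the outer JWS.
    signature: HMAC-SHA256(<--eab-hmac-key>, "<protected>.<payload>").
    """
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    return {"protected": protected, "payload": payload,
            "signature": b64url(_mac(hmac_key_b64url, f"{protected}.{payload}"))}


def eab_header(eab: dict) -> dict:
    """Decode the protected header of an EAB JWS (used for inspection and tests)."""
    return json.loads(b64url_decode(eab["protected"]))


def verify_eab(eab: dict, expected_kid: str, hmac_key_b64url: str,
               new_account_url: str, outer_jwk: dict) -> bool:
    """The CA-side checks before a new account is bound to the EAB credentials.

    outer_jwk is the key from the outer newAccount JWS; it must equal the JWK
    inside the EAB payload, otherwise the binding could be replayed onto an
    attacker's account key.
    """
    try:
        header = eab_header(eab)
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError, TypeError):
        return False
    if header.get("alg") != "HS256" or "nonce" in header:
        return False
    if header.get("kid") != expected_kid or header.get("url") != new_account_url:
        return False
    if bound_jwk != outer_jwk:
        return False
    expected = _mac(hmac_key_b64url, f'{eab["protected"]}.{eab["payload"]}')
    # Constant-time comparison: the HMAC key is a bearer secret for the profile.
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    eab = build_eab(KID, HMAC_KEY, NEW_ACCOUNT_URL, ACCOUNT_JWK)
    print(json.dumps(eab, indent=2))
    print("valid:", verify_eab(eab, KID, HMAC_KEY, NEW_ACCOUNT_URL, ACCOUNT_JWK))
```

Note that the HMAC key itself never leaves the client; only the MAC does. What a spoofed server (the risk of `--no-verify-ssl`) obtains is the signed binding and the account key's subsequent orders, which is why the registration step in particular should run over a verified TLS connection.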
Enroll a client certificate
Enroll a new client certificate using the ACME protocol.
STEP 1: Generate a private key and CSR
Generate a private key and a Certificate Signing Request (CSR) using OpenSSL:
openssl req -new -newkey rsa:2048 -nodes \
  -keyout client.key \
  -out client.csr \
  -subj "/CN=client.example.com"
Where:
-keyout is the private key file for your CSR.
-out is the CSR file which contains your certificate signing request.
-subj is the subject common name for your client system.
-nodes writes the private key unencrypted, so restrict the file to the enrolling user (for example chmod 600 client.key) and never copy it to the CA; only the CSR is submitted.
STEP 2: Run the enrollment command
Replace the placeholders with your actual values:
certbot certonly \
  --register-unsafely-without-email \
  --standalone \
  --no-verify-ssl \
  --http-01-port 1983 \
  --server "https://<ca-server>/certificate-authority/api/v1/acme/directory" \
  --eab-kid "<KID>" \
  --eab-hmac-key "<HMAC>" \
  --csr client.csr
Where:
--server is the ACME directory URL from the ACME profile.
--eab-kid is the Key identifier from the ACME profile.
--eab-hmac-key is the HMAC key from the ACME profile.
--csr is the certificate signing request file created in the previous step.
--standalone makes Certbot start a temporary web server to answer the HTTP-01 challenge, and --http-01-port is the local port that server listens on. The flag only changes where Certbot listens; the CA must still be able to reach the client at the address and port it validates, so place a proxy or port forward in front if they differ.
Result:
The issued certificate is generated and saved to the output location configured in Certbot. When --csr is used, Certbot does not create a certificate lineage under its config directory; it writes the certificate, chain and full chain to the current working directory (numbered files such as 0000_cert.pem) unless --cert-path, --chain-path and --fullchain-path are given. Because there is no lineage, certbot renew does not apply to this certificate; see the renewal section.
Renew a client certificate
Renew an existing client certificate using the ACME protocol.
ACME certificate renewal is performed by submitting a new certificate order using the same ACME account that was used for the original enrollment.
STEP 1: Prepare for renewal
Ensure that you use:
The same ACME directory URL
The same ACME account
A new or updated certificate signing request (CSR)
STEP 2: Run the renewal command
Run the ACME enrollment command again.
certbot certonly \
  --non-interactive \
  --agree-tos \
  --register-unsafely-without-email \
  --standalone \
  --no-verify-ssl \
  --http-01-port 1983 \
  --server "https://<ca-server>/certificate-authority/api/v1/acme/directory" \
  --csr renewed_client.csr
Where:
--server is the ACME directory URL from the ACME profile.
--csr is the updated CSR file.
The --eab-kid and --eab-hmac-key flags are not repeated: the account registered earlier is stored in Certbot's config directory and is reused for the same --server URL. If the original enrollment used a non-default --config-dir, pass the same value here; otherwise Certbot has no account and would attempt a fresh registration.
Result:
A new certificate is issued to replace the existing certificate. The renewed certificate has a new validity period based on the profile configuration.
Revoke a client certificate
Revoke an issued client certificate using the ACME protocol.
STEP 1: Gather the prerequisites
The certificate to be revoked.
Access to the ACME account used to issue the certificate.
STEP 2: Run the revocation command
certbot revoke \
  --non-interactive \
  --no-verify-ssl \
  --server "https://<ca-server>/certificate-authority/api/v1/acme/directory" \
  --cert-path issued_cert.pem
Where:
--server is the ACME directory URL from the ACME profile.
--cert-path is the certificate that requires revocation, in PEM format.
The request is authorized by the ACME account that ordered the certificate. If that account is no longer available, Certbot can instead sign the revocation with the certificate's own private key via --key-path. For a compromised key, add --reason keycompromise so that the revocation reason is recorded.
Result:
The specified certificate is revoked by DigiCert Private CA.