Maintain credential integrity
Protect ACME credentials in accordance with your internal security policies. Compromised or lost credentials can interrupt automated renewal and reissuance workflows.
Always store ACME credentials, particularly the EAB HMAC key, in a secure location to prevent unauthorized certificate issuance for your domains.
Revoke compromised credentials
If ACME credentials are compromised or lost, revoke them immediately:
1. In the CertCentral menu, go to Automation > ACME Directory URLs.
2. Locate the compromised credentials.
3. Select Revoke.
Revoked credentials are permanently disabled and can no longer be used by any ACME client to request certificates.
Generate replacement credentials
After revoking compromised credentials, generate new credentials and update all ACME clients:
1. Generate new ACME credentials. See Create ACME credentials.
2. Update the ACME client configuration with the new directory URL and EAB values immediately.
3. Confirm that subsequent lifecycle actions authenticate successfully.
Notice
Failure to update ACME client configuration after revoking credentials interrupts automated renewal and reissuance workflows until new credentials are applied.
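One way to check that no client was missed after rotation, as an added example (not DigiCert code): the script walks a configuration directory and reports files that still contain the revoked EAB key ID, plus files holding EAB values that are accessible to group or other users. It assumes Certbot-style `eab-kid` / `eab-hmac-key` option names; the key IDs and file layout are constructed placeholders.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumption: EAB values appear under Certbot's option names (cli.ini form).
EAB_MARKERS = ("eab-kid", "eab-hmac-key")

def audit_acme_configs(root, revoked_kid):
    """Return (path, reason) findings for files under `root` that still
    reference the revoked EAB key ID or expose EAB values via loose modes."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        if revoked_kid in text:
            findings.append((str(path), "stale-kid"))
        if any(marker in text for marker in EAB_MARKERS):
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & 0o077:  # any group/other permission bit set
                findings.append((str(path), f"loose-perms {mode:03o}"))
    return findings

def demo():
    """Constructed sample: one client not yet updated, one already rotated."""
    with tempfile.TemporaryDirectory() as d:
        old = Path(d, "web1", "cli.ini")
        old.parent.mkdir()
        old.write_text("eab-kid = REVOKED_KID_PLACEHOLDER\neab-hmac-key = x\n")
        os.chmod(old, 0o644)
        new = Path(d, "web2", "cli.ini")
        new.parent.mkdir()
        new.write_text("eab-kid = NEW_KID_PLACEHOLDER\neab-hmac-key = y\n")
        os.chmod(new, 0o600)
        return [(os.path.relpath(p, d), why)
                for p, why in audit_acme_configs(d, "REVOKED_KID_PLACEHOLDER")]

if __name__ == "__main__":
    for rel_path, reason in demo():
        print(rel_path, reason)
```

An empty result for the real configuration directory means no scanned file still carries the revoked key ID; it does not replace confirming that the next renewal authenticates.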
What's next
To set up a third-party ACME client such as EFF Certbot or Kubernetes cert-manager with your CertCentral credentials, see Third-party ACME client integration.
To complete domain control validation with HTTP-01 or DNS-01 challenges and begin automated certificate issuance, see Automate certificate issuance using ACME.