Subscription accounts
You need ACME credentials in CertCentral to automate your certificate deployments using third-party ACME clients like Certbot.
Each set of ACME credentials defines a particular type of certificate you can request, including the:
Certificate product
Organization
Division
CertCentral order length
Certificate validity length
The ACME credentials provide the URL and External Account Binding (EAB) credentials for requesting certificates:
Key identifier (KID) to identify your CertCentral account.
HMAC key for authentication and encryption.
Notice
Instructions here are specific to CertCentral subscription accounts. If you have a CertCentral Enterprise account or any other type of account that does not include a CertCentral subscription, see: Enterprise and non-subscription accounts
Before you begin
Before you use ACME to automate certificate management in your subscription, first make sure:
The organization you want to use in your ACME credentials and request certificates for is validated in your subscription.
Your subscription has unused domains or previously validated domain names for each of the domains in your ACME requests.
Check the organization and domains available in your subscription and add if needed. Unavailable organizations or domains will result in delayed or failed ACME requests.
Add ACME credentials
Enable ACME automation for a certificate product in one of two ways:
From your Dashboard or My subscription page. When you select the Request a certificate action, you have the option to Automate with ACME.
Or, use the ACME credentials function from the CertCentral left main menu. This page lists any existing ACME credentials in your account and provides an Add ACME credentials button to create new ones.
Regardless of how you launch it, the workflow for adding ACME credentials works the same. We ask you some basic questions about the type of certificates you want to automate, generate the ACME credentials for you, and provide some information to help you start using them.
This guided ACME enablement workflow consists of three screens:
Certificate settings: Configure settings to apply to certificates issued through these ACME credentials. Available settings depend on the certificate product and may include:
Organization: Select the organization for OV/EV certificates. First select Add organization and then choose one of your existing organizations or add a new one.
Warning
Any new organization you add must get validated before DigiCert can issue certificates for it. You will not be able to request certificates via ACME until this organization validation process is completed. If you need help, contact DigiCert Validation Support.
Primary contact: Verify the primary organization contact for the selected organization for OV/EV certificates.
Total coverage: For multi-year accounts, select the total coverage length for certificates. This provides a cost-effective way to keep a valid certificate installed over a longer time period, using ACME to automate the deployment.
Certificate validity: Select how long each individual certificate will remain valid for. You can choose 1 year, a custom validity length (up to 397 days), or set a custom expiration date.
ACME credentials: At this point, we generate your new ACME credentials using the certificate settings you selected on the previous screen. You can use these same credentials on any of your servers where you need to install this type of certificate.
The credentials include the URL to send certificate requests, the Key identifier (KID) that identifies your CertCentral account, and the HMAC key to use for authentication and encryption.
Use the copy icon to copy your credentials and save them in safe location.
This information is required to get certificates from CertCentral via ACME. It only gets displayed once.
Next steps: Finally, we provide some information and resources to help you start using your new ACME credentials. This includes general steps to follow, things to verify in your account, and links for more information.
Manage your ACME credentials
To list and manage any existing ACME credentials in your account, select ACME credentials from the CertCentral left main menu. From this page you can:
Select the tooltip next to the ACME credential names for details about the type of certificates you can request through each set of credentials.
Use the Revoke links on the right to revoke any of the ACME credentials. When you revoke, the ACME credentials get permanently disabled and can no longer be used by any ACME clients to request certificates.
Warning
Always store your ACME credentials in a secure location to prevent malicious actors from attempting to issue certificates for your domains.
If you ever lose your ACME credentials or suspect they have been compromised, revoke the existing ACME credentials immediately and add new ACME credentials to use.
What's next
To use your ACME credentials to request and automate certificates on your servers, install a third-party ACME client on each server.