Subscription accounts

You need ACME credentials in CertCentral to automate your certificate deployments using third-party ACME clients like Certbot.

Each set of ACME credentials defines a particular type of certificate you can request, including the:

  • Certificate product

  • Organization

  • Division

  • CertCentral order length

  • Certificate validity length

The ACME credentials provide the URL and External Account Binding (EAB) credentials for requesting certificates:

  • Key identifier (KID) to identify your CertCentral account.

  • HMAC key for authentication and encryption.
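How an ACME client uses these two values, shown as an added example that is not DigiCert's or any ACME client's own code: following RFC 8555 section 7.3.4, the client computes a MAC over its own account public key with the HMAC key and labels the result with the KID, which binds that ACME account to the CertCentral account. The KID, HMAC key, URL and JWK below are constructed placeholders, and HS256 with a base64url-encoded key is an assumption taken from the RFC.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(hmac_key_b64: str, protected: str, payload: str) -> str:
    key = b64url_decode(hmac_key_b64)
    signing_input = f"{protected}.{payload}".encode("ascii")
    return b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def build_eab(kid, hmac_key_b64, account_jwk, new_account_url) -> dict:
    """Return the externalAccountBinding object for a newAccount request."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(
        json.dumps(account_jwk, sort_keys=True, separators=(",", ":")).encode())
    return {"protected": protected, "payload": payload,
            "signature": _mac(hmac_key_b64, protected, payload)}


def verify_eab(eab: dict, hmac_key_b64: str) -> bool:
    """CA-side check: recompute the MAC and compare in constant time."""
    expected = _mac(hmac_key_b64, eab["protected"], eab["payload"])
    return hmac.compare_digest(expected, eab["signature"])


# Constructed placeholders, not real CertCentral values or a real key.
SAMPLE_KID = "example-kid-0001"
SAMPLE_HMAC_KEY = b64url(b"\x11" * 32)
SAMPLE_URL = "https://acme.example.test/new-account"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}

if __name__ == "__main__":
    eab = build_eab(SAMPLE_KID, SAMPLE_HMAC_KEY, SAMPLE_JWK, SAMPLE_URL)
    print(json.dumps(eab, indent=2))
    print("valid with issued key:", verify_eab(eab, SAMPLE_HMAC_KEY))
    print("valid with other key: ", verify_eab(eab, b64url(b"\x22" * 32)))
```

The binding verifies for whichever account key was signed with the issued HMAC key, so the KID and HMAC key together need the same protection as any other issuance secret.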

Notice

Instructions here are specific to CertCentral subscription accounts. If you have a CertCentral Enterprise account or any other type of account that does not include a CertCentral subscription, see: Enterprise and non-subscription accounts

Add ACME credentials

Enable ACME automation for a certificate product in one of two ways:

  • From your Dashboard or My subscription page. When you select the Request a certificate action, you have the option to Automate with ACME.

  • Or, use the ACME credentials function from the CertCentral left main menu. This page lists any existing ACME credentials in your account and provides an Add ACME credentials button to create new ones.

Regardless of how you launch it, the workflow for adding ACME credentials works the same. We ask you some basic questions about the type of certificates you want to automate, generate the ACME credentials for you, and provide some information to help you start using them.

This guided ACME enablement workflow consists of three screens:

  1. Certificate settings: Configure settings to apply to certificates issued through these ACME credentials. Available settings depend on the certificate product and may include:

    • Organization: Select the organization for OV/EV certificates. First select Add organization and then choose one of your existing organizations or add a new one.

      Warning

      Any new organization you add must get validated before DigiCert can issue certificates for it. You will not be able to request certificates via ACME until this organization validation process is completed. If you need help, contact DigiCert Validation Support.

    • Primary contact: Verify the primary organization contact for the selected organization for OV/EV certificates.

    • Total coverage: For multi-year accounts, select the total coverage length for certificates. This provides a cost-effective way to keep a valid certificate installed over a longer time period, using ACME to automate the deployment.

    • Certificate validity: Select how long each individual certificate remains valid. You can choose 1 year, a custom validity length (up to 397 days), or set a custom expiration date.

  2. ACME credentials: At this point, we generate your new ACME credentials using the certificate settings you selected on the previous screen. You can use these same credentials on any of your servers where you need to install this type of certificate.

    The credentials include the URL to send certificate requests, the Key identifier (KID) that identifies your CertCentral account, and the HMAC key to use for authentication and encryption.

    Use the copy icon to copy your credentials and save them in a safe location.

    This information is required to get certificates from CertCentral via ACME. It only gets displayed once.

  3. Next steps: Finally, we provide some information and resources to help you start using your new ACME credentials. This includes general steps to follow, things to verify in your account, and links for more information.

Manage your ACME credentials

To list and manage any existing ACME credentials in your account, select ACME credentials from the CertCentral left main menu. From this page you can:

  • Select the tooltip next to the ACME credential names for details about the type of certificates you can request through each set of credentials.

  • Use the Revoke links on the right to revoke any of the ACME credentials. When you revoke, the ACME credentials get permanently disabled and can no longer be used by any ACME clients to request certificates.

Warning

Always store your ACME credentials in a secure location to prevent malicious actors from attempting to issue certificates for your domains.

If you ever lose your ACME credentials or suspect they have been compromised, revoke the existing ACME credentials immediately and add new ACME credentials to use.

What's next

To use your ACME credentials to request and automate certificates on your servers, install a third-party ACME client on each server.