
Use a third-party ACME client for host automations

With CertCentral, you can use your preferred third-party ACME client to automate certificate deployments and reduce your TLS administration overhead.

CertCentral's ACME implementation lets you automate both public and private OV and EV certificates for short validity or multi-year deployments. CertCentral also supports the Signed HTTP Exchange certificate profile option, so you can automate your Signed HTTP Exchange certificate deployments (see ACME Directory URLs for Signed HTTP Exchange certificates).

Comparison with CertCentral managed automation

Managed automation is CertCentral's turnkey automation solution. It lets you manage all your automations from the CertCentral web console and includes features to ensure that ACME and other software components are always kept updated.

When you use a third-party ACME client, you are working outside of the managed automation solution. You obtain basic credentials from CertCentral to procure certificates, but you must install and maintain your own ACME software and initiate automation actions locally on each of your systems.

Notice

To use the CertCentral managed automation solution, you must have it enabled for your account. If managed automation is not enabled, you will only see ACME Directory URLs and API Keys listed under the CertCentral Automation menu.

For third-party ACME clients, you will use the ACME Directory URLs function to configure automation options and obtain the credentials needed to procure DigiCert certificates.

Before you begin

CertCentral supports ACME for immediate issuance of OV and EV certificates only. Make sure the following prerequisites are met before you initiate any automation:

Warning

CertCentral performs all validation checks itself, independently of the ACME protocol. Every FQDN you request through ACME must already be prevalidated in the CertCentral platform, and that validation must be active and within the validation reuse period.

During an ACME automation event, the client still requests authorizations as the protocol requires, but the ACME challenges are not what validates the domain. All authorization checks are performed out of band by CertCentral's enterprise registration authority (RA) services, so being able to answer an HTTP or DNS challenge does not substitute for prevalidation.

Workflow

The following is the general workflow needed to automate DigiCert certificates with a third-party ACME client:

  1. Install the third-party ACME client software

    Download the ACME software from the third-party provider and install it on any systems that will act as automation clients.

  2. Configure the third-party ACME clients

    Follow the third-party provider's guidelines to configure the installed ACME software on each system.

  3. Create one or more ACME Directory URLs

    Define the allowed third-party ACME automations from the CertCentral ACME Directory URLs menu.

  4. Initiate automation events

    Finally, follow the third-party provider's guidelines and use the credentials obtained from the ACME Directory URLs menu to initiate certificate automation events on the ACME clients.

Install the third-party ACME client software

You can use any third-party automation client that supports the industry standard ACME protocol to procure certificates from CertCentral. For example, see EFF's Certbot.

Follow the software provider's guidelines to download and install the third-party ACME client. For example, the EFF provides an installation guide for their Certbot software.

You must install the ACME client software separately on each system that will run certificate automations.

Configure the third-party ACME clients

Configure the third-party ACME client software separately on each system that will run automations.

Follow the software provider's guidelines to determine the required configuration parameters. Make sure each ACME client can:

  • Connect outbound over HTTPS (TCP port 443).

  • Reach the public IP address 216.168.244.42 (acme.digicert.com); add it to any egress firewall allow list.

  • Resolve the fully qualified domain name (FQDN) of the local server, either via DNS or a local "hosts" file.
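The following is an added example, not code from the page or from any vendor tool, that runs those checks from Python on a host before you point an ACME client at CertCentral. It assumes the operator passes in the ACME Directory URL obtained from CertCentral and the host's own FQDN, treats 216.168.244.42 as the documented address for acme.digicert.com, and additionally fetches the directory document to confirm the endpoints that RFC 8555 requires (newNonce, newAccount, newOrder) are present, since that fetch is the first thing any ACME client does.

```python
"""Preflight checks for a host that will run a third-party ACME client
against CertCentral. Added example; not part of the original page or any
vendor tool. Assumed: the operator supplies the directory URL and the local
FQDN; 216.168.244.42 is the address the page lists for acme.digicert.com."""
import json
import socket
import ssl
import sys
from urllib.parse import urlparse
from urllib.request import urlopen

ACME_HOST = "acme.digicert.com"
ACME_IP = "216.168.244.42"
# Every ACME directory must expose these (RFC 8555, section 7.1.1).
REQUIRED_ENDPOINTS = ("newNonce", "newAccount", "newOrder")


def resolve_ipv4(name):
    """Sorted IPv4 addresses for name, or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def expected_ip_present(addresses, expected=ACME_IP):
    """True if the documented address is among the resolved ones."""
    return expected in addresses


def tls_handshake_ok(host, port=443, timeout=5.0):
    """True if TCP connect plus a certificate-verified TLS handshake succeed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def check_directory(directory_json):
    """Parse an ACME directory document.
    Returns (missing_required_endpoints, externalAccountRequired flag)."""
    doc = json.loads(directory_json)
    missing = [k for k in REQUIRED_ENDPOINTS if k not in doc]
    eab = bool(doc.get("meta", {}).get("externalAccountRequired", False))
    return missing, eab


def fetch_directory(directory_url, timeout=10.0):
    """GET the directory document as text (network access required)."""
    with urlopen(directory_url, timeout=timeout) as resp:
        return resp.read().decode()


def preflight(directory_url, local_fqdn):
    """Run every check; returns a dict of check name -> pass/fail."""
    host = urlparse(directory_url).hostname or ACME_HOST  # fallback is an assumption
    results = {}
    acme_addrs = resolve_ipv4(host)
    results["acme_host_resolves"] = bool(acme_addrs)
    results["acme_ip_as_documented"] = expected_ip_present(acme_addrs)
    results["tls_443_reachable"] = tls_handshake_ok(host)
    results["local_fqdn_resolves"] = bool(resolve_ipv4(local_fqdn))
    try:
        missing, _eab = check_directory(fetch_directory(directory_url))
        results["directory_complete"] = not missing
    except (OSError, ValueError):
        results["directory_complete"] = False
    return results


if __name__ == "__main__":
    # usage: python preflight.py <ACME directory URL> <this host's FQDN>
    url, fqdn = sys.argv[1], sys.argv[2]
    for name, ok in preflight(url, fqdn).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

A FAIL on acme_ip_as_documented with the other checks passing usually means the address has changed or the host sits behind a proxy; treat it as a prompt to re-check the egress rules rather than as a blocker, since the TLS check against the hostname is the authoritative one.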

Create one or more ACME Directory URLs

Use the CertCentral ACME Directory URLs function to configure automation options and obtain the credentials needed for your preferred ACME client to communicate with the DigiCert cloud:

  1. In your CertCentral account, in the left main menu, select Automation > ACME Directory URLs.

  2. From the ACME Directory URLs view, select Add ACME Directory URL.

  3. In the Add ACME Directory URL popup window, enter an easily identifiable Name for the URL.

  4. In the Product dropdown, select the certificate type you want to issue.

  5. In the Division dropdown, select a division to associate with certificates issued from this ACME Directory URL.

  6. In the Organization dropdown, select the prevalidated organization for the issued certificates.

  7. Select the Validity period for certificates issued from this ACME Directory URL:

    • For multi-year accounts only, first select your Multi-year coverage length from the dropdown.

    • Select the desired certificate Validity period option.

    • For a Custom length validity period, enter the desired number of Days.

  8. (Optional) To enable the Signed HTTP Exchange certificate profile option, expand Additional certificate options and select Include the CanSignHttpExchanges extension in the certificate. For more details about this option, see ACME Directory URLs for Signed HTTP Exchange certificates.

  9. Select Add ACME Directory URL.

  10. In the New ACME Directory URL popup window, copy your unique ACME URL along with the external account binding information (the key identifier and the HMAC key), and save it.

    This information is required for your ACME client to procure certificates from CertCentral. It only gets displayed once.

    After copying and saving it somewhere safe, select I understand I will not see this again to dismiss it.

Your new ACME Directory URL is added to the list of URLs on the ACME Directory URLs page:

  • For details about certificates issued via the ACME URL, select the information icon next to the URL Description.

  • To revoke the ACME URL credentials, select the Revoke link on the right.
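The external account binding values from step 10 are consumed by the client exactly as RFC 8555 section 7.3.4 describes: the client builds a JWS whose payload is its own ACME account public key, signed with HMAC-SHA256 using the CA-issued key and carrying the key identifier in the header, and embeds it in its newAccount request. The following added example (written for this page, not CertCentral's or any client's code) builds and verifies that JWS with the standard library only; the key identifier, HMAC key, account key and newAccount URL in it are constructed placeholders, not real credentials.

```python
"""Build and verify the External Account Binding (EAB) JWS that an ACME client
sends in its newAccount request (RFC 8555 section 7.3.4). Added example; it is
not CertCentral's or any client's code. The kid, HMAC key, account JWK and
newAccount URL below are constructed placeholders, not real credentials."""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # CA-issued HMAC keys are usually base64url without padding; accept both forms.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(kid: str, hmac_key_b64: str, account_jwk: dict, new_account_url: str) -> dict:
    """Return the EAB JWS in flattened JSON serialization.
    Unlike a normal ACME request JWS it carries no nonce, and its payload is the
    account's public key, bound to the CA-issued credential by the HMAC."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(account_jwk, sort_keys=True, separators=(",", ":")).encode())
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url_encode(mac)}


def verify_eab(eab: dict, hmac_key_b64: str, account_jwk: dict) -> bool:
    """Recompute the MAC and confirm the bound key is the one the client will use.
    This mirrors the CA-side check; a client can run it as a self-test."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    header = json.loads(b64url_decode(eab["protected"]))
    if header.get("alg") != "HS256" or "nonce" in header:
        return False
    return json.loads(b64url_decode(eab["payload"])) == account_jwk


def decode_protected(eab: dict) -> dict:
    """The protected header as a dict (handy for inspecting a built EAB)."""
    return json.loads(b64url_decode(eab["protected"]))


# Constructed sample inputs; none of these are real credentials or keys.
EXAMPLE_KID = "example-kid-0123"
EXAMPLE_HMAC_KEY = b64url_encode(b"\x01" * 32)  # CertCentral supplies the real value
NEW_ACCOUNT_URL = "https://acme.example.invalid/acme/new-account"  # placeholder
ACCOUNT_JWK = {  # placeholder P-256 public key in JWK form, not a real key
    "kty": "EC", "crv": "P-256",
    "x": b64url_encode(b"\x02" * 32),
    "y": b64url_encode(b"\x03" * 32),
}

if __name__ == "__main__":
    eab = build_eab(EXAMPLE_KID, EXAMPLE_HMAC_KEY, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    # The client places this object under "externalAccountBinding" in the
    # newAccount payload, which it then signs with its own account key.
    new_account = {"contact": ["mailto:pki@example.invalid"],
                   "termsOfServiceAgreed": True,
                   "externalAccountBinding": eab}
    print(json.dumps(new_account, indent=2))
    print("self-test:", verify_eab(eab, EXAMPLE_HMAC_KEY, ACCOUNT_JWK))
```

Because the HMAC key alone lets anyone bind a fresh account to your prevalidated organization, it deserves the same handling as a private key: keep it in a file readable only by the account that runs the client, and pass it to the client from that file rather than on a command line that ends up in shell history. Certbot, for instance, takes the two values through its --eab-kid and --eab-hmac-key options alongside --server for the directory URL.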

Warning

Store your ACME URL credentials in a secure location, with access restricted to the account that runs the ACME client, to prevent malicious actors from issuing certificates for your prevalidated domains.

If you ever lose your ACME URL credentials or suspect they have been compromised, revoke the existing ACME URL immediately and then create a new ACME URL to use.

When you revoke an ACME URL, the old credentials get permanently disabled and can no longer be used by any ACME clients to request certificates.

Initiate automation events

With your preferred third-party ACME client installed and configured, and an ACME Directory URL defined for it in CertCentral, you are ready to begin using the ACME client to procure DigiCert certificates.

For third-party ACME clients, automation actions must be initiated locally on each system. Follow the software provider's guidelines and use the credentials obtained from the ACME Directory URL that you set up in CertCentral.

For examples of initiating automation actions with the EFF Certbot client, see Automation examples with third-party ACME clients.