ACME Directory URLs for Signed HTTP Exchange certificates

Generate a unique ACME Directory URL for your Signed HTTP Exchange certificate in your CertCentral account. You'll need the "Signed HTTP Exchange" ACME Directory URL in your Certbot certificate request command.

Before you begin

Before creating the ACME Directory URL for your Signed HTTP Exchange certificate, make sure these prerequisites are met:

  • Domain's CAA resource record is set up properly

  • Signed HTTP Exchange certificate profile option is enabled for your account

Create an ACME Directory URL for Signed HTTP Exchange certificates

  1. In your CertCentral account, in the left main menu, select Automation > ACME Directory URLs.

  2. On the ACME Directory URLs page, select Add ACME Directory URL.

  3. In the Add ACME Directory URL popup window, enter an easily identifiable Name for this URL.

  4. In the Product dropdown, select the OV or EV TLS/SSL certificate type you want to issue with the CanSignHttpExchanges extension.

    Note

    Currently, the CanSignHttpExchanges extension can only be included in OV and EV TLS/SSL certificates.

  5. In the Division dropdown, select a division to associate with certificates issued from this ACME Directory URL.

  6. In the Organization dropdown, select the prevalidated Organization for the issued certificates.

  7. Under Validity period, select Custom length. In the Days box, enter a number from 1 to 90.

    Note

    Per industry standards, certificates that include the Signed HTTP Exchange extension have a 90-day maximum validity limit.

  8. Expand Additional Certificate Options. Under Certificate profile options, select Include the CanSignHttpExchanges extension in the certificate.

  9. Select Add ACME Directory URL.

  10. In the New ACME Directory URL popup window, copy your unique ACME URL along with the external account binding information, and save it. Use this URL to request your certificate using your ACME client.

    This information is required for your ACME client to procure certificates from CertCentral. It only gets displayed once.

    After copying and saving it somewhere safe, select I understand I will not see this again to dismiss it.

    Important

    When you generate an ACME Directory URL, it is displayed only once. There is no way to retrieve a lost ACME URL. If you ever lose an ACME URL, you need to revoke the lost URL and generate a new one.

What's next?

Your new ACME Directory URL is added to the list of URLs on the ACME Directory URLs page (in the sidebar menu, select Automation > ACME Directory URLs).

For details about certificates you can order via the ACME Directory URL, select the information icon next to the URL Description.

Notice

Before using your ACME client to order your TLS/SSL certificate with the CanSignHttpExchanges extension, make sure you've set up your domain's CAA resource record. You also need to create an ECC CSR for your "Signed HTTP Exchange" certificate order.
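The checks in the notice and in step 7 can be scripted before the order is placed. The script below is an added example, not DigiCert's own tooling. It assumes the CAA issuer name digicert.com, the cansignhttpexchanges=yes CAA parameter from the Signed HTTP Exchanges draft, a P-256 curve for the ECC CSR, and placeholder values for the directory URL, key ID and file names.

```shell
#!/usr/bin/env bash
# Pre-flight checks before an ACME order for a Signed HTTP Exchange certificate.
# Every URL, key ID and record below is a constructed placeholder.

# caa_allows_sxg ISSUER: reads CAA records ("dig +short CAA" format) on stdin;
# succeeds only if an "issue" record names ISSUER with cansignhttpexchanges=yes.
caa_allows_sxg() {
  issuer=$1
  while read -r _flags tag value; do
    [ "$tag" = "issue" ] || continue
    value=$(printf '%s' "$value" | tr -d '" ')
    case "$value" in "$issuer;"*) ;; *) continue ;; esac
    case ";${value#*;};" in *";cansignhttpexchanges=yes;"*) return 0 ;; esac
  done
  return 1
}

# valid_days N: the Validity period form accepts 1 to 90 days for this profile.
valid_days() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 90 ]
}

# make_ecc_csr DOMAIN: writes DOMAIN.key (owner-only) and DOMAIN.csr with openssl.
# prime256v1 is an assumption; the page only asks for an "ECC CSR".
make_ecc_csr() {
  ( umask 077 && openssl ecparam -genkey -name prime256v1 -noout -out "$1.key" ) &&
    openssl req -new -key "$1.key" -subj "/CN=$1" -out "$1.csr"
}

# certbot_cmd DIR_URL EAB_KID HMAC_FILE CSR: prints the Certbot command to run.
# The HMAC key is read from a file at run time so it stays out of shell history.
# No authenticator plugin is chosen here; Certbot prompts for one.
certbot_cmd() {
  printf 'certbot certonly --server %s --eab-kid %s --eab-hmac-key "$(cat %s)" --csr %s\n' \
    "$1" "$2" "$3" "$4"
}

# Constructed sample of "dig +short CAA example.com" output.
SAMPLE_CAA='0 issue "digicert.com; cansignhttpexchanges=yes"
0 issue "letsencrypt.org"'

if printf '%s\n' "$SAMPLE_CAA" | caa_allows_sxg digicert.com && valid_days 90; then
  certbot_cmd "https://acme.example.invalid/PLACEHOLDER/directory" \
    PLACEHOLDER_KID ./eab-hmac.key example.com.csr
fi
```

For a real domain, pipe `dig +short CAA yourdomain` into `caa_allows_sxg` and call `make_ecc_csr` before running the printed command.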