CertCentral managed deployment options

CertCentral managed automation supports three deployment scenarios. Select the option that matches your environment and infrastructure.

ACME agent-based automation

Choose this option if:

  • You want scalable and centralized management in CertCentral

  • You want easy installation and configuration with a built-in ACME client

  • You need flexibility to use with custom applications

  • You need automatic validation that the certificate was received and installed

  • You need API integration for custom workflows

Use the ACME agent for standard hosts such as web servers. The ACME agent is a lightweight piece of software installed directly on each certificate host. It uses the industry-standard ACME protocol to manage certificates on the host.

The ACME agent:

  • Supports Microsoft IIS, Apache HTTP Server, Apache Tomcat, Nginx, and IBM HTTP Server

  • Uses a pull communications model with no firewall changes required

  • Keeps itself up to date automatically after installation

  • Can connect through a DigiCert sensor as proxy for hosts that cannot connect directly

Each host requires a separate ACME agent installation.

Sensor-based automation

Use the sensor for proprietary network appliances such as load balancers. The sensor is installed on a dedicated host on the network and uses API calls to remotely manage certificates on one or more appliances. It is not possible to install the ACME agent directly on a network appliance.

The sensor:

  • Supports F5 BIG-IP LTM, Citrix ADC, A10, Amazon ELB, and CloudFront

  • Can manage multiple appliances from a single installation

  • Can act as a proxy for ACME agents to provide automation failover

  • Keeps itself up to date automatically after installation

The same sensor and agent software used for automation is also used by the Discovery service. If sensors or agents are already installed for Discovery, they can be reused for automation.

Third-party ACME client automation

Choose this option if:

  • You already have an ACME client such as Certbot installed and configured

  • Your deployment scale is limited and you can manage endpoints one by one

  • You prefer to initiate automation actions locally on each certificate host

  • You need to automate certificates from the local command-line interface (CLI)

Use a third-party ACME client such as EFF Certbot or Kubernetes cert-manager instead of the DigiCert native ACME agent. Third-party ACME clients must be downloaded and installed separately on each host.

Notice

Third-party ACME clients have the following limitations compared to the native ACME agent:

  • No support for proprietary network appliances such as load balancers

  • No automated software updates. Each client must be maintained manually

  • No centralized management. Automation events must be initiated locally on each client

  • May require additional network and firewall changes

DigiCert recommends third-party ACME clients only for smaller deployments, or for clients such as Kubernetes cert-manager that natively support high-volume automation from a centralized location.
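As an added example, not taken from the DigiCert documentation or from DigiCert's own software, the following cert-manager configuration shows what the centralized third-party client setup mentioned above looks like in practice: a ClusterIssuer that points cert-manager at an ACME directory, and a Certificate that cert-manager issues and renews from it without any per-host action. The ACME directory URL, the External Account Binding (EAB) key ID and HMAC secret, the ingress class and the hostnames are placeholders; whether your ACME endpoint requires EAB, and its exact directory URL, come from your CertCentral account, so the EAB block is an assumption to confirm before use.

```yaml
# Added example for a third-party ACME client (cert-manager); not DigiCert code.
# Placeholders: ACME_DIRECTORY_URL_PLACEHOLDER, EAB_KEY_ID_PLACEHOLDER,
# EAB_HMAC_KEY_PLACEHOLDER, ingress class and hostnames.
apiVersion: v1
kind: Secret
metadata:
  name: acme-eab-hmac               # assumed name; holds the EAB HMAC key
  namespace: cert-manager
type: Opaque
stringData:
  secret: "EAB_HMAC_KEY_PLACEHOLDER" # base64url HMAC key issued by the CA account (placeholder)
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: certcentral-acme            # assumed name
spec:
  acme:
    # ACME directory URL from your CertCentral account (placeholder, not a real URL)
    server: https://ACME_DIRECTORY_URL_PLACEHOLDER/directory
    email: pki-admin@example.com    # contact address (constructed)
    privateKeySecretRef:
      name: certcentral-acme-account-key   # cert-manager generates and stores the ACME account key here
    # External Account Binding ties the ACME account to the CA account.
    # Assumption: the endpoint requires EAB; drop this block if yours does not.
    externalAccountBinding:
      keyID: "EAB_KEY_ID_PLACEHOLDER"
      keySecretRef:
        name: acme-eab-hmac
        key: secret
    solvers:
      # HTTP-01: the CA must be able to reach port 80 on the ingress for each name
      # being validated, which is the kind of firewall change the Notice above refers to.
      - http01:
          ingress:
            ingressClassName: nginx  # assumed ingress class
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www-example-com             # constructed
  namespace: web
spec:
  secretName: www-example-com-tls   # Secret that receives the key, certificate and chain
  duration: 2160h                   # 90 days; assumed lifetime of the issued certificate
  renewBefore: 720h                 # start renewal 30 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always          # generate a fresh key on every renewal
  dnsNames:
    - www.example.com
  issuerRef:
    name: certcentral-acme
    kind: ClusterIssuer
```

Apply with `kubectl apply -f` and cert-manager handles ordering, validation and renewal inside the cluster, which is why this kind of client copes with high volume despite the "no centralized management" limitation: the centralization lives in the cluster rather than in CertCentral. What you do not get is the native agent's confirmation back to CertCentral that the certificate was received and installed, so monitor the Certificate resource's Ready condition and the Secret's expiry yourself.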

A complete automation deployment typically involves a mix of ACME agents on standard hosts and sensors managing network appliances.

What's next

Review the CertCentral automation menus to understand the automation interface before beginning setup.