Set up a third-party ACME client
Configure a third-party ACME client to request and manage certificates from CertCentral. Third-party ACME clients must be downloaded and installed separately on each host outside of CertCentral.
Before you begin
ACME credentials must be generated in CertCentral before configuring the third-party client. See Create and manage ACME credentials.
The third-party ACME client must be installed on each host where certificate automation will run.
Connect outbound to HTTPS (port 443) on the following DigiCert hosts:
one.digicert.com (USA region)
one.nl.digicert.com (Europe region)
Resolve fully qualified domain names (FQDNs) for your servers, either via DNS or through a local "hosts" file.
For Enterprise and Partner accounts, confirm which division the ACME credentials are associated with.
Prevalidate organizations for any OV/EV certificate products you want to manage through ACME.
Caution
ACME requests for OV/EV certificates fail when the organization is not validated. The certificate must then be downloaded and installed manually. Verify that the OV/EV product appears in the Validated for column on the Certificates > Organizations page before requesting that type of certificate through ACME. Contact DigiCert Validation Support if you need help validating your organization.
Enable automatic certificate request approvals (applicable to Enterprise/non-subscription accounts only; Subscription accounts do not require this setting).
By default, ACME requests will fail if automatic approvals are not enabled. See Enable automatic certificate request approvals for instructions.
Notice
For Enterprise, Partner, and Legacy accounts, ACME credentials are managed at Automation > ACME Directory URLs.
For Subscription accounts, ACME credentials are managed at Automation > ACME.
Domain validation
Domain validation behavior depends on the certificate type and whether the domain is prevalidated in CertCentral:
Caution
Domain validation for OV/EV certificates works differently when using ACME credentials created before January 30, 2024. For details, see Use legacy CertCentral ACME credentials.
For DV certificates, CertCentral always performs domain control validation checks dynamically through the ACME protocol.
For OV/EV certificates with a prevalidated domain, CertCentral performs domain validation checks out-of-band and independent of the ACME protocol.
For OV/EV certificates with a domain that is not prevalidated, CertCentral performs domain control validation checks dynamically through the ACME protocol.
Configure the third-party ACME client
The general configuration workflow for any supported third-party ACME client is as follows:
Install the third-party ACME client software on the host. Use any ACMEv2-compliant client such as Certbot or win-acme.
Configure the client with the following values from CertCentral:
The regional ACME directory URL
The External Account Binding (EAB) key identifier (KID)
The External Account Binding (EAB) HMAC key
Configure the client to request the appropriate challenge type (HTTP-01 or DNS-01).
Initiate a certificate request through the client.
For client-specific installation and configuration instructions, refer to the software provider's documentation.
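To show what the client does with the EAB KID and HMAC key from step 2, here is an added Python illustration (not DigiCert's or Certbot's code) that builds the externalAccountBinding object an ACMEv2 client attaches to its newAccount request (RFC 8555 section 7.3.4) and checks it the way the CA side does. The KID, HMAC key, account JWK and newAccount URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders: the real KID and HMAC key come from CertCentral (Automation > ACME),
# the newAccount URL from your regional ACME directory document.
EAB_KID = "EXAMPLE-KEY-IDENTIFIER"
EAB_HMAC_KEY = base64.urlsafe_b64encode(b"\x01" * 32).rstrip(b"=").decode()
NEW_ACCOUNT_URL = "https://one.digicert.com/EXAMPLE-DIRECTORY/newAccount"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "EXAMPLE-X", "y": "EXAMPLE-Y"}

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS components require (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding stripped from the HMAC key."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_eab(kid: str, hmac_key_b64: str, new_account_url: str, account_jwk: dict) -> dict:
    """Build the externalAccountBinding JWS the client sends (RFC 8555 section 7.3.4)."""
    # Protected header names the CA-issued KID; the payload is the client's own account
    # public key; the MAC is HMAC-SHA256 under the CA-issued key, binding key to account.
    protected = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}

def verify_eab(eab: dict, hmac_key_b64: str, kid: str, new_account_url: str, account_jwk: dict) -> bool:
    """Check an EAB as the CA does: header fields, bound account key and MAC must all match."""
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
        payload = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError):
        return False
    if protected != {"alg": "HS256", "kid": kid, "url": new_account_url} or payload != account_jwk:
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(signature, expected)  # constant-time comparison

if __name__ == "__main__":
    eab = build_eab(EAB_KID, EAB_HMAC_KEY, NEW_ACCOUNT_URL, ACCOUNT_JWK)
    print(json.dumps({"termsOfServiceAgreed": True, "externalAccountBinding": eab}, indent=2))
```

The outer newAccount JWS, signed with the account's private key, is omitted here; the point is that a wrong KID, a wrong HMAC key, or a swapped account key each cause the binding check to fail.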
Configure Certbot for CertCentral
Use the following Certbot command syntax to request a certificate from CertCentral:
sudo certbot --apache \
  --register-unsafely-without-email \
  --eab-kid=YOUR-KEY-IDENTIFIER \
  --eab-hmac-key=YOUR-HMAC-KEY \
  --server "YOUR-ACME-DIRECTORY-URL" \
  -d YOURDOMAIN.COM
Replace YOUR-KEY-IDENTIFIER, YOUR-HMAC-KEY, YOUR-ACME-DIRECTORY-URL, and YOURDOMAIN.COM with the values from your CertCentral account.
Notice
The example above applies to OV/EV certificates with prevalidated domains. For DV certificates or OV/EV certificates with domains that are not prevalidated, see Issue and install a certificate for Apache using HTTP-01 and Issue and install a certificate for NGINX using DNS-01.
What's next
Review ACME automation actions and URL parameters to manage existing certificate orders, including renewal, reissuance, and duplication, through the ACME client.