Use legacy CertCentral ACME credentials
On January 30, 2024, DigiCert released an updated CertCentral ACME service. ACME credentials created before this date do not support the following features:
ACME-based automation for DV certificates
Dynamic domain control validation checks via the ACME protocol
Automatic certificate action selection (enroll, renew, reissue, duplicate)
As a best practice, replace any legacy ACME credentials with new credentials to access these features.
Caution
When you request certificates using legacy ACME credentials, CertCentral handles all domain validation checks out-of-band and independent of the ACME protocol. The FQDN must be prevalidated in CertCentral and within the allowed reuse period. No authorization is performed by the ACME protocol itself during an automation event.
Replace your legacy ACME credentials
Legacy ACME credentials appear with a warning icon next to the Status column on the ACME Directory URLs page. A banner message appears above the table when your account contains legacy credentials.
On the ACME Directory URLs page, select the tooltip next to the Description column to verify the certificate product and settings for the legacy credentials.
Create ACME credentials for the same certificate product and settings.
Set up a third-party ACME client to use the new credentials.
Certbot examples for legacy credentials
To continue using legacy ACME credentials, make sure both the organization and domain are prevalidated in CertCentral. Contact DigiCert Validation Support if you need help.
For certificate actions other than new enrollments, append the order ID and action to the ACME URL as shown in the examples below.
Issue and install a certificate
On your web server, open a terminal session using SSH.
At the terminal prompt, enter the following command, replacing the placeholders as described in the table below:

```
sudo certbot --apache \
  --register-unsafely-without-email \
  --eab-kid={YOUR-KEY-IDENTIFIER} \
  --eab-hmac-key={YOUR-HMAC-KEY} \
  --server "{YOUR-ACME-URL}" \
  -d {FQDN}
```

Placeholder | Replace with |
|---|---|
| {YOUR-KEY-IDENTIFIER} | The EAB key identifier (KID) from your CertCentral ACME credentials |
| {YOUR-HMAC-KEY} | The EAB HMAC key from your CertCentral ACME credentials |
| {YOUR-ACME-URL} | The ACME directory URL from your CertCentral ACME credentials |
| {FQDN} | The fully qualified domain name to secure. Add an additional -d option for each FQDN. The first FQDN specified is used as the common name (CN) |
Accept the Terms of Service when prompted by entering A.
If the request includes an FQDN for which Certbot cannot find a matching virtual host, select the virtual host to install the certificate on. On Apache, check that the ServerName in the virtual host configuration matches the FQDN.
Select whether to redirect HTTP traffic to HTTPS. Redirecting disables HTTP access to your website.
CertCentral validates the domains and issues the certificate. Certbot installs the certificate on your web server. Visit your website to confirm the certificate is in place.
Notice
ACME error codes: ACME returns the same errors as those returned in the CertCentral API. For a list of error codes, see Errors.
Renew or reissue a certificate
Renew a certificate when it has expired or is due for renewal. Reissue a certificate when it is missing or has been revoked.
Append orderId and action to the ACME URL:
Renew example:
```
sudo certbot --apache --register-unsafely-without-email \
  --eab-kid=zcwmKf9sCnDUZsbCOgnv1ijy46l6UeEYCavSQQirl-g \
  --eab-hmac-key=RHZraHBXQUxWTEFGdFhndjRVNmV3S3F6c2VNZDM1QzRURGhjdHF3S1NublJjN3dhVUFObzA0SXJwVHBnU2xnRA \
  --server "https://acme.digicert.com/v2/acme/directory/?orderId=57718329&action=renew" \
  -d digicert.com -d www.digicert.com
```
Reissue example:
```
sudo certbot --apache --register-unsafely-without-email \
  --eab-kid=zcwmKf9sCnDUZsbCOgnv1ijy46l6UeEYCavSQQirl-g \
  --eab-hmac-key=RHZraHBXQUxWTEFGdFhndjRVNmV3S3F6c2VNZDM1QzRURGhjdHF3S1NublJjN3dhVUFObzA0SXJwVHBnU2xnRA \
  --server "https://acme.digicert.com/v2/acme/directory/?orderId=57718329&action=reissue" \
  -d digicert.com -d www.digicert.com
```
Notice
For multi-year plan accounts: renew a certificate when the order coverage is expiring. Reissue a certificate when it has been revoked or is expiring within the order coverage period.
Issue a duplicate certificate
Issue a duplicate certificate to install the same certificate across multiple servers. Duplicate certificates do not require DigiCert to revoke previous copies.
Duplicate example:
```
sudo certbot --apache --register-unsafely-without-email \
  --eab-kid=zcwmKf9sCnDUZsbCOgnv1ijy46l6UeEYCavSQQirl-g \
  --eab-hmac-key=RHZraHBXQUxWTEFGdFhndjRVNmV3S3F6c2VNZDM1QzRURGhjdHF3S1NublJjN3dhVUFObzA0SXJwVHBnU2xnRA \
  --server "https://acme.digicert.com/v2/acme/directory/?orderId=57718329&action=duplicate" \
  -d digicert.com -d www.digicert.com
```
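The enroll, renew, reissue and duplicate commands above differ only in the query string appended to the directory URL and in the FQDN list, so in practice they are usually driven from one wrapper. The following POSIX sh script is an added example, not DigiCert's or Certbot's own code: it builds the ?orderId=...&action=... URL, rejects an unknown action or a non-numeric order ID before Certbot contacts the CA, and reads the EAB key identifier and HMAC key from environment variables so that the secret is not typed into a shell history or pasted into a script under version control. The --apache plugin, the DigiCert directory URL and the action names are taken from this page; the environment variable names, the CERTBOT override used for dry runs and the /etc/certbot/digicert-eab.env path are assumptions for the example.

```shell
#!/bin/sh
# Added example (not DigiCert's or Certbot's own code): wrapper around the
# legacy-credential Certbot commands on this page. Assumed: EAB_KID and
# EAB_HMAC_KEY come from the environment, and CERTBOT may be overridden
# (e.g. CERTBOT=echo) to print the command line instead of running it.
set -eu

ACME_BASE="https://acme.digicert.com/v2/acme/directory/"

# build_acme_url BASE ORDER_ID ACTION
# A new enrollment uses the bare directory URL and ignores ORDER_ID; renew,
# reissue and duplicate append orderId and action as query parameters.
# Anything else is rejected here rather than being sent to the CA.
build_acme_url() {
    base=$1; order_id=$2; action=$3
    case "$action" in
        enroll)
            printf '%s\n' "$base"
            return 0 ;;
        renew|reissue|duplicate) ;;
        *)  printf 'build_acme_url: unknown action "%s"\n' "$action" >&2
            return 1 ;;
    esac
    case "$order_id" in
        ''|*[!0-9]*)
            printf 'build_acme_url: orderId must be numeric, got "%s"\n' "$order_id" >&2
            return 1 ;;
    esac
    printf '%s?orderId=%s&action=%s\n' "$base" "$order_id" "$action"
}

# run_certbot ACTION ORDER_ID FQDN [FQDN...]
# Expects EAB_KID and EAB_HMAC_KEY in the environment, for example exported
# from a root-only file such as /etc/certbot/digicert-eab.env (assumed path).
# The first FQDN becomes the common name, as noted on this page.
run_certbot() {
    action=$1; order_id=$2; shift 2
    [ "$#" -ge 1 ] || { echo "run_certbot: at least one FQDN is required" >&2; return 1; }
    : "${EAB_KID:?EAB_KID is not set}" "${EAB_HMAC_KEY:?EAB_HMAC_KEY is not set}"
    url=$(build_acme_url "$ACME_BASE" "$order_id" "$action") || return 1
    # Turn the remaining positional FQDNs into "-d FQDN" pairs (POSIX sh has
    # no arrays). After the loop "$@" is f1 .. fn -d f1 .. -d fn, so dropping
    # the first third leaves only the -d pairs.
    for fqdn in "$@"; do set -- "$@" -d "$fqdn"; done
    shift $(( $# / 3 ))
    "${CERTBOT:-certbot}" --apache --register-unsafely-without-email \
        --eab-kid="$EAB_KID" --eab-hmac-key="$EAB_HMAC_KEY" \
        --server "$url" "$@"
}

# Usage (assumed deployment):
#   . /etc/certbot/digicert-eab.env
#   CERTBOT_ACTION=renew CERTBOT_ORDER_ID=57718329 sh acme-legacy.sh example.com www.example.com
if [ -n "${CERTBOT_ACTION:-}" ]; then
    run_certbot "$CERTBOT_ACTION" "${CERTBOT_ORDER_ID:-0}" "$@"
fi
```

Keep the env file readable by root only (mode 0600): the HMAC key is still passed to Certbot as a command-line flag and is therefore visible in the process list for as long as Certbot runs, so what the wrapper buys you is keeping the secret out of shell history, cron entries and scripts in version control, not hiding it from other root processes. Running with CERTBOT=echo before a renewal shows the exact URL and FQDN list that will be sent.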
Certbot command options
Option | Description |
|---|---|
| --apache | Specifies the Apache Certbot plugin to install the certificate. Optional |
| --register-unsafely-without-email | Registers the Certbot ACME account without an email address. An email address is not needed because the order is tied to your CertCentral account. Optional |
| --server | Specifies the ACME server to fulfill the request. Place the ACME directory URL in double quotation marks |
| --eab-kid | The EAB key identifier (KID) from your CertCentral ACME credentials |
| --eab-hmac-key | The EAB HMAC key from your CertCentral ACME credentials, used to sign the external account binding in the account registration request |
| -d | The FQDN to include in the certificate. Add one -d option per FQDN |
| orderId | URL parameter: the order ID of the existing certificate |
| action | URL parameter: the action to perform on the certificate (renew, reissue, or duplicate) |
For a full list of Certbot options, run certbot --help or see the Certbot documentation.
What's next
ACME automation actions and URL parameters: control certificate lifecycle actions for existing orders using URL parameters