ACME automation actions and URL parameters

Control certificate lifecycle actions for existing orders by appending action parameters to the ACME directory URL. This allows third-party ACME clients to renew, reissue, or duplicate existing certificate orders rather than enrolling new certificates.

Default enrollment behavior

By default, when a third-party ACME client submits a request and no matching order exists, CertCentral treats the request as a new certificate enrollment.

Specify a lifecycle action using URL parameters

To perform a specific lifecycle action on an existing order, append the following parameters to the ACME directory URL:

Parameter	Value	Purpose
`action`	`enroll`	Forces the ACME request to be treated as a new enrollment, regardless of whether a matching existing order is found. Append ?action=enroll to the ACME directory URL.
`action`	`renew`	Renew an existing certificate order
`action`	`reissue`	Reissue an existing certificate order
`action`	`duplicate`	Request a duplicate of an existing certificate
`orderId`	The existing order ID	Identify the order to act on

voorbeeld 1. Example — enroll the ACME directory URL

Use this parameter when CertCentral would otherwise detect an existing order and trigger a renewal or reissue instead of creating a new certificate order.

https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=enroll

voorbeeld 2. Example — renewing an existing certificate:

https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=renew&orderId=555123456

voorbeeld 3. Example — request a duplicate certificate:

https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=duplicate&orderId=555345678

Notice

The certificate profile associated with the ACME credentials must allow the requested action. For example, duplicate requests require the profile to have duplicates enabled.

Auto-detection rules for matching existing orders

When action and orderId parameters are omitted, CertCentral auto-detects the applicable order using the following rules:

The existing order must have been issued through ACME
The product name, common name, and SANs must match the existing order
For wildcard orders: requested domains can be subdomains of an existing order and SANs can be added or removed
For non-wildcard orders: common name and SANs must exactly match the original order
If multiple orders match, CertCentral selects the one with the longest validity and a matching product type
If no matching order is found, the request is treated as a new enrollment

Default actions applied by auto-detection

When CertCentral detects an existing order and no action parameter is specified:

Standard plans: CertCentral renews the certificate if it is within the renewal window
Multi-year plans: CertCentral reissues the certificate to use remaining plan coverage

What's next

To generate ACME credentials and complete domain validation for certificate issuance: Automate certificate issuance using ACME to set up ACME credentials, configure challenge types, and complete domain control validation
To identify unmanaged certificates and bring them under automated lifecycle management: Discover certificates to enable lifecycle automation to identify unmanaged certificates and bring them under automated lifecycle management

In deze sectie: