
Create ACME-based certificate profiles

ACME-based certificate profiles define specific types of certificates you can issue and manage using the ACME protocol. Each profile has associated credentials that ACME clients and ACME-enabled platforms can use to request that type of certificate from DigiCert® Trust Lifecycle Manager:

  • ACME Directory URL: URL for requesting certificates from Trust Lifecycle Manager via ACME.

  • Key identifier (KID): Identifies a specific ACME-based profile to issue certificates from.

  • HMAC key: Authenticates the ACME client when creating an account on the ACME server, linking the account to a specific ACME-based certificate profile.

Available base templates

Create an ACME-based certificate profile

To create an ACME-based certificate profile in Trust Lifecycle Manager:

  1. From the Trust Lifecycle Manager menu, go to Policies > Certificate profiles.

  2. Select the Create profile from template button.

  3. Select one of the base templates in the preceding table as the basis for creating the ACME-based profile.

  4. Work through the profile creation wizard, focusing on the ACME-related options described below and making other selections for your business needs. After filling out each screen, select Next to move to the next screen.

    •  Under Primary options:

      • Connector: If the template you selected requires a CA connector, select the specific connector to use.

      • Issuing CA: Select the certificate authority (CA) that will issue the certificates.

      • Enrollment method: Select 3rd-party ACME client.

    • Under Certificate options and Extensions (if applicable), configure certificate properties including validity lengths.

    • Under Additional options and Advanced settings (if applicable), configure email communications settings for certificate lifecycle event notifications, and optional metadata to help identify and manage certificates issued from this profile.

    • Applicable wizard screens and options depend on your starting template and the selections you make on each screen.

  5. On the final wizard screen, select Create to save the new certificate profile and generate the ACME credentials for it. The ACME URL and EAB credentials popup window launches, showing the following fields:

    • ACME Directory URL: Base URL to use for requesting certificates via ACME. For hosted DigiCert ONE accounts, this should be https://one.digicert.com/mpki/api/v1/acme/v2/directory

    • KID: The key identifier associated with your new ACME-based certificate profile.

    • HMAC key: Used to authenticate ACME clients during account creation on the Trust Lifecycle Manager ACME server, linking each ACME account to the specific profile used for issuing certificates.

  6. Copy your unique external account binding (EAB) credentials and store them somewhere safe. You can use the "copy" icon next to each field to copy it into your clipboard or select the Copy all button to copy them all at once.

  7. After copying the new ACME credentials, select Close to dismiss the popup window.

Note

When you create an ACME-based certificate profile, the ACME credentials for it are displayed only once. There is no way to retrieve this information once you have navigated away from it. If you ever lose your ACME credentials, you will need to regenerate the ACME credentials for that profile.

What's next

Use your preferred ACME client to automate certificate management on your web servers, issuing certificates from the ACME-based certificate profiles you created in Trust Lifecycle Manager. To learn more, see Request and manage certificates with ACME.