Skip to main content

Enterprise and non-subscription accounts

You need ACME credentials in CertCentral to automate your certificate deployments using third-party ACME clients like Certbot.

Each set of ACME credentials defines a particular type of certificate you can request, including the:

  • Certificate product

  • Organization

  • Division

  • CertCentral order length

  • Certificate validity length

  • Certificate extensions and other options

The ACME credentials provide the URL and External Account Binding (EAB) credentials for requesting certificates:

  • Key identifier (KID) to identify your CertCentral account.

  • HMAC key for authentication and encryption.

Note

Instructions here are specific to CertCentral Enterprise accounts or any other type of account that does not include a CertCentral subscription. If you have an active CertCentral subscription, see: Subscription accounts

Add ACME credentials

Follow these steps to add a new set of ACME credentials in CertCentral.

  1. In your CertCentral account, in the left main menu, select Automation > ACME Directory URLs.

  2. Select the option to Add ACME Directory URL at top.

  3. Fill out the modal to configure the new ACME credentials, as described below. Options vary by your account settings and the certificate product you select.

    • Name: Enter a friendly name for this set of credentials.

    • Product: Select the certificate product you want to request through these credentials.

    • Division: Select a division to associate with issued certificates.

    • Organization: Select the organization for OV/EV certificates.

    • Multi-year coverage length: For multi-year accounts, select the total order length.

    • Validity period: Select the validity period for certificates issued through these credentials. If you opt for a custom validity length, enter the number of days certificates should remain valid for.

    • Additional certificate options: Select any additional options for the certificates, such as the CanSignHttpExchanges extension.

  4. When you're ready, select the Add ACME Directory URL button at bottom to generate the new ACME credentials for your selected certificate options.

  5. In the New ACME Directory URL modal that comes up, copy the unique ACME URL and External Account Binding (EAB) credentials, and save them in a secure location. This information is required for your ACME client to get certificates from CertCentral. It only gets displayed once.

    After copying and saving somewhere, select I understand I will not see this again to dismiss the modal.

Warning

If you ever lose your ACME credentials or suspect they have been compromised, you should revoke them right away for security reasons. See Manage your ACME credentials below for more information.

ACME credentials for Signed HTTP Exchanges certificates

You can use the CertCentral ACME service to get certificates with the Signed HTTP Exchanges extension.

Before you begin

  • The Signed HTTP Exchange certificate profile option must be enabled for your account.

  • Each domain must have a CAA DNS record with the cansignhttpexchanges=yes parameter.

ACME settings

Follow the standard steps to add the ACME credentials, using the following settings to enable the CanSignHttpExchanges extension in certificates issued through the ACME credentials:

  • Product: Select an OV or EV certificate product. Currently, the CanSignHttpExchanges extension is only supported for OV or EV certificates.

  • Validity period: Select Custom length and enter a number from 1 to 90 days. Certificates with the CanSignHttpExchanges extension have a 90-day maximum validity limit.

  • Additional certificate options: Expand this section and select the checkbox to Include the CanSignHttpExchanges extension in the certificate.

After making your selections, select the Add ACME Directory URL button to generate the new ACME credentials. Use the provided URL and EAB credentials to send ACME requests for certificates with the Signed HTTP Exchanges extension and other settings you selected.

Manage your ACME credentials

The ACME Directory URLs page in CertCentral lists all the existing ACME credentials in your account. From here you can:

  • Select the tooltip next to the ACME credential names for details about the type of certificates you can request through each set of credentials.

  • Use the Revoke links on the right to revoke any of the ACME credentials. When you revoke, the ACME credentials get permanently disabled and can no longer be used by any ACME clients to request certificates.

Warning

Always store your ACME credentials in a secure location to prevent malicious actors from attempting to issue certificates for your domains.

If you ever lose your ACME credentials or suspect they have been compromised, revoke the existing ACME credentials immediately and add new ACME credentials to use.

What's next

To use your ACME credentials to request and automate certificates on your servers, install a third-party ACME client on each server.