Sample ACME implementation
This sample shows an ACME implementation using certbot.
Prerequisites
An ACME profile in your DigiCert® Private CA
Certbot
OpenSSL
Initial setup
Install and configure Certbot on the client system where certificate enrollment will be performed.
Register an ACME account
Register an ACME account for DigiCert Private CA. An ACME account is required before you can request, renew, revoke certificates, or manage orders via an ACME client.
STEP 1: Gather the prerequisites
The ACME directory URL
External account binding key identifier
External account binding HMAC key
STEP 2: Run the registration command
certbot register \
  --non-interactive \
  --agree-tos \
  --register-unsafely-without-email \
  --no-verify-ssl \
  --server "https://<ca-server>/certificate-authority/api/v1/acme/directory" \
  --eab-kid "<KID>" \
  --eab-hmac-key "<HMAC>"
Where:
--server is the ACME directory URL from the ACME profile.
--eab-kid is the Key identifier from the ACME profile.
--eab-hmac-key is the HMAC key from the ACME profile.
--no-verify-ssl disables verification of the CA server's TLS certificate, so Certbot accepts whatever certificate the server presents; it is only needed when the CA server's certificate does not chain to a root trusted by the client.
Result:
A new ACME account is created and associated with the provided EAB credentials. The ACME account can now be used to request and manage certificates.
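To show how the EAB key identifier and HMAC key above are actually used on the wire, here is an added example (not certbot's or DigiCert's own code) that builds and verifies the external account binding JWS defined in RFC 8555 section 7.3.4. The KID, HMAC key, account JWK and newAccount URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    # base64url without padding, as ACME requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def canonical_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")

def build_eab_jws(kid: str, hmac_key_b64url: str, account_jwk: dict, new_account_url: str) -> dict:
    # RFC 8555 section 7.3.4: the protected header carries the EAB key identifier,
    # alg HS256 and the newAccount URL (no nonce); the payload is the ACME account's
    # public key as a JWK; the MAC key is the base64url-decoded HMAC key from the CA
    protected = b64url(canonical_json({"alg": "HS256", "kid": kid, "url": new_account_url}))
    payload = b64url(canonical_json(account_jwk))
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}

def verify_eab_jws(jws: dict, hmac_key_b64url: str) -> bool:
    # What the CA does with the binding: recompute the MAC over the received
    # protected.payload and compare it in constant time
    signing_input = f"{jws['protected']}.{jws['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(jws["signature"]))

def protected_header(jws: dict) -> dict:
    return json.loads(b64url_decode(jws["protected"]))

# Constructed placeholders: real values come from the ACME profile (kid, HMAC key),
# the ACME directory (newAccount URL) and the client's own account key (JWK)
SAMPLE_KID = "<KID>"
SAMPLE_HMAC_KEY = b64url(b"constructed-sample-hmac-key-bytes")
SAMPLE_NEW_ACCOUNT_URL = "https://<ca-server>/<newAccount-url-from-directory>"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "<base64url-x>", "y": "<base64url-y>"}

if __name__ == "__main__":
    eab = build_eab_jws(SAMPLE_KID, SAMPLE_HMAC_KEY, SAMPLE_JWK, SAMPLE_NEW_ACCOUNT_URL)
    # The client embeds this object as "externalAccountBinding" in the newAccount
    # payload, which it then signs with its account key as the outer ACME JWS
    print(json.dumps(eab, indent=2), verify_eab_jws(eab, SAMPLE_HMAC_KEY))
```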
Enroll a client certificate
Enroll a new client certificate using the ACME protocol.
STEP 1: Generate a private key and CSR
Generate a private key and a Certificate Signing Request (CSR) using OpenSSL:
openssl req -new -newkey rsa:2048 -nodes \
  -keyout client.key \
  -out client.csr \
  -subj "/CN=client.example.com"
Where:
-keyout is the file that receives the new private key matching your CSR.
-out is the CSR file which contains your certificate signing request.
-subj sets the certificate subject, here the common name of your client system.
STEP 2: Run the enrollment command
Replace the placeholders with your actual values:
certbot certonly \
  --register-unsafely-without-email \
  --standalone \
  --no-verify-ssl \
  --http-01-port 1983 \
  --server "https://<ca-server>/certificate-authority/api/v1/acme/directory" \
  --eab-kid "C64FDB72BDA7A46BF76249CDB246BBD7" \
  --eab-hmac-key "kXXePK5zM5sE_4xBJ9AQpbbX9FFUOUU3a_pABCyPyXl9" \
  --csr client.csr
Where:
--server is the ACME directory URL from the ACME profile.
--eab-kid is the Key identifier from the ACME profile.
--eab-hmac-key is the HMAC key from the ACME profile.
--csr is the certificate signing request file created in the previous step.
Result:
The issued certificate is generated and saved to the output location configured in Certbot.
Renew a client certificate
Renew an existing client certificate using the ACME protocol.
ACME certificate renewal is performed by submitting a new certificate order using the same ACME account that was used for the original enrollment.
STEP 1: Prepare for renewal
Ensure that you use:
The same ACME directory URL
The same ACME account
A new or updated certificate signing request (CSR)
STEP 2: Run the renewal command
Run the ACME enrollment command again.
certbot certonly \
  --non-interactive \
  --agree-tos \
  --register-unsafely-without-email \
  --standalone \
  --no-verify-ssl \
  --http-01-port 1983 \
  --server "https://<ca-server>/certificate-authority/api/v1/acme/directory" \
  --csr renewed_client.csr
Where:
--server is the ACME directory URL from the ACME profile.
--csr is the updated CSR file.
Result:
A new certificate is issued to replace the existing certificate. The renewed certificate has a new validity period based on the profile configuration.
Renew a client certificate using ACME Renewal Information (ARI)
DigiCert Private CA supports ACME Renewal Information (ARI) as part of the ACME renewal workflow.
If your ACME client supports ARI, it automatically retrieves renewal information from DigiCert Private CA (the ACME server). No additional flags or configuration are required.
STEP 1: Gather the prerequisites
The ACME directory URL for your ACME profile
An active ACME account associated with that profile
An existing ACME-issued certificate enrolled using DigiCert Private CA
An ACME client configured to use the same account and configuration directories used during enrollment
STEP 2: Run the standard ACME renewal command
The client uses renewal information provided by the ACME profile in DigiCert Private CA to decide when to initiate renewal.
certbot renew \
  --non-interactive \
  --no-verify-ssl \
  --http-01-port 1983 \
  --server "https://<ca-server>/certificate-authority/api/v1/acme/directory" \
  --config-dir "./acme-config" \
  --work-dir "./acme-work" \
  --logs-dir "./acme-logs"
Where:
--server is the ACME directory URL from the ACME profile.
--config-dir, --work-dir and --logs-dir are the Certbot directories used during the original enrollment.
The command uses the same ACME account created during initial enrollment; the certificate and account metadata stored in the configuration directory are reused.
Results:
A new ACME order is created.
A new certificate is issued to replace the existing certificate.
The renewed certificate has a new validity period.
The existing certificate remains valid until it expires.
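As an added illustration of what an ARI-capable client does behind the renew command above (example code written for this page, not certbot's or DigiCert's own), the block below builds the RFC 9773 certificate identifier from the certificate's Authority Key Identifier and serial number, forms the renewalInfo URL from the ACME directory, and uses the server's suggested window to decide whether renewal is due. The directory URL, AKI, serial and renewalInfo response are constructed sample values.

```python
import base64
import random
from datetime import datetime, timedelta, timezone

def b64url(data: bytes) -> str:
    # base64url without padding, as ACME and ARI require
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def der_integer_content(n: int) -> bytes:
    # Content octets of a DER INTEGER (no tag/length): minimal big-endian two's
    # complement, so a leading 0x00 is kept when the high bit of the serial is set
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    # RFC 9773 certificate identifier: base64url(AKI keyIdentifier) "." base64url(serial)
    return f"{b64url(aki_key_identifier)}.{b64url(der_integer_content(serial))}"

def renewal_info_url(directory: dict, cert_id: str) -> str:
    # ARI is advertised as "renewalInfo" in the ACME directory; the client GETs <it>/<cert_id>
    return f"{directory['renewalInfo']}/{cert_id}"

def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)

def parse_time(value: str) -> datetime:
    # RFC 3339 "Z" suffix is not accepted by fromisoformat before Python 3.11
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def pick_renewal_time(renewal_info: dict, now: datetime, seed=None) -> datetime:
    # Uniformly random instant inside suggestedWindow, so a fleet of clients does
    # not all renew at the same second; if the window already closed, renew now
    window = renewal_info["suggestedWindow"]
    start, end = parse_time(window["start"]), parse_time(window["end"])
    if end <= now:
        return now
    offset = random.Random(seed).uniform(0, (end - start).total_seconds())
    return start + timedelta(seconds=offset)

def renewal_due(renewal_info: dict, now: datetime, seed=None) -> bool:
    return pick_renewal_time(renewal_info, now, seed) <= now

# Constructed sample values: placeholder renewalInfo URL, AKI key identifier,
# serial number, and a renewalInfo response shaped as RFC 9773 describes
SAMPLE_DIRECTORY = {"renewalInfo": "https://<ca-server>/<renewal-info-endpoint>"}
SAMPLE_AKI = bytes.fromhex("69885B6B87464041E1B37B847BA0AE2CDE01C8D4")
SAMPLE_SERIAL = 0x87654321
SAMPLE_RENEWAL_INFO = {"suggestedWindow": {"start": "2026-01-03T00:00:00Z",
                                           "end": "2026-01-07T00:00:00Z"}}
```

Calling `renewal_info_url(SAMPLE_DIRECTORY, ari_cert_id(SAMPLE_AKI, SAMPLE_SERIAL))` gives the URL the client fetches, and `renewal_due(SAMPLE_RENEWAL_INFO, utc(2026, 1, 5))` is the decision certbot makes on each run of `certbot renew`.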
Revoke a client certificate
Revoke an issued client certificate using the ACME protocol.
STEP 1: Gather the prerequisites
The certificate to be revoked.
Access to the ACME account used to issue the certificate.
STEP 2: Run the revocation command
certbot revoke \
  --non-interactive \
  --no-verify-ssl \
  --server "https://<ca-server>/certificate-authority/api/v1/acme/directory" \
  --cert-path issued_cert.pem
Where:
--server is the ACME directory URL from the ACME profile.
--cert-path is the PEM file of the certificate to be revoked.
Result:
The specified certificate is revoked by DigiCert Private CA.