
ACME automation actions

By default, DigiCert® Trust Lifecycle Manager enrolls a new certificate when there is no existing certificate order that matches the ACME automation request.

To manage existing certificates in Trust Lifecycle Manager using a third-party ACME client:

  • To duplicate an existing certificate, add the automation action and certificate order ID number as query parameters to the ACME URL (for example, https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=duplicate&orderId=555345678). The certificate profile must have duplicates enabled.

  • To renew or reissue an existing certificate, use one of the following two methods:

    1. Add the automation action and certificate order ID number as query parameters to the ACME URL (for example, https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=renew&orderId=555123456).

    2. Omit the automation action and order ID number to have Trust Lifecycle Manager auto-detect the applicable certificate order and apply the default automation action for it. See details below.

Auto-detection rules for existing certificate orders

To auto-detect an existing certificate order for a third-party ACME automation request:

  • The primary order must have been issued via ACME.

  • The product name, common name (CN), and subject alternative names (SANs) of the requested certificate must match the existing ACME-based order.

    • For wildcard orders, requested domains can be sub-domains of an existing order and SANs can be added or removed.

    • For non-wildcard orders, CN and SANs must exactly match the original order.

    • If there are multiple matches, Trust Lifecycle Manager selects the order with the longest validity and matching product type from the certificate profile.

    • If no matching order is found, the ACME automation request is treated as a new order (enrollment). To force an ACME request to be treated as a new enrollment, append ?action=enroll to the ACME URL.

Default ACME automation actions

Upon successful auto-detection of an existing certificate order, Trust Lifecycle Manager applies the following default actions for a third-party ACME automation request:

  • If the order is not a multi-year plan, renew the certificate if it is within the certificate renewal window; otherwise enroll a new certificate with the same options as the original.

  • For multi-year plans, renew the certificate if it is within the order renewal window; otherwise reissue (get the next certificate for the order).

Note

The standard renewal window for certificates is 32 days before expiry. For multi-year plans, the standard order renewal window is 90 days before expiry.
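As an added example (not DigiCert code, and not the product's API), the following Python models the rules above: it builds the directory URL with the documented action and orderId query parameters, and it reproduces the auto-detection and default-action rules so that the outcome for a given request can be predicted before a third-party ACME client is pointed at the URL. The Order fields, the product name, the sample orders, the treatment of "sub-domain" as any name under the ordered base, the requirement that duplicate and renew always carry an orderId, and measuring "longest validity" as the order's lifetime are assumptions made for this model, not behaviour stated on this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from urllib.parse import urlencode, urlsplit, urlunsplit

DIRECTORY_URL = "https://one.digicert.com/mpki/api/v1/acme/v2/directory"
CERT_RENEWAL_WINDOW = timedelta(days=32)   # standard certificate renewal window
ORDER_RENEWAL_WINDOW = timedelta(days=90)  # order renewal window for multi-year plans


def acme_directory_url(action=None, order_id=None, base=DIRECTORY_URL):
    """Directory URL with the optional action / orderId query parameters.

    Omitting both leaves auto-detection to Trust Lifecycle Manager. Assumption:
    duplicate and renew are always sent with an orderId, as in the page's examples.
    """
    if action not in (None, "enroll", "duplicate", "renew"):
        raise ValueError(f"unsupported action {action!r}")
    if action in ("duplicate", "renew") and order_id is None:
        raise ValueError(f"action={action} needs an orderId")
    params = {}
    if action:
        params["action"] = action
    if order_id is not None:
        params["orderId"] = str(order_id)
    scheme, netloc, path, _, fragment = urlsplit(base)
    return urlunsplit((scheme, netloc, path, urlencode(params), fragment))


@dataclass(frozen=True)
class Order:
    """An existing certificate order (fields chosen for this model, not API output)."""
    order_id: int
    product: str
    cn: str
    sans: frozenset
    issued_via_acme: bool
    valid_from: date
    cert_expires: date   # expiry of the currently issued certificate
    order_expires: date  # end of the order; equals cert_expires unless multi-year
    multi_year: bool = False


def _covered(name, ordered_names):
    """Wildcard rule: the requested name equals, or is a sub-domain of, an ordered name.
    Assumption: "sub-domain" means any name ending in "." + base (the ordered name
    with a leading "*." removed)."""
    for ordered in ordered_names:
        base = ordered[2:] if ordered.startswith("*.") else ordered
        if name == base or name.endswith("." + base):
            return True
    return False


def matches(order, product, cn, sans):
    """Auto-detection match rules: ACME-issued, same product, matching names."""
    if not order.issued_via_acme or order.product != product:
        return False
    names = {order.cn, *order.sans}
    if any(n.startswith("*.") for n in names):
        # Wildcard order: SANs may be added or removed, but every name must fall under it.
        return all(_covered(n, names) for n in {cn, *sans})
    return order.cn == cn and order.sans == frozenset(sans)  # non-wildcard: exact match


def default_action(order, today):
    """Default action once an order has been auto-detected."""
    if order.multi_year:
        in_window = order.order_expires - today <= ORDER_RENEWAL_WINDOW
        return "renew" if in_window else "reissue"
    in_window = order.cert_expires - today <= CERT_RENEWAL_WINDOW
    return "renew" if in_window else "enroll"


def resolve(orders, product, cn, sans, today, forced_action=None):
    """Return (action, order_id); forced_action="enroll" models ?action=enroll on the URL.
    Assumption: "longest validity" is measured as the order's lifetime."""
    if forced_action == "enroll":
        return "enroll", None
    candidates = [o for o in orders if matches(o, product, cn, sans)]
    if not candidates:
        return "enroll", None  # no match: treated as a new enrollment
    best = max(candidates, key=lambda o: o.order_expires - o.valid_from)
    return default_action(best, today), best.order_id


# Constructed sample orders; IDs, product and names are made up for this example.
SAMPLE_ORDERS = [
    Order(1001, "OV TLS", "www.example.test", frozenset({"example.test"}), True,
          date(2024, 1, 1), date(2024, 12, 31), date(2024, 12, 31)),
    Order(1002, "OV TLS", "*.wild.test", frozenset(), True,
          date(2023, 6, 1), date(2024, 5, 31), date(2026, 5, 31), multi_year=True),
    Order(1003, "OV TLS", "api.example.test", frozenset(), False,  # not issued via ACME
          date(2024, 1, 1), date(2024, 12, 31), date(2024, 12, 31)),
]

if __name__ == "__main__":
    print(acme_directory_url("renew", 555123456))
    print(resolve(SAMPLE_ORDERS, "OV TLS", "www.example.test", {"example.test"}, date(2024, 12, 10)))
```

The string returned by acme_directory_url is what you hand to the client as its directory URL (for certbot, the --server option). Quote it in a shell: the & separating the two query parameters would otherwise be read as a command separator and the orderId would never reach the server.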