
ACME automation actions

By default, DigiCert® Trust Lifecycle Manager enrolls a new certificate when no existing certificate order matches the ACME automation request.

You can also use a third-party ACME client to manage existing certificates in Trust Lifecycle Manager:

  • Duplicate an existing certificate:  Add the automation action and certificate order ID as query parameters in the ACME URL.

    Tip

    The certificate profile must allow duplicates.

    Example: https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=duplicate&orderId=555345678

  • Renew or reissue an existing certificate:  Use one of the following two methods:

    • Method 1:  Add the automation action and certificate order ID as query parameters in the ACME URL.

      Example: https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=renew&orderId=555123456

    • Method 2:  Omit the automation action and order ID. Trust Lifecycle Manager automatically detects the applicable certificate order and applies the default automation action, as described in the following auto-detection rules.

 

Auto-detection rules for existing certificate orders

When a third-party ACME client sends an automation request, Trust Lifecycle Manager auto-detects the applicable certificate order using the following rules:

  • The primary order must have been issued through ACME.

  • The product name, common name (CN), and subject alternative names (SANs) of the requested certificate must match the existing ACME-based order.

  • For wildcard orders, requested domains can be subdomains of an existing order, and SANs can be added or removed.

  • For non-wildcard orders, CN and SANs must exactly match the original order.

  • If multiple orders match, Trust Lifecycle Manager selects the one with the longest validity and a matching product type from the certificate profile.

  • If no matching order is found, the ACME automation request is treated as a new enrollment.

    To force a request to be treated as a new enrollment, append ?action=enroll to the ACME URL.

 

Default ACME automation actions

Upon detecting an existing certificate order, Trust Lifecycle Manager applies the following default actions for a third-party ACME automation request:

  • For standard plans, renew the certificate if it's within the certificate renewal window. Otherwise, enroll a new certificate with the same options as the original.

  • For multi-year plans, renew the certificate if it's within the order renewal window. Otherwise, reissue (get the next certificate for the order).

Note

For standard certificates, the renewal window opens 32 days before expiration.

For multi-year certificates, the order renewal window opens 90 days before expiration.
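
The following Python sketch is an added example, not DigiCert code. It models the default actions and renewal windows described above so an operator can predict what an auto-detected request will do, and it builds a directory URL that pins the action explicitly instead of relying on auto-detection. The function names, the plan labels "standard" and "multi-year", the numeric order ID check, and the inclusive window boundary are assumptions of this example.

```python
import re
from datetime import date
from urllib.parse import urlencode

# Directory URL and action values exactly as they appear on this page.
DIRECTORY = "https://one.digicert.com/mpki/api/v1/acme/v2/directory"
ACTIONS_NEEDING_ORDER = {"renew", "duplicate"}
# Renewal windows from the note, in days before expiration.
WINDOW_DAYS = {"standard": 32, "multi-year": 90}
# Outcome when an existing order is detected outside its renewal window.
OUTSIDE_WINDOW = {"standard": "enroll", "multi-year": "reissue"}


def default_action(plan, expires, today):
    """Predict the documented default action for an auto-detected order.

    `expires` is the certificate expiry for a standard plan and the order
    expiry for a multi-year plan. Assumption: the window includes its
    opening day and stays open after expiry (the page does not say).
    """
    if plan not in WINDOW_DAYS:
        raise ValueError(f"unknown plan type: {plan!r}")
    days_left = (expires - today).days
    return "renew" if days_left <= WINDOW_DAYS[plan] else OUTSIDE_WINDOW[plan]


def directory_url(action=None, order_id=None):
    """Build the ACME directory URL, pinning the action when one is given."""
    if action is None:
        if order_id is not None:
            raise ValueError("orderId is only meaningful with an action")
        return DIRECTORY  # Method 2: server-side auto-detection
    if action == "enroll":
        if order_id is not None:
            raise ValueError("enroll starts a new order; omit orderId")
        return f"{DIRECTORY}?{urlencode({'action': action})}"
    if action not in ACTIONS_NEEDING_ORDER:
        raise ValueError(f"action not shown on this page: {action!r}")
    # Assumption: order IDs are decimal digits, as in the page's examples.
    if not re.fullmatch(r"[0-9]+", str(order_id)):
        raise ValueError(f"orderId must be numeric: {order_id!r}")
    return f"{DIRECTORY}?{urlencode({'action': action, 'orderId': order_id})}"


if __name__ == "__main__":
    today = date(2025, 1, 1)  # constructed sample dates
    print(default_action("standard", date(2025, 3, 1), today))
    print(directory_url("renew", 555123456))
```

Rejecting non-numeric order IDs keeps a value read from configuration from smuggling extra query parameters, such as a second action, into the directory URL handed to the ACME client.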