The ACME protocol (Automated Certificate Management Environment) automates certificate issuance and the validation of domain control, so that public key infrastructure can be deployed and maintained without manual intervention. It was designed by the Internet Security Research Group (ISRG) for its Let’s Encrypt service and has since been standardized as RFC 8555; its purpose is to streamline the management of certificates.
How Does the ACME Certificate Management Protocol Work?
ACME is the standard way to obtain Domain Validated (DV) certificates. A DV certificate says nothing about who operates a site; the CA issues it once the requester has proved control of the domain name, normally by answering a challenge the CA sets. Organization Validated (OV) certificates add a check of the requesting organization against business records, confirming it is who it claims to be. Extended Validation (EV) certificates apply the most thorough vetting process and are meant to showcase an organization’s credibility.
ACME is not limited to DV certificates; some CAs issue OV and EV certificates through it as well, but the organization vetting those certificates require happens out of band, alongside the ACME exchange. The main goal of ACME is to let an HTTPS server obtain a browser-trusted certificate automatically, with nobody handling the process by hand. This is done by a certificate management agent (the ACME client) installed on the web server.
ACME has two key players: the ACME client and the ACME server. The client uses the protocol to carry out certificate management tasks such as obtaining new certificates or revoking existing ones, and can run on any server that needs trusted TLS/SSL certificates. The server, operated by a certificate authority, handles the client’s requests and executes the requested actions once it has verified the client’s authorization. The two exchange JSON messages over HTTPS; every request the client sends is a JSON Web Signature (JWS) signed with the client’s account key.
ACME Client Configurations
Choosing the right ACME client matters. There are many ACME client implementations, covering nearly every language and environment. The protocol is open, so no certificate authority (CA) controls a particular client, and users are free to pick any CA that supports the protocol. Among the clients, the Electronic Frontier Foundation’s Certbot is the most popular choice.
Once you have chosen a client and installed it on your server, you configure it. The procedure is straightforward and typically takes under ten minutes.
- The client prompts you for the domain(s) it is going to manage.
- You are presented with a selection of Certificate Authorities (CAs) that support the ACME protocol.
- After you pick a CA, the client generates an account key pair and registers the public key with the CA. This account key, not the certificate key, authenticates everything the client does from then on.
- The CA issues challenges (http-01, dns-01 or tls-alpn-01) that the agent must complete to prove control of the domain. For http-01 the agent serves a specific value at a well-known URL over plain HTTP; for dns-01 it publishes a TXT record. The CA checks the response before it authorizes the domain for that account.
- Every request the agent sends carries a fresh nonce obtained from the CA and is signed with the account’s private key. The signature proves possession of the key; the single-use nonce prevents a captured request from being replayed.
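The challenge step above comes down to one derived value, the key authorization, which ties the CA’s token to the account key. The following is an added example (not code from any ACME client or CA, and not part of the original article) that computes it with the standard library only: the RFC 7638 thumbprint of the account’s public key, the http-01 file body and path, the dns-01 TXT record, and the comparison a CA makes when it fetches the http-01 response. The account key is constructed (the public coordinates of the P-256 base point, whose private scalar is 1) and the token is constructed; neither may be used for anything real.

```python
"""Computing and checking ACME challenge responses (RFC 8555, Section 8).

Added example, not code from any ACME client or CA. Only the standard library
is used; the account key below is constructed and must never be used for real.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME require everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint of a public JWK: SHA-256 over the canonical JSON of
    the required public members only, keys in lexicographic order, no whitespace.
    Optional members such as "alg" or "kid" do not affect the result."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    kty = jwk.get("kty")
    if kty not in required:
        raise ValueError(f"unsupported key type {kty!r}")
    canonical = {name: jwk[name] for name in required[kty]}
    encoded = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(encoded).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """token || "." || thumbprint: binds the CA's token to this account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: Dict[str, str]) -> Tuple[str, str]:
    """Path the CA fetches over plain HTTP (port 80) and the exact body to serve."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)


def dns01_record(domain: str, token: str, account_jwk: Dict[str, str]) -> Tuple[str, str]:
    """TXT record name and value: base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def ca_validates_http01(token: str, account_jwk: Dict[str, str], served_body: str) -> bool:
    """What the CA checks after fetching the challenge URL: the body (trailing
    whitespace ignored, as RFC 8555 allows) must equal the key authorization for
    this token and this account's key. Compared in constant time."""
    expected = key_authorization(token, account_jwk).encode("utf-8")
    return hmac.compare_digest(expected, served_body.rstrip().encode("utf-8"))


# Constructed account key: the public coordinates of the P-256 base point. It is
# a valid point, so the arithmetic runs on realistic input, but its private
# scalar is 1; it exists here only for illustration.
_GX = bytes.fromhex("6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296")
_GY = bytes.fromhex("4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")
ACCOUNT_JWK: Dict[str, str] = {
    "kty": "EC", "crv": "P-256", "x": b64url(_GX), "y": b64url(_GY),
    "alg": "ES256",  # optional member, ignored by the thumbprint
}

# Constructed token, in the shape a CA returns inside a challenge object.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    path, body = http01_response(TOKEN, ACCOUNT_JWK)
    print("serve at", path, "->", body)
    name, value = dns01_record("example.com", TOKEN, ACCOUNT_JWK)
    print("publish", name, "TXT", value)
    print("CA accepts served body:", ca_validates_http01(TOKEN, ACCOUNT_JWK, body + "\n"))
```

Two details matter in practice: the thumbprint covers only the required public members, so re-registering the same key with a different "kid" or "alg" yields the same key authorization, and the http-01 body is compared byte for byte (apart from trailing whitespace), so a web server that rewrites or redirects the well-known path will fail validation.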
Once the account key pair is registered, requesting, renewing and revoking certificates is straightforward: the agent sends the relevant certificate management message and signs it with the account key. Issuing or renewing a certificate involves the following steps:
- The agent generates a key pair for the certificate and creates a PKCS#10 Certificate Signing Request (CSR) naming the authorized domain(s) and containing the new public key.
- The CSR is self-signed with the private key matching the public key it contains, which proves the agent holds that key.
- The agent then sends the CSR to the CA inside a request signed with its account key, which proves the request comes from the account that completed the challenges.
- The CA checks both signatures and that every domain named in the CSR is authorized for that account. If all is in order, it issues a certificate for the domain(s) containing the public key from the CSR and makes it available for the agent to download.
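Before the CA looks at the CSR inside the request, it checks the signed envelope the request arrived in. The following is an added example (not code from any ACME client or CA, and not part of the original article) of those envelope rules from RFC 8555: the protected header must name a permitted signature algorithm, carry the exact URL being posted to, identify the account by either its public key (only for new-account and revoke-cert) or its account URL, and present an unused nonce. The CA endpoints and account URL are constructed. The signature bytes are passed in by the caller and are not verified here; that step belongs to a JOSE library with the account’s public key.

```python
"""Server-side envelope checks on an ACME request JWS (RFC 8555, Section 6).

Added example, not code from any ACME CA or client. It exercises the rules a CA
applies to the protected header and the anti-replay nonce before acting on a
request. Verifying the ES256/RS256 signature itself is left to a JOSE library.
"""
import base64
import json
import secrets
from typing import Any, Dict, Optional, Set, Tuple

# Constructed CA endpoints; a real CA publishes its URLs in its directory object.
CA = "https://ca.example/acme"
NEW_ACCOUNT_URL = f"{CA}/new-account"
FINALIZE_URL = f"{CA}/order/7/finalize"
REVOKE_URL = f"{CA}/revoke-cert"

# Only these resources may identify the signer by embedding the public key
# ("jwk"); every other request must reference an existing account ("kid").
JWK_RESOURCES = {NEW_ACCOUNT_URL, REVOKE_URL}
# A CA's own allowlist; "none" and MAC algorithms such as HS256 are never allowed.
ALLOWED_ALGS = {"ES256", "RS256"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class NoncePool:
    """Anti-replay: a nonce is handed out once (Replay-Nonce header) and accepted once."""

    def __init__(self) -> None:
        self._unused: Set[str] = set()

    def issue(self) -> str:
        nonce = b64url(secrets.token_bytes(16))
        self._unused.add(nonce)
        return nonce

    def consume(self, nonce: Optional[str]) -> bool:
        if nonce is None or nonce not in self._unused:
            return False  # never issued, or already spent: badNonce
        self._unused.remove(nonce)
        return True


def build_jws(url: str, nonce: str, payload: Any, signature: bytes,
              kid: Optional[str] = None, jwk: Optional[Dict[str, str]] = None,
              alg: str = "ES256") -> Dict[str, str]:
    """Client side: assemble the flattened JWS the client POSTs. `signature` must
    be the account key's signature over b64url(protected) + "." + b64url(payload);
    producing it is not part of this example."""
    header: Dict[str, Any] = {"alg": alg, "nonce": nonce, "url": url}
    if kid is not None:
        header["kid"] = kid
    if jwk is not None:
        header["jwk"] = jwk
    protected = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    # POST-as-GET (fetching a resource) uses an empty payload; otherwise JSON.
    body = "" if payload is None else b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    return {"protected": protected, "payload": body, "signature": b64url(signature)}


def check_envelope(request_url: str, jws: Dict[str, str], pool: NoncePool) -> Tuple[bool, str]:
    """CA side. Returns (ok, problem type) using the RFC 8555 error URNs."""
    try:
        hdr = json.loads(b64url_decode(jws["protected"]))
    except (KeyError, ValueError):
        return False, "urn:ietf:params:acme:error:malformed"
    if hdr.get("alg") not in ALLOWED_ALGS:
        return False, "urn:ietf:params:acme:error:badSignatureAlgorithm"
    if hdr.get("url") != request_url:  # the signature is bound to the exact URL
        return False, "urn:ietf:params:acme:error:unauthorized"
    if ("jwk" in hdr) == ("kid" in hdr):  # exactly one of the two, never both
        return False, "urn:ietf:params:acme:error:malformed"
    if "jwk" in hdr and request_url not in JWK_RESOURCES:
        return False, "urn:ietf:params:acme:error:malformed"
    if not pool.consume(hdr.get("nonce")):
        return False, "urn:ietf:params:acme:error:badNonce"
    return True, ""
```

When a request fails the nonce check, a real CA answers with badNonce and a fresh Replay-Nonce header, and the client simply re-signs and retries; the URL binding is what stops a signed message for one resource from being replayed against another.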
Revoking a certificate follows a comparable pattern. The agent sends a revocation request signed with the account key (the protocol also accepts a revocation request signed with the certificate’s own private key). The CA verifies the request, marks the certificate revoked, and publishes the revocation through the usual channels, such as CRLs and OCSP, so that browsers and other relying parties stop trusting it.
Benefits and Uses of ACME Protocol
In essence, an ACME client automatically proves control of your domain to the CA, obtains a browser-trusted certificate, installs it on your server, tracks its expiry and renews it in time, and revokes it when required. The central theme is automation, the change ACME brings to the management of Public Key Infrastructure (PKI). In the words of RFC 8555, it provides an “extensible framework for automating the issuance and domain validation procedure, thereby allowing servers and infrastructure software to obtain certificates without user interaction. Use of this protocol should radically simplify the deployment of HTTPS and the practicality of PKIX-based authentication for other protocols based on TLS.”
ACME also makes switching to a different CA considerably simpler. Put briefly, ACME:
- Costs nothing to use: the protocol is free to implement, and the best-known ACME CA, Let’s Encrypt, issues certificates to domain owners at no charge,
- Automates the entire certificate lifecycle management process,
- Promotes good TLS practice, helping both CAs and website administrators improve server security,
- Stands as an open standard available for widespread adoption, and
- Represents a collaborative initiative aimed at serving the community, not governed by any single entity.
Setting up ACME Protocol
Setting up ACME is easy: prepare the client and deploy it on the server that will hold the certificates. The client then walks through the same steps described above:
- The client prompts for the domain name(s) to be managed
- It offers a choice of certificate authorities (CAs) that support the protocol
- Once a CA is chosen, the client generates an account key pair and registers it with the CA
- The CA issues DNS or HTTP challenges to verify control of the domain (it does not verify the user’s identity)
- The CA supplies a nonce for each request, which the client signs together with the request using its account private key
Why go with ACME instead of other certificate automation protocols?
ACME is one of several protocols for automating certificate management. Others include Enrollment over Secure Transport (EST), the Simple Certificate Enrollment Protocol (SCEP), and the certificate auto-enrollment built into enterprise platforms such as Microsoft Active Directory. What sets ACME apart and makes it the preferred choice for many businesses over these alternatives?
Security teams increasingly rely on ACME to cope with scale and complexity, because it offers:
- A widely accepted open standard featuring strong error handling, simplifying adoption for enterprises and CAs alike
- Adherence to industry-leading practices in TLS and PKI management, benefiting IT teams responsible for deploying and overseeing valid PKI certificates as well as CAs committed to rigorous verification processes
- Support from an extensive community, free from the influence of any one company or entity
- The ability to easily integrate and manage alternate or backup CAs, enhancing CA flexibility
- No licensing cost for the protocol, and free certificates from the most widely used public ACME CA