Are you looking for automation when it comes to managing your SSL Certificates? Then you have had most likely heard of the ACME protocol. But what is it and how does it work? In this blog post, we will give you all the information you need on the ACME protocol and why it is important for the future of your certificates.
First things first, ACME stands for Automated Certificate Management Environment. It is a protocol that automates interactions between certificate authorities and organisation’s servers, allowing the automated deployment of OV and EV SSL certificates.
Managing your certificates manually is fine, but it can prove a challenge and become overwhelming if certificates are not issued and renewed correctly. Requesting and renewing certificates manually can be a lengthy process, including creating a Certificate Signing Request (CSR), requesting the certificate, and waiting for it to be issued. Then you need to install the certificate and configure it correctly. With this process, it can take time and human errors may happen, increasing the length of the process and risk of taking the service down.
With the ACME protocol, all these steps are automated. You will not need to worry about generating a CSR or submitting the request. Instead, your web server will automatically request and obtain your SSL Certificate from the relevant CA (for Jisc, this is Sectigo).
There are more than 100 open-source ACME clients that are currently available to use with the ACME protocol. A few well-known ACME clients are Certbot, Caddy and uacme.
There are many benefits to using the ACME protocol, such as:
- It can save a considerable amount of time as the whole process of certificate management works in the background
- While saving time, it can also reduce the resources needed for managing certificates and improve the overall efficiency of the certificate process
- As this is automated, it minimises the risk of human error and protects organisations from risks such as widespread outages
So why are we pushing this ACME protocol, you may ask?
Google have announced that they are planning to reduce the validity period of certificates from 1 year to 90 days for improved security. This aligns with industry trends and best practices and will most likely be adopted by other web browsers.
The change aims to create a safer online environment and promote the adoption of stronger security measures. Hence, there is an early push to get everyone on board with the proposed changes and start using ACME for the management of your certificates before it becomes unmanageable.
How do you go about getting ACME set up within your Sectigo Portal?
- Login to the Sectigo Certificate Manager (SCM) Portal.
- Generate an ACME Account: In the SCM portal, create a new ACME account (under Enrollment). This account will be used to authenticate and manage your ACME-based certificate requests.
- Generate an ACME key pair: SCM will generate a key pair (public and private key) for your ACME account. This key pair is essential for secure communication between your ACME client and the SCM ACME server.
- Configure your ACME client: Install and configure an ACME client software on your server or local machines.
- Assign Domains to ACME Account: You will need to select your account and add Domains from your organisation. (Please ensure these are already validated)
- Link your ACME client with Sectigo Certificate Manager: This typically involves providing the server’s ACME endpoint URL and your ACME key pair to the client to send a certificate request to the SCM ACME Server.
You can have multiple ACME accounts for individual webservers. Using a single ACME account for an organisation is your decision but if many domains are under one ACME account, it could cause security issues. Therefore, it is recommended to maintain separate webservers and having ACME accounts for each. You can split your domain estate however you wish.
Other things to be aware of:
- Ensure the ACME client you select will periodically renew the required certificates and that your webserver will be aware of new certificates available to it. This may happen automatically or require the use of a scheduled task (e.g. Cron Job)
- When assigning a wildcard domain to an ACME account, you need to ensure that you have assigned the ‘non-wild’ version. For example, if assigning ‘*.jisc.ac.uk’, you also need to assign ‘jisc.ac.uk’