ACME Protocol

ACME: An Overview

The ACME (Automatic Certificate Management Environment) protocol is a standardized way to automate the process of obtaining and managing TLS/SSL certificates for websites and other online services. The ACME API provides a RESTful interface for interacting with ACME-compatible Certificate Authorities (CAs), allowing developers to automate certificate issuance, renewal, and revocation.

How ACME Works

The ACME protocol involves a client-server interaction between an ACME client and an ACME server. The client, typically running on the server that needs a certificate, initiates the communication with the CA server. The CA server verifies the client's control over the domain for which the certificate is requested and then provides the certificate.

ACME API Calls: A Detailed Explanation

The ACME API defines a set of endpoints for various certificate management tasks. Here's an in-depth explanation of key ACME API calls.

1. Register (Keys):

This API call initiates the registration process with the ACME server. It involves providing the server with a public key generated using OpenSSL or emCA. The server generates a corresponding private key and associates it with the client's account.

2. Order Certificate:

This API call requests a new certificate for a specified domain. It involves providing the following details:

  • Order Details: This includes the domain name for which the certificate is requested and an identifier (ID) that uniquely identifies the order. The ID is signed by the client's private key to ensure authenticity.

  • Authentication Details: This provides proof of ownership of the client's account. It typically involves signing a challenge token provided by the server using the client's private key.

  • Challenge: This section specifies the challenge type and a token that the client must validate to demonstrate control over the domain.

  • Identifier: This identifies the domain for which the certificate is being requested. It can be a DNS hostname or a Uniform Resource Identifier (URI).

3. Verify Domain:

This API call is used to verify domain control. The client must complete the challenge specified by the CA server to prove ownership of the domain. For DNS challenges, this typically involves adding a specific DNS record.

4. Generate Certificate:

Once the domain control has been successfully verified, the client can call this API to generate the certificate. The server generates the certificate and provides it to the client in a standard format (e.g., PEM, DER).
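As an added example (not code from this page, nor from emCA or any ACME client), the client-side values behind steps 1 to 3 above, using only the Python standard library: the JWS protected header that carries the anti-replay nonce and request URL, and the key authorization the CA checks when it verifies an HTTP-01 or DNS-01 challenge. The account JWK, token and URLs below are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample account public key (EC P-256 JWK); the coordinates are
# illustrative only and do not belong to any real account.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME/JOSE require (RFC 8555 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of only the required
    members, keys sorted, no whitespace. Extra members and key order are ignored."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint(accountKey) (RFC 8555 section 8.1). Binding the token to
    the account key is what stops a different account from completing the challenge."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response_body(token: str, account_jwk: dict) -> str:
    """Body served at http://<domain>/.well-known/acme-challenge/<token>."""
    return key_authorization(token, account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value for _acme-challenge.<domain>: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_matches(observed_txt: str, token: str, account_jwk: dict) -> bool:
    """CA-side check: compare the TXT record actually published with the expected value."""
    return hmac.compare_digest(observed_txt, dns01_txt_value(token, account_jwk))


def protected_header(nonce: str, url: str, account_jwk=None, kid=None) -> dict:
    """JWS protected header for one ACME request (RFC 8555 section 6.2): the nonce makes
    the signed request single-use and url binds it to one endpoint. Registration (newAccount)
    identifies the key by 'jwk'; every later request names the account URL in 'kid'."""
    header = {"alg": "ES256", "nonce": nonce, "url": url}
    if kid is not None:
        header["kid"] = kid
    elif account_jwk is not None:
        header["jwk"] = account_jwk
    else:
        raise ValueError("an ACME request carries exactly one of 'jwk' or 'kid'")
    return header
```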

The system also uses the standard emCA APIs for the creation and revocation of certificates.