ACME Glossary: Automation Made Easy
Understand the Key Terms behind ACME and How it Simplifies SSL/TLS Certificate Management:
ACME makes HTTPS adoption easier by eliminating manual certificate requests and automating the SSL/TLS certificate lifecycle: validation, installation and renewal. The Automatic Certificate Management Environment is a protocol formally defined in RFC 8555. Before ACME, getting an SSL certificate involved manual steps such as generating a CSR, submitting it to the certificate authority, proving control of the domain, and installing the issued certificate. ACME replaces all of that with an automated workflow and reduces the IT work involved.
ACME (Automatic Certificate Management Environment)
A protocol that automates the issuance, validation, installation, and renewal of SSL/TLS certificates, removing manual processes.
New SSL/TLS Validity & Automation Importance
The maximum validity of publicly trusted SSL/TLS certificates is being cut in stages under CA/Browser Forum ballot SC-081, from 398 days today down to 200 days, then 100 days, and finally 47 days from 2029. With certificates that short-lived, manual SSL management is no longer practical; automation is the only workable option.
Sectigo ACME Subscription/Certificate-as-a-Service
A Sectigo ACME subscription is a managed service that lets you automatically issue, install, and renew SSL/TLS certificates using the Automatic Certificate Management Environment protocol. Billing is per domain, not per certificate, so you can issue multiple certificates for the same domain under a single subscription.
AutoInstall SSL
A tool that automates the entire SSL/TLS certificate lifecycle, including key and CSR generation, validation, installation, and renewal, to prevent site downtime caused by expiry. Suited to Linux and Windows servers.
AutoInstall SSL vs ACME CaaS
AutoInstall SSL is a specialised tool (also available as a hosting control-panel function) that provides end-to-end automation for specific server environments, whereas ACME CaaS is a developer- and API-driven service in which the certificate lifecycle is managed entirely through the ACME protocol.
Multi-Domain & Wildcard Support
Lets you secure a single domain, a wildcard domain, or multiple domains, depending on your requirements.
ACME Client
Software that communicates with an ACME server to request and manage certificates. Examples include Certbot, acme.sh, Posh-ACME, win-acme and cert-manager.
ACME Server
A system operated by a Certificate Authority that processes certificate requests, performs domain validation and issues the certificates.
Account Key
A cryptographic key pair used by the ACME client to identify your account: every request sent to the ACME server is signed with the private key, and the public key is registered with the account. Treat the private key file like any other credential, since whoever holds it can order, and revoke, certificates on your account.
External Account Binding (EAB)
EAB (RFC 8555 section 7.3.4) is a security feature that requires pre-issued credentials (a Key ID and an HMAC key) before an ACME account can be created on the service. The client proves possession of the HMAC key when it registers, so only authorised users can request certificates, and all activity is linked to your Sectigo account.
Rate Limits
Restrictions set by Certificate Authorities on how many certificates (and, often, how many failed validations) can be requested within a given time period.
Staging Environment
A test environment offered by some ACME servers where requests can be tried without counting against production rate limits. Certificates issued there are not trusted by browsers.
Production Environment
The live environment where real and trusted SSL/TLS certificates are issued.
Certificate as a Service (CaaS) Licenses
A Single DV Certificate licence covers one FQDN, including both the www and non-www versions. A Wildcard Certificate licence covers unlimited first-level subdomains (*.yourdomain.com) plus the root domain itself; deeper levels such as a.b.yourdomain.com are not matched by a wildcard.
Stages of the Certificate Lifecycle Management
The key CLM stages are Certificate Request, Domain Validation, Issuance, Installation/Deployment, Monitoring and Renewal.
Certificate Lifecycle Management
The complete journey of a certificate from issuance to expiration or renewal. ACME automates the lifecycle to ensure continuous protection.
Automated Installation
You install the client and run the supplied command (or paste in the supplied configuration); the client then handles validation, issuance, installation and renewal.
Renewal Automation
Certificates are renewed automatically before they expire, which prevents downtime and browser warnings. With shorter validity periods the renewal trigger has to scale with the certificate lifetime rather than being a fixed number of days before expiry.
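The following is an added example, not code from the page or from any of the ACME clients it lists. It shows the renewal scheduling that short-lived certificates require: the renewal window opens after a fraction of the lifetime (two thirds, the rule of thumb Let's Encrypt recommends for its 90-day certificates) rather than a fixed lead time, retries after a failed renewal never sleep past expiry, and the number of retries that fit before expiry is reported so that a 47-day certificate is not left to "try again tomorrow". The dates and intervals are constructed values.

```python
"""Renewal scheduling for short-lived certificates.

Added example; not the page's or any client's own code.  A fixed 30-day lead,
the old default, would renew a 47-day certificate after only 17 days, so the
window is computed as a fraction of the lifetime instead.  Dates constructed."""
from datetime import datetime, timedelta, timezone

# Renew once 2/3 of the lifetime has elapsed.  Kept as an integer ratio so the
# timedelta arithmetic stays exact.
RENEW_NUM, RENEW_DEN = 2, 3


def renewal_time(not_before, not_after, num=RENEW_NUM, den=RENEW_DEN):
    """Start of the renewal window for a certificate valid notBefore..notAfter."""
    return not_before + (not_after - not_before) * num // den


def next_attempt(not_before, not_after, now, last_failure=None,
                 retry_interval=timedelta(hours=8)):
    """When the client should run next: wait for the window to open, run at once
    inside it, and after a failure back off by retry_interval, but never sleep
    past expiry (a sleeping client with an expired certificate is the outage)."""
    window_start = renewal_time(not_before, not_after)
    if now < window_start:
        return window_start
    if last_failure is None:
        return now
    return min(last_failure + retry_interval, not_after)


def attempts_before_expiry(not_before, not_after, retry_interval=timedelta(hours=8)):
    """How many attempts fit between the window opening and expiry.  A 47-day
    certificate allows roughly half as many as a 90-day one, so renewal
    failures need alerting early rather than being left to the next run."""
    window = not_after - renewal_time(not_before, not_after)
    return window // retry_interval + 1


def lifetime_fraction_used(not_before, not_after, lead=timedelta(days=30)):
    """Fraction of the lifetime actually used if renewal is a fixed `lead`
    before expiry.  Below 0.5 the certificate is being discarded half-used,
    which is the argument against fixed leads for 47-day certificates."""
    lifetime = not_after - not_before
    return (lifetime - lead) / lifetime


if __name__ == "__main__":
    # Constructed sample: a 47-day certificate issued 2025-01-01.
    nb = datetime(2025, 1, 1, tzinfo=timezone.utc)
    na = nb + timedelta(days=47)
    print("window opens:", renewal_time(nb, na))
    print("retries available:", attempts_before_expiry(nb, na))
    print("lifetime used with a 30-day lead: %.2f" % lifetime_fraction_used(nb, na))
```

The functions take timezone-aware datetimes such as those parsed from a certificate's notBefore/notAfter; the `__main__` block only prints a constructed case so the module runs stand-alone.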
Automated Revocation
Cancelling a certificate before its expiry date, usually because the private key was compromised or the certificate is no longer needed. ACME clients can submit the revocation request to the CA for you, signed with either the account key or the certificate's own key.
DevOps Integration
Sectigo ACME certificates can be integrated into deployment pipelines and infrastructure tools, so every new server or application is automatically secured at deployment time.
Validation Methods/Challenges
Used to prove that you own or control a domain before a certificate is issued. Sectigo ACME supports multiple challenge types:
- HTTP validation (http-01): the client places a file containing a key-authorisation value under /.well-known/acme-challenge/ on your web server, and the CA fetches it over port 80
- DNS validation (dns-01): the client adds a TXT record at _acme-challenge.<your domain>; this is the method required for wildcard certificates
- TLS validation (tls-alpn-01): the client presents a special self-signed certificate on port 443 under the acme-tls/1 ALPN protocol, so ownership is verified at the TLS protocol level without touching the web root
These options give flexibility depending on your infrastructure.
Core ACME Configuration Parameters
When configuring an ACME client for Sectigo, the following parameters are required:
- ACME Server URL: https://acme.sectigo.com/v2/DV
- EAB KID: The unique Key ID assigned to your account.
- EAB HMAC Key: The secret key associated with the Key ID.
- Validation Method: DNS-01 or HTTP-01
EAB Credentials Package
When you purchase Sectigo Certificate as a Service (CaaS), you receive a complete credentials package via e-mail containing four essential components:
- Sectigo ACME Account ID: Your unique service identifier used for all account management, extensions, and support requests. Keep this ID safe as you'll need it for future service management.
- EAB Key ID: Your unique account identifier that tells our ACME server which service account to use for SSL Certificate requests.
- EAB MAC Key: Your secure authentication key that proves you're authorized to use the service. This key must be kept confidential.
- ACME Server URL: The dedicated server endpoint where your ACME client will connect to request and manage SSL Certificates.
We only send this information by e-mail when Sectigo Certificate as a Service (CaaS) is activated or renewed, so store it securely; the MAC key in particular must be treated as a secret. If you lose the e-mail, please contact our support team for assistance.
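The block below is an added example, not code from the page or from any ACME client, showing what the credentials package is actually used for. It builds the externalAccountBinding object that the client embeds in its newAccount request (RFC 8555 section 7.3.4): an HS256 JWS whose header carries the EAB Key ID and the newAccount URL, whose payload is the account's public key, and whose MAC is computed with the EAB MAC key. It also shows the check the CA performs on receipt, which is why a wrong Key ID, a wrong MAC key, or a MAC key pasted as text instead of being base64url-decoded all fail. The Key ID, MAC key, directory URL and account key are constructed placeholders.

```python
"""externalAccountBinding for an ACME newAccount request (RFC 8555 s7.3.4).

Added example; not the page's or any client's own code.  Key ID, MAC key,
URL and account key below are constructed placeholders."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed placeholders standing in for the credentials package.
EAB_KID = "kid-0123456789abcdef"
EAB_HMAC_KEY = b64url(bytes(range(32)))  # the package ships the key base64url-encoded
NEW_ACCOUNT_URL = "https://acme.example.test/v2/DV/newAccount"  # from the directory
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
                      "x": b64url(bytes(range(1, 33))), "y": b64url(bytes(range(33, 65)))}


def build_eab(kid, hmac_key_b64url, account_jwk, new_account_url) -> dict:
    """Inner JWS: HS256 over the account *public* key, keyed by the EAB MAC key.
    The protected header carries kid (the EAB Key ID) and url (same as the
    outer request) and must not carry a nonce.  The MAC key is decoded from
    base64url first; using the text form as the key is a common EAB failure."""
    protected = b64url(json.dumps(
        {"alg": "HS256", "kid": kid, "url": new_account_url},
        separators=(",", ":")).encode("utf-8"))
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode("utf-8"))
    mac = hmac.new(b64url_decode(hmac_key_b64url),
                   f"{protected}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_eab(eab, hmac_key_b64url, expected_kid, expected_url, account_jwk) -> bool:
    """What the CA does on receipt: check the header, recompute the MAC and
    compare in constant time, and confirm the bound key is the same key that
    signed the outer newAccount request."""
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
    except (ValueError, KeyError):
        return False
    if header != {"alg": "HS256", "kid": expected_kid, "url": expected_url}:
        return False
    expected = hmac.new(b64url_decode(hmac_key_b64url),
                        f"{eab['protected']}.{eab['payload']}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    return bound_jwk == account_jwk


def new_account_payload(eab: dict, contact_email: str) -> dict:
    """Payload of the outer newAccount JWS.  The outer JWS itself is signed with
    the account private key (header jwk, nonce, url), which the client handles."""
    return {"termsOfServiceAgreed": True,
            "contact": [f"mailto:{contact_email}"],
            "externalAccountBinding": eab}


if __name__ == "__main__":
    eab = build_eab(EAB_KID, EAB_HMAC_KEY, SAMPLE_ACCOUNT_JWK, NEW_ACCOUNT_URL)
    print(json.dumps(new_account_payload(eab, "admin@example.test"), indent=2))
    print("verifies:", verify_eab(eab, EAB_HMAC_KEY, EAB_KID, NEW_ACCOUNT_URL, SAMPLE_ACCOUNT_JWK))
```

The binding is made once, at account creation; after that the account key alone authenticates orders, which is why the EAB credentials must be kept off shared hosts and out of repositories, and why rotating them does not invalidate accounts already bound.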
Key Steps for Sectigo CaaS
- Purchase a Certificate as a Service (CaaS) licence, e.g. single-domain, wildcard or multi-domain
- Obtain your credentials: ACME URL, Key ID and HMAC Key
- Install a supported ACME client on your server, such as Certbot, acme.sh or win-acme
- Configure ACME Client with Your External Account Binding (EAB) Credentials
- Your SSL/TLS Certificates Are Now Fully Automated
Key Steps for AutoInstall SSL
- Install AutoInstall SSL using the command provided
- Register and confirm your domain with the token you were given
- CSR, Validation, and installation will complete automatically
- Automatically Renew certificates before they expire
Common ACME Issues
- DNS propagation delays: the new TXT record is not yet visible to the CA's resolvers when the challenge is submitted
- Challenge validation failures: the CA cannot fetch the expected file or record, often because a redirect, reverse proxy or CDN serves something else for the challenge path
- Port 80/443 blocked by a firewall, so http-01 or tls-alpn-01 cannot be reached from outside
- Rate limiting by the CA after too many certificate requests or failed validations in a short period
- Renewal failures: a changed web root or DNS setup, expired or replaced EAB credentials, or a renewal timer/cron job that is no longer running
Sectigo CaaS + ACME Clients Setup Commands
Certbot:
## First register your account using the External Account Binding provided to you:
certbot register --server {SERVER_URL_HERE} \
--eab-kid {EAB_KID_HERE} \
--eab-hmac-key {EAB_KEY_HERE} \
--email {EMAIL_HERE} --agree-tos
## Request a new certificate for the domain (the webroot must be the directory that serves /.well-known/acme-challenge/ for both names):
certbot certonly --server {SERVER_URL_HERE} \
--webroot -w /var/www/example -d mydomain.com -d www.mydomain.com
## Renew all previously obtained certificates that are near expiry (the packaged systemd timer or cron job normally runs this for you):
certbot renew
acme.sh:
## First register your account using the External Account Binding provided to you:
acme.sh --server {SERVER_URL_HERE} --register-account \
--eab-kid {EAB_KID_HERE} \
--eab-hmac-key {EAB_KEY_HERE}
## Request a new certificate for the domain:
acme.sh --issue -d mydomain.com -d www.mydomain.com \
-w /home/wwwroot/mydomain.com --server {SERVER_URL_HERE}
## Renew the certificate (server URL and webroot are remembered from the issue step; add --force to renew before it is due). acme.sh also installs a daily cron job that renews automatically:
acme.sh --renew -d mydomain.com
Posh-ACME:
## Point Posh-ACME at the CA server URL first (accounts are kept per server):
Set-PAServer -DirectoryUrl {SERVER_URL_HERE}
## Then register your account using the External Account Binding provided to you:
$eabKID = 'EAB_KID_HERE'
$eabHMAC = 'EAB_KEY_HERE'
New-PAAccount -ExtAcctKID $eabKID -ExtAcctHMACKey $eabHMAC -Contact '{EMAIL_HERE}' -AcceptTOS
## Request a new certificate for the domain:
New-PACertificate example.com -AcceptTOS
## Renew all orders on the current account:
Submit-Renewal
Win-ACME:
## Execute the following command to auto-enroll a certificate on IIS using the win-acme client (one line; cmd.exe does not accept backslash line continuations):
wacs.exe --baseuri {SERVER_URL_HERE} --verbose --accepttos --emailaddress {EMAIL_HERE} --eab-keyidentifier {EAB_KID_HERE} --eab-key {EAB_KEY_HERE}
cert-manager:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: sectigo-acme
spec:
  acme:
    server: https://acme.sectigo.com/v2/DV
    email: YOUR_EMAIL
    externalAccountBinding:
      keyID: YOUR_EAB_KEY_ID
      keySecretRef:
        name: sectigo-eab-hmac
        key: secret
    solvers:
    - http01:
        ingress:
          class: nginx
The HMAC key is not placed in the issuer itself: store it in a Secret named sectigo-eab-hmac with the data key `secret` (in the cert-manager namespace, since this is a ClusterIssuer), so that it stays out of the manifest and out of version control. cert-manager creates and binds the ACME account on first use and then handles ordering and renewal for every Certificate resource that references this issuer.