ACME for DV certificates is finally available

Mar 13, 2024 | Jindřich Zechmeister

Automate the DV certificate lifecycle with DigiCert and SSLmarket. We have been waiting a long time for DV certificates in ACME, but now the wait is over and you can start automating them. You can now use automation with all types of TLS certificates and you can get started right away. This article will show you how.

What is ACME and how does it work

Automatic Certificate Management Environment (ACME) is a communication protocol to automate actions between certificate authorities and their user servers. It is defined by the RFC 8555 standard and supported by several certification authorities, it is also implemented in a number of tools for different platforms (Linux and Windows servers, Kubernetes). Agents who communicate with CAs using ACME are usually also able to deploy the certificate to the server (it depends on the specific implementation). The ACME protocol is open and not tied to a specific technology or CA, which is why a wide user community has emerged around it and it has established itself as the main automation tool for TLS certificates.

Since we are talking about automation, it is logical that the entire life cycle of the certificate must take place without user intervention. In the case of DV certificates, it is only necessary to confirm ownership or the right to handle the domain, which is done using an email, a DNS record or a file. Email for automation doesn't make sense, for DNS you need an API for a service managing DNS records, which is not very common. That leaves the third method that works best for DV ACME.

The method using a verification file to verify domains (the so-called challenge) is HTTP-01. The agent exposes a file with a unique hash to the ACME domain, and the domain is immediately verified. This method is the default for ACME.

As soon as a request for a new certificate or renew is started on the server in the ACME agent, the agent creates a CSR, sends it to the CA and performs domain authorization based on the hash received from the CA (it sets the authentication file on the website). After successful verification, which is typically done within a minute, the certificate is issued, the agent downloads it and deploys it to the web server. You, as the administrator, do not have to do anything at all.

How can I use DV ACME?

The first step is to select and deploy a suitable "agent" on the server; the most famous ACME agent is Certbot. At the beginning, you need to consider your needs and the features that individual agents can offer. If you don't have your favorite, you can also use an agent from DigiCert as part of the Automation Manager service. At the beginning, it is also advisable to make sure you can let them modify the web server configuration (focus on non-standards, backup the settings).

For the ACME client to work, you need to obtain ACME credentials, which are generated by the CA. We make it as easy as possible for customers to obtain them and have implemented the ACME client directly into the SSLmarket customer account. You can start using ACME immediately without needing our assistance.

If necessary, do not hesitate to contact us any time. We are here for you.

The difference between ACME DV and OV/EV

Certificates with organization verification, i.e. with OV and EV verification, still rely on active verification. If the organization’s verification is not valid at the time of the certificate request, then such a request cannot be successful - that is a typical situation. However, for OV and EV certificates, the domain that will be listed in the certificate must be verified in advance, not just the organization. If you want to use OV and EV certificates with ACME, we will of course arrange this pre-verification for you.

For DV certificates, the organization is irrelevant because it is not mentioned in the certificate, and you simply need to do a DCV using the HTTP-01 method for every single certificate request.

SSLmarket is your automation partner

We help you automate the certificate lifecycle and make your life easier. It is possible to automate not only TLS certificates, but also S/MIME certificates for electronic signatures or signing applications with Code Signing certificates.

With our help, you will find the ideal method for you, which will save you work, time, and worries.