ACME 101: Automated Certificate Management for Domain Verification
The PKI using X.509 certificates is used for a number of purposes, the most significant of which is as a certificate for domain names. To issue publicly trusted TLS/SSL certificates for web servers, Certificate Authorities (CAs) must verify the legitimacy and control of the domain name. The ACME protocol automates the process of verification of domain and certificate issuance. The protocol also provides a mechanism to automate other certificate lifecycle functions such as certificate revocation and renewal. The major benefit of using ACME is that you can use any open-source ACME client that supports ACMEv2 and pair it with HID PKI-as-a-Service, eliminating the need to manage vendor-specific agents to automate certificate lifecycle management.
Verification Is Completely Automated With ACME
The ACME protocol uses a Challenge-Response Approach for domain verification and issuance of certificates. In this approach, the following steps are taken:
- The CA sends a challenge (such as HTTP-01) to the client
- The client proves its control over the domain by responding to the challenge
- When the CA is satisfied with the client’s response, it issues a certificate
What if My ACME Implementation Uses Different Challenges?
While HTTP-01 is the most common challenge type used today, there are other challenges that can be part of your implementation, such as DNS01 and TLSSNI01. If your configuration requires these types of challenges, HID PKIaaS is still a great fit. As a technology-agnostic PKI provider, automations powered by HID PKIaaS can be completely tailored to your unique environment and use case, without your team having to manage other agents to automate certificate lifecycle management.
In short, the ACME Protocol automates the process of domain verification and issuance of certificates through a connector model of certificate automation that does not rely on the introduction of a “command and control” platform to manage certificates and validate domains. Ultimately, this helps organizations reduce operational costs and complexity associated with managing TLS/SSL certificates manually and also reduces opportunities for human error, which could compromise security within your organization.
Check out our technical guide on Certificate Automation Rollout for Enterprises for additional information.
Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).