Technical notesA few words about ACME
The ACME protocol (Automated Certificate Management Environment) is a network protocol designed to automate the process of domain validation and deliverance of X.509 certificates. The protocol was originally designed by the Internet Security Research Group (ISRG) for their own certificate delivery service: Let's Encrypt. The protocol is now published as an Internet Standard in RFC 8555. The ISRG itself is backed by companies such as Cisco, Google, Mozilla or Facebook.
ACME v1 was released on April 12, 2016 but is now deprecated.
The latest and currently supported version, ACME v2, was released on March 13, 2018.
ACME v2 main new feature is the support of wildcard domains. It is not backwards compatible with ACME v1.
SSL certificates are used on the Internet usually to secure communications to a website. They certify the website's identity based on its DNS domain name. These certificates are issued by public Certification Authorities using three validation strategies:
- Domain Validation, where the website administrator will have to prove that he has control over the DNS domain
- Organization Validation, where the website administrator will have to prove that he represents the organization holding the DNS domain
- Extended Validation, that adds extra checks on top of Organization Validation
Essentially, the steps to obtain a certificate using Domain Validation process are the following:
- Generate a PKCS#10 Certificate Signing Request;
- Upload the CSR to a CA's web page;
- Attest of the ownership of the domain included in the CSR by using one of the following method:
- Add a challenge provided by the CA at a specific place on the web server;
- Add a challenge provided by the CA inside a DNS record corresponding to the requested domain;
- Receive a challenge provided by the CA on an email address and respond to it on the CA web page.
- Receive and install the generated certificate.
ACME aims at automating these mechanisms used in the Domain Validation process by providing a framework which automates the identity verification procedure and the certificate delivery.
The issuance of a certificate through the ACME protocol is very similar to issuing a certificate through usual CAs DV process:
- Creation of an account;
- Request of a certificate;
- Prove the ownership of the domain through the use of a challenge.
Here is in detail the process of requesting a certificate using the ACME protocol:
The client must create an account, send a request for signature, respond to a challenge send by the ACME server and then send the CSR for signature. In most cases, all these operations are fully automated.
About ACME validation process
ACME specifies 3 different validation methods, as per RFC 8555:
- pre-validation, where the validation takes place before the actual ACME enrollment, by other means than ACME
- http-01 validation, where the validation challenge is served by the client using HTTP
- dns-01 validation, where the validation challenge is made available through DNS
A fourth validation method is also commonly used. Known as tls-alpn-01, it relies on TLS ALPN extension to deliver a self-signed certificate that contains the challenge.
These 4 validation methods all have advantages and drawbacks, since it's not always possible to use each of them:
- HTTP ports can be closed or aggressively redirected to HTTPS
- DNS servers can be bunkerized and not readily usable by ACME clients
- TLS ALPN extension is not supported by all servers
- Very few clients actually support pre-validation method, since Let's Encrypt does not support it
Therefore when designing an ACME-base PKI automation solution, the choice and architecture used for validation is a key point.
The other main key point is the choice of ACME clients. Some products or solutions include already an ACME client, making the choice a no-brainer.
For the other cases, here is a non-exhaustive list of ACME clients:
To learn more about using an ACME client on Linux and/or on Windows to request certificates, please follow these links: