A few words about ACME

ACME
ACME protocol SSL Certificates automation

Introduction

The ACME protocol (Automated Certificate Management Environment) is a network protocol designed to automate the process of domain validation and deliverance of X.509 certificates. The protocol was originally designed by the Internet Security Research Group (ISRG) for their own certificate delivery service: Let’s Encrypt. The protocol is now published as an Internet Standard in RFC 8555. The ISRG itself is backed by companies such as Cisco, Google, Mozilla or Facebook.

ACME v1 was released on April 12, 2016 but is now deprecated.

The latest and currently supported version, ACME v2, was released on March 13, 2018.

ACME v2 main new feature is the support of wildcard domains. It is not backwards compatible with ACME v1.

Overview

SSL certificates are used on the Internet usually to secure communications to a website. They certify the website’s identity based on its DNS domain name. These certificates are issued by public Certification Authorities using three validation strategies:

Essentially, the steps to obtain a certificate using Domain Validation process are the following:

  1. Generate a PKCS#10 Certificate Signing Request;
  2. Upload the CSR to a CA’s web page;
  3. Attest of the ownership of the domain included in the CSR by using one of the following method:
    • Add a challenge provided by the CA at a specific place on the web server;
    • Add a challenge provided by the CA inside a DNS record corresponding to the requested domain;
    • Receive a challenge provided by the CA on an email address and respond to it on the CA web page.
  4. Receive and install the generated certificate.

ACME aims at automating these mechanisms used in the Domain Validation process by providing a framework which automates the identity verification procedure and the certificate delivery.

The communications between an ACME server and an ACME client is based on JavaScript Object Notation (JSON) messages, secured using TLS and JSON Web Signature (JWS).

The issuance of a certificate through the ACME protocol is very similar to issuing a certificate through usual CAs DV process:

  1. Creation of an account;
  2. Request of a certificate;
  3. Prove the ownership of the domain through the use of a challenge.

Here is in detail the process of requesting a certificate using the ACME protocol:

Protocol Overview

The client must create an account, send a request for signature, respond to a challenge send by the ACME server and then send the CSR for signature. In most cases, all these operations are fully automated.

About ACME validation process

ACME specifies 3 different validation methods, as per RFC 8555:

A fourth validation method is also commonly used. Known as tls-alpn-01, it relies on TLS ALPN extension to deliver a self-signed certificate that contains the challenge.

These 4 validation methods all have advantages and drawbacks, since it’s not always possible to use each of them:

Therefore when designing an ACME-base PKI automation solution, the choice and architecture used for validation is a key point.

ACME Clients

The other main key point is the choice of ACME clients. Some products or solutions include already an ACME client, making the choice a no-brainer.

For the other cases, here is a non-exhaustive list of ACME clients:

To learn more about using an ACME client on Linux and/or on Windows to request certificates, please follow these links: