The ACME protocol (Automated Certificate Management Environment) is a network protocol designed to automate domain validation and the delivery of X.509 certificates. The protocol was originally designed by the Internet Security Research Group (ISRG) for its own certificate delivery service, Let's Encrypt. The protocol is now published as an Internet Standard in RFC 8555. The ISRG itself is backed by companies such as Cisco, Google, Mozilla and Facebook.
ACME v1 was released on April 12, 2016 but is now deprecated.
The latest and currently supported version, ACME v2, was released on March 13, 2018.
ACME v2's main new feature is support for wildcard domains. It is not backwards compatible with ACME v1.
SSL certificates are usually used on the Internet to secure communications with a website. They certify the website's identity based on its DNS domain name. These certificates are issued by public Certification Authorities using three validation strategies:
Essentially, the steps to obtain a certificate using the Domain Validation (DV) process are the following:
ACME aims to automate the mechanisms of the Domain Validation process by providing a framework that automates both the identity verification procedure and the certificate delivery.
Issuing a certificate through the ACME protocol is very similar to issuing one through a CA's usual DV process:
Here is the process of requesting a certificate using the ACME protocol, in detail:
The client must create an account, send a request for signature, respond to a challenge sent by the ACME server and then send the CSR for signing. In most cases, all these operations are fully automated.
ACME specifies 3 different validation methods, as per RFC 8555:
A fourth validation method is also commonly used. Known as tls-alpn-01, it relies on the TLS ALPN extension to deliver a self-signed certificate that contains the challenge.
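The challenge step described above (the client proving control of the domain before the CSR is signed) comes down to a small piece of encoding defined in RFC 8555 section 8.1: the key authorization is the challenge token, a dot, and the RFC 7638 thumbprint of the account's public key. For http-01 that string is served at `/.well-known/acme-challenge/<token>`; for dns-01 its SHA-256 hash, base64url-encoded, is published as a TXT record. The following Python is an added example, not code from the original article or from any ACME client; the account keys and the token are constructed placeholders (the RSA modulus is not a real key), and only the encoding and comparison rules follow the RFCs.

```python
"""Worked ACME challenge encoding (RFC 8555 section 8.1, RFC 7638 thumbprint).

Added example; constructed keys and token, not real credentials.
"""
import base64
import hashlib
import json
import re

# Constructed account keys: values are placeholders, not real key material.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "0vx7agoebGc"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}

# Constructed token in the shape RFC 8555 requires: base64url alphabet, no padding.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# Only the public members of each key type enter the thumbprint (RFC 7638 section 3.2).
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME and JWS use throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """Canonical JSON of the required members: keys sorted lexicographically,
    no whitespace. Any other serialization yields a different thumbprint."""
    members = {k: jwk[k] for k in _THUMBPRINT_MEMBERS[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: base64url(SHA-256(canonical JSON)); always 43 characters."""
    digest = hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest()
    return b64url(digest)


def is_valid_token(token: str) -> bool:
    """RFC 8555 section 8.3: a token contains only base64url characters and no
    padding. An http-01 responder should reject anything else before using the
    token to build a URL path (e.g. a token containing '/' or '..')."""
    return re.fullmatch(r"[A-Za-z0-9_-]+", token) is not None


def key_authorization(token: str, account_jwk: dict) -> str:
    """keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey))."""
    if not is_valid_token(token):
        raise ValueError("token is not base64url-encoded")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_path(token: str) -> str:
    """URL path at which the key authorization must be served for http-01."""
    if not is_valid_token(token):
        raise ValueError("token is not base64url-encoded")
    return f"/.well-known/acme-challenge/{token}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record value for _acme-challenge.<domain>: base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def validate_http01_response(body: str, token: str, account_jwk: dict) -> bool:
    """The CA's side of http-01: recompute the key authorization from the account
    key it holds and compare it with the body it fetched. RFC 8555 section 8.3 lets
    the server ignore trailing whitespace, so a trailing newline is tolerated."""
    return body.rstrip() == key_authorization(token, account_jwk)


if __name__ == "__main__":
    ka = key_authorization(TOKEN, ACCOUNT_JWK)
    print("serve at", http01_path(TOKEN), "->", ka)
    print("dns-01 TXT value ->", dns01_txt_value(TOKEN, ACCOUNT_JWK))
    print("CA accepts body:", validate_http01_response(ka + "\n", TOKEN, ACCOUNT_JWK))
```

The comparison in `validate_http01_response` is what ties the challenge to the account: a response built with a different account key (the `OTHER_JWK` case) has the right token but the wrong thumbprint, so the CA rejects it even though it was served from the right URL.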
These four validation methods all have advantages and drawbacks, since it is not always possible to use each of them:
Therefore, when designing an ACME-based PKI automation solution, the choice of validation method and the architecture used for it is a key point.
The other main key point is the choice of ACME client. Some products or solutions already include an ACME client, making the choice a no-brainer.
For the other cases, here is a non-exhaustive list of ACME clients:
To learn more about using an ACME client on Linux or Windows to request certificates, please follow these links: