ACME Overview

The ACME (Automated Certificate Management Environment) protocol is designed to automate certificate provisioning, renewal, and revocation processes by providing a framework for Certificate Authorities to communicate with agents installed on web servers. 

ACME is an extensible framework for automating certificate issuance and domain validation procedures. ACME allows users to request certificate management actions using a set of JavaScript Object Notation (JSON) messages carried over HTTPS. Issuance using ACME resembles a traditional CA’s issuance process, in which a user creates an account, requests a certificate, and proves control of the domain(s) in that certificate for the CA to issue the requested certificate. 

GlobalSign’s integration with ACME conforms to the internet standard RFC 8555. Our ACME server is hosted on our cloud certificate management engine Atlas. Once an ACME agent is bound to an Atlas account, users can use ACME to request and revoke CA/Browser Forum-compliant DV TLS certificates from Atlas without having to interface with the Atlas portal or APIs, and the agent can be programmed to do so automatically.

This support article provides FAQs for our ACME product. For more technical details on how to integrate your ACME client with our Atlas solution, please refer to our implementation guide.

FAQs

Can I issue certificates to subdomains of validated domains? 

No, each SAN contained in the certificate request must be validated using that exact domain name. For example, if you request a TLS certificate with SANs www.example.com and example.com, then you must validate both www.example.com and example.com. 

The GlobalSign Atlas APIs support issuance of www.example.com when example.com is validated for some domain validation methods, but since ACME automates the domain validation process, each SAN in the certificate request must be individually validated.

How long does domain validation last? 

Once you validate a domain, you may continue to issue certificates with that SAN for up to 397 days. Note that this period may change at any time due to changes in GlobalSign or industry requirements.

What ACME clients does GlobalSign support? 

We are constantly reviewing ACME clients against our service; check back often for updates!

Linux  

  • Certbot - https://certbot.eff.org/  
  • acme.sh - https://github.com/acmesh-official/acme.sh  

Windows  

  • win-acme - https://www.win-acme.com/  

I misplaced my API credentials, what do I do? 

Since we do not store your API credentials, you must create new API credentials via the Atlas Platform. 

I need more information about my MAC key 

  • The MAC key is a shared secret between the customer and the GlobalSign ACME service which permits customers to bind their specific ACME client public key to their Atlas account (and more precisely, to an API credential within the customer account).   

  • To reduce the risk of MAC key compromise or abuse, each MAC key can be used for a maximum of 30 days and up to 1000 times.  

  • In the event that the MAC key is inadvertently disclosed or compromised, the customer can create a new MAC key which disables the prior one.   

  • Once a MAC key has expired or been used 1000 times, you must obtain a new MAC key before you can bind more ACME clients to your account.

  • The validity and remaining uses are available on the API credential card in the Atlas portal. 
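
As an added illustration (not GlobalSign's code), the sketch below shows how a shared MAC key can bind an ACME client's public key to an account, using the external account binding structure from RFC 8555 section 7.3.4 and assuming that is the mechanism in use here. The key ID, MAC key, account JWK and URL are constructed placeholders, and `build_eab` and `verify_eab` are hypothetical helper names.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(mac_key_b64url: str, protected: str, payload: str) -> bytes:
    # HS256 over the JWS signing input "protected.payload"
    signing_input = f"{protected}.{payload}".encode("ascii")
    return hmac.new(b64url_decode(mac_key_b64url), signing_input, hashlib.sha256).digest()

def build_eab(account_jwk, kid, mac_key_b64url, new_account_url):
    """Client side: wrap the account public key in a JWS keyed by the MAC key."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signature = b64url(_mac(mac_key_b64url, protected, payload))
    return {"protected": protected, "payload": payload, "signature": signature}

def verify_eab(eab, outer_jwk, mac_key_b64url, new_account_url):
    """Server side: the binding must name this URL, carry the same key that
    signed the outer newAccount request, and have a valid MAC."""
    header = json.loads(b64url_decode(eab["protected"]))
    if header.get("alg") != "HS256" or header.get("url") != new_account_url:
        return False
    if "nonce" in header:  # RFC 8555: the inner JWS must not carry a nonce
        return False
    if json.loads(b64url_decode(eab["payload"])) != outer_jwk:
        return False
    expected = _mac(mac_key_b64url, eab["protected"], eab["payload"])
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))

# Constructed sample values (not real credentials, not a valid curve point)
MAC_KEY = b64url(bytes(range(32)))  # assumed to be delivered base64url-encoded
KID = "constructed-key-id"
URL = "https://acme.example/new-account"
JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}

if __name__ == "__main__":
    eab = build_eab(JWK, KID, MAC_KEY, URL)
    print(json.dumps({"externalAccountBinding": eab}, indent=2))
    print("valid:", verify_eab(eab, JWK, MAC_KEY, URL))
```

Because the MAC covers the public key itself, a binding captured for one client key fails verification when presented with a different key or a different MAC key.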

How do I view my MAC key?

From your API credential card, click the three-dots icon and then click Manage ACME MAC. Details on your MAC key are displayed in the pop-up.

What domain validation methods are supported? 

The HTTP domain validation method (http-01) and DNS validation method (dns-01) are currently supported. 

Can I issue test/non-public certificates? 

Yes, we have a private CA that is allowlisted with our ACME service. Speak with your GlobalSign Sales Manager for details.  

I’m getting an error when I try to issue a certificate/validate a domain, what do I do?

Please contact GlobalSign Support and include any error messages you’re receiving so we can resolve the issue. 
