ACME FAQs

Jun 2, 2025

ACME Overview

ACME (Automated Certificate Management Environment) is a protocol defined in RFC 8555 that is designed to automate the issuance, provisioning, and renewal of digital certificates. ACME allows users to conduct certificate management actions using a set of JavaScript Object Notation (JSON) messages carried over HTTPS. Certificate issuance via ACME resembles that of a traditional certificate authority, in which a user creates an account, requests a certificate, and demonstrates control over the domain(s) covered by the requested certificate. 

With GlobalSign’s ACME service, customers set up an account on the GlobalSign Atlas platform and validate their organization information. Through External Account Binding (EAB), your ACME client is linked to your Atlas account. With EAB established, ACME can be used to automatically request and issue both publicly and privately trusted digital certificates from Atlas. 

This support article provides FAQs for the GlobalSign ACME service. For more information on how to configure your ACME client with our ACME server, please refer to our GlobalSign ACME Configuration Guide.

FAQs

Does the GlobalSign ACME service support subdomains?

Yes, using the DNS or EMAIL validation methods, the GlobalSign ACME server will issue certificates for subdomains. If you request a certificate for a subdomain, and the parent domain has already been verified through a separate certificate request, then the subdomain certificate will be issued without having to provide domain authorization for the subdomain.

The DNS validation method can be used directly through your ACME client. You may also validate the parent domain in the Atlas portal using the EMAIL validation method; the domain claim created as a result of EMAIL validation will be honored by our ACME server. 

Note that www.example.com is a subdomain of example.com and requires its own SAN entry but not its own validation if you have already verified example.com.

Does the GlobalSign ACME service support wildcard certificates? 

Yes, using the DNS validation method, the GlobalSign ACME server will issue certificates for wildcards. 

The DNS validation method can be used directly through your ACME client. You may also validate the parent domain in the Atlas portal using the DNS or EMAIL validation methods; the domain claim created through these methods will be honored by our ACME server.

How long does my domain remain validated?

Once you validate a domain, you may continue to issue certificates with that SAN for up to 397 days. Note that this period may change due to GlobalSign or industry requirement changes at any time.

What ACME clients work with the GlobalSign ACME service?

We have confirmed the following ACME clients work out-of-the-box with the GlobalSign ACME service.

ACME Client   Supported Platform   URL
Certbot   Linux, macOS, BSD   https://certbot.eff.org
win-acme   Windows   https://www.win-acme.com
simple-acme   Windows   https://simple-acme.com/
dehydrated   Linux   https://dehydrated.io
Certify The Web   Windows   https://certifytheweb.com/
acme.sh   Linux, macOS, Windows, BSD   https://github.com/acmesh-official/acme.sh
Lego   Linux   https://go-acme.github.io/lego/

I misplaced my API credentials. What do I do?

You can retrieve your API key from the Atlas portal by navigating to Access Credentials > API Credentials and then locating your API key in a credential card. We do not store MAC keys, so if yours has been lost, you will need to request a new one in the Atlas portal.

What is the MAC key?

The MAC key is a shared secret between your ACME client and the GlobalSign ACME server. It permits you to bind your specific ACME client public key to your Atlas account (more precisely, to your API credential within your Atlas account). This action is called External Account Binding. The MAC key is only used for this purpose; it is not required for other ACME client requests.

When you generate a MAC key through the Atlas portal, copy and paste it somewhere secure. This will be your only opportunity to do this as we do not store the key and you will not be able to view your MAC key again in the Atlas portal.

To reduce the risk of MAC key compromise or abuse, each MAC key can be used for a maximum of 30 days or up to 1000 times. The validity and remaining uses are shown on the API credential card in the Atlas portal. 

If the MAC key is inadvertently disclosed or compromised, expires, or has been used the maximum number of times, you can generate a new MAC key through the Atlas portal. This will overwrite the original MAC key, but any ACME clients that used the original MAC key will continue to make requests as normal. If the original MAC key is compromised, you may want to consider redoing External Account Binding, using a new MAC key, for any ACME clients that used the original one.

If you need to disable an affected client, you will need to get a new API key and MAC key from the Atlas portal, re-bind the ACME client with the new credentials, and then revoke the original credentials in the Atlas portal.

What domain validation methods are supported?

The HTTP domain validation method (http-01) and DNS validation method (dns-01) are currently supported.

I get an error when I try to issue a certificate or validate a domain. What do I do?

Please contact GlobalSign Support and include any error messages you’re receiving and the debug log so we can help resolve the issue.

I got an error about the CSR in my certificate request. What do I do?

GlobalSign only accepts CSRs signed with SHA-256 or a stronger signature algorithm. If you encounter an error when requesting a certificate that appears to indicate a problem with the signature algorithm, you may need to modify the ACME client configuration files to specify a SHA-256 signature algorithm, or generate your own CSR and instruct the client to use that instead.

GlobalSign ACME Directory Objects 

GlobalSign supports the following directory URLs and account management functions according to the ACME RFC.

Field  Description
newNonce  Request a new nonce 
newOrder  Request a new (certificate) order 
newAuthz  Request a new authorization 
newAccount  Request a new account 
onlyReturnExisting  A client can look up an account URL based on an account key 
contact  A client can modify the contact details of an existing account 
externalAccountBinding  An ACME account securely binds itself to a CA account for dedicated certificate management 
deactivated  Deactivate an ACME account 
revokeCert  Revoke a certificate 
keyChange  Change the public key that is associated with an account 
