The ACME (Automated Certificate Management Environment) protocol is designed to automate certificate provisioning, renewal, and revocation processes by providing a framework for Certificate Authorities to communicate with agents installed on web servers.
GlobalSign’s integration with ACME conforms to the internet standard RFC 8555. Our ACME server is hosted on our cloud certificate management engine Atlas. Once an ACME agent is bound to an Atlas account, users can use ACME to request and revoke CA/Browser Forum-compliant DV TLS certificates from Atlas without having to interface with the Atlas portal or APIs, and the agent can be programmed to do so automatically.
This support article provides FAQs for our ACME product. For more technical details on how to integrate your ACME client with our Atlas solution, please refer to our implementation guide.
No, each SAN contained in the certificate request must be validated using that exact domain name. For example, if you request a TLS certificate with SANs www.example.com and example.com, then you must validate both www.example.com and example.com.
The GlobalSign Atlas APIs support issuance of www.example.com when example.com is validated for some domain validation methods, but since ACME automates the domain validation process, each SAN in the certificate request must be individually validated.
Once you validate a domain, you may continue to issue certificates with that SAN for up to 397 days. Note that this period may change at any time due to changes in GlobalSign or industry requirements.
We are constantly reviewing ACME clients against our service. Check back often for updates!
Since we do not store your API credentials, you must create new API credentials via the Atlas Platform.
The MAC key is a shared secret between the customer and the GlobalSign ACME service which permits customers to bind their specific ACME client public key to their Atlas account (and more precisely, to an API credential within the customer account).
To reduce the risk of MAC key compromise or abuse, each MAC key can be used for a maximum of 30 days and up to 1000 times.
In the event that the MAC key is inadvertently disclosed or compromised, the customer can create a new MAC key which disables the prior one.
Once a MAC key has expired or been used 1000 times, you must obtain a new MAC key before you can bind more ACME clients to your account.
The validity and remaining uses are available on the API credential card in the Atlas portal.
From your API credential card, click the three-dots icon and then click Manage ACME MAC. Details on your MAC key are displayed in the pop-up.
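The binding of a client public key to an account with a shared MAC key is what RFC 8555 section 7.3.4 calls external account binding. The sketch below is an added example, not GlobalSign's code: it shows both sides of that exchange, and why a MAC computed over one account key cannot be reused for another. The key identifier, MAC key, JWK values and URL are constructed, and the use of HS256 is an assumption.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_eab(account_jwk, kid, mac_key, url):
    """Client side: MAC the ACME account public key with the shared MAC key."""
    header = {"alg": "HS256", "kid": kid, "url": url}  # no nonce in the inner JWS
    protected = b64u(json.dumps(header).encode())
    payload = b64u(json.dumps(account_jwk, sort_keys=True).encode())
    tag = hmac.new(mac_key, f"{protected}.{payload}".encode(), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64u(tag.digest())}

def verify_eab(eab, outer_jwk, mac_keys, url):
    """Server side: accept only if the MAC is valid and covers the outer request's key."""
    header = json.loads(b64u_dec(eab["protected"]))
    mac_key = mac_keys.get(header.get("kid"))  # unknown or disabled key id -> None
    if mac_key is None or header.get("alg") != "HS256":
        return False
    if header.get("url") != url or "nonce" in header:
        return False
    signing_input = f'{eab["protected"]}.{eab["payload"]}'.encode()
    expected = hmac.new(mac_key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_dec(eab["signature"])):
        return False
    # The MAC'd payload must be the same key that signed the newAccount request.
    return json.loads(b64u_dec(eab["payload"])) == outer_jwk

# Constructed sample values (not real keys, credentials or endpoints).
NEW_ACCOUNT_URL = "https://acme.example/new-account"
KID = "example-key-id"
MAC_KEY = b"constructed-shared-secret-32byte"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "another-x", "y": "another-y"}

if __name__ == "__main__":
    eab = build_eab(ACCOUNT_JWK, KID, MAC_KEY, NEW_ACCOUNT_URL)
    print(verify_eab(eab, ACCOUNT_JWK, {KID: MAC_KEY}, NEW_ACCOUNT_URL))  # bound key
    print(verify_eab(eab, OTHER_JWK, {KID: MAC_KEY}, NEW_ACCOUNT_URL))    # different key
```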
The HTTP domain validation method (http-01) and DNS validation method (dns-01) are currently supported.
Yes, we have a private CA that is allowlisted with our ACME service. Speak with your GlobalSign Sales Manager for details.
Please contact GlobalSign Support and include any error messages you’re receiving so we can resolve the issue.