ACME FAQs

Feb 20, 2024

ACME Overview

The ACME (Automated Certificate Management Environment) protocol is designed to automate certificate provisioning, renewal, and revocation processes by providing a framework for Certificate Authorities to communicate with agents installed on web servers.

ACME is an extensible framework for automating certificate issuance and domain validation procedures. ACME allows users to request certificate management actions using a set of JavaScript Object Notation (JSON) messages carried over HTTPS. Issuance using ACME resembles a traditional CA’s issuance process, in which a user creates an account, requests a certificate, and proves control of the domain(s) in that certificate for the CA to issue the requested certificate. 

GlobalSign’s integration with ACME conforms to the internet standard RFC 8555. Our ACME server is hosted on our cloud certificate management engine, Atlas. Once an ACME agent is bound to an Atlas account, users can use ACME to request and revoke CA/Browser Forum-compliant TLS certificates from Atlas without having to interface with the Atlas portal or APIs, and it can be programmed to do so automatically.

This support article provides FAQs for our ACME product. For more technical details on how to integrate your ACME client with our Atlas solution, please refer to our implementation guide.

FAQs

Can I issue certificates to subdomains of validated domains? 

No, each SAN contained in the certificate request must be validated using that exact domain name. For example, if you request a TLS certificate with the SANs www.example.com and example.com, then you must validate both www.example.com and example.com.

The GlobalSign Atlas APIs support the issuance of www.example.com when example.com is validated for some domain validation methods, but since ACME automates the domain validation process, each SAN in the certificate request must be individually validated.

How long does domain validation last?

Once you validate a domain, you may continue to issue certificates with that SAN for up to 397 days. Note that this period may change due to GlobalSign or industry requirement changes at any time.

What ACME clients does GlobalSign support?

We are constantly reviewing ACME clients against our service; check back often for updates!

Linux

  • Certbot - https://certbot.eff.org/
  • acme.sh - https://github.com/acmesh-official/acme.sh

Windows

  • win-acme - https://www.win-acme.com/

I misplaced my API credentials. What do I do?

Since we do not store your API credentials, you must create new API credentials via the Atlas portal.

I need more information about my MAC key.

  • The MAC key is a shared secret between the customer and the GlobalSign ACME service, which permits customers to bind their specific ACME client public key to their Atlas account (more precisely, to an API credential within the customer account).

  • When you request a MAC key, copy and paste it somewhere secure. This will be your only opportunity to do this. You will not be able to view your MAC key again in the Atlas portal.

  • To reduce the risk of MAC key compromise or abuse, each MAC key can be used for a maximum of 30 days and up to 1000 times.

  • In the event that the MAC key is inadvertently disclosed or compromised, the customer can create a new MAC key that disables the prior one.

  • Once a MAC key has expired or been used 1000 times, you must obtain a new MAC key before you can bind more ACME clients to your account.

  • The validity and remaining uses of the MAC key are available on the API credential card in the Atlas portal.
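As an added illustration (not GlobalSign's code or documentation), the following Python shows how an ACME client uses a MAC key of this kind. In RFC 8555's external account binding (section 7.3.4), the client HMAC-signs its own account public key with the MAC key and sends the resulting JWS in its newAccount request; the CA recomputes the MAC and, if it matches, ties the new ACME account to the customer account that owns the key. It assumes the MAC key is delivered base64url-encoded, as the RFC specifies. The key ID, newAccount URL and account JWK below are constructed placeholders, not Atlas values.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_part(text: str) -> dict:
    """Decode one base64url-encoded JSON part of a JWS."""
    return json.loads(b64url_decode(text))


def build_eab(mac_key_b64url: str, kid: str, new_account_url: str, account_jwk: dict) -> dict:
    """Client side: build the externalAccountBinding JWS (RFC 8555 section 7.3.4).

    protected header: {"alg": "HS256", "kid": <MAC key id>, "url": <newAccount URL>}
    payload:          the ACME account public key as a JWK
    signature:        HMAC-SHA256 over "<protected>.<payload>", keyed with the decoded MAC key
    """
    protected = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(mac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def verify_eab(mac_key_b64url: str, eab: dict, account_jwk: dict) -> bool:
    """Server side: recompute the MAC, check the algorithm, and confirm the bound key is the
    same key that signs the outer newAccount request. Any failure rejects the binding."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(mac_key_b64url), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    if decode_part(eab["protected"]).get("alg") != "HS256":
        return False
    return decode_part(eab["payload"]) == account_jwk


# Constructed placeholder values: not an Atlas key ID, MAC key, endpoint or real account key.
DEMO_KID = "demo-eab-kid-0001"
DEMO_MAC_KEY = b64url(b"constructed-demo-mac-key-not-a-secret")
DEMO_NEW_ACCOUNT_URL = "https://acme.example.test/new-account"
DEMO_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}

if __name__ == "__main__":
    eab = build_eab(DEMO_MAC_KEY, DEMO_KID, DEMO_NEW_ACCOUNT_URL, DEMO_ACCOUNT_JWK)
    print(json.dumps(eab, indent=2))
    print("binding verifies:", verify_eab(DEMO_MAC_KEY, eab, DEMO_ACCOUNT_JWK))
```

The verify side is what makes the handling rules above matter: anyone holding the MAC key value can bind an ACME account key of their own to the API credential, which is why the key is shown once, capped in lifetime and use count, and replaced (disabling the old one) if it is disclosed.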

What domain validation methods are supported?

The HTTP domain validation method (http-01) and DNS validation method (dns-01) are currently supported.

I’m getting an error when I try to issue a certificate or validate a domain. What do I do?

Please contact GlobalSign Support and include any error messages you’re receiving and the debug log so we can help resolve the issue.

How do I issue a certificate using acme.sh?

If you’re using the acme.sh agent, you will need to supply a CSR that has no Extended Key Usage (EKU) extension. You can create such a CSR using OpenSSL or another tool. If you let acme.sh generate the CSR itself during automatic certificate issuance, the request will fail with an error.

What signature algorithm should my CSR use?

Our ACME service is configured to issue certificates only with an RSA or ECC signature that uses SHA-256 as the hash algorithm. Normally your ACME agent generates the CSR for you, so you should not need to create and submit a valid CSR yourself. If you encounter an error that points to the CSR, the agent may be submitting one that our service rejects. Check the CSR and confirm it uses a SHA-256-based signature algorithm. If it doesn’t, configure your agent to submit one that does, or generate your own CSR and instruct the agent to use it.
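The two CSR requirements in this FAQ (no EKU extension for acme.sh, and a SHA-256-based signature algorithm) can be checked before the agent submits the request. The Python below is an added example, not GlobalSign's or acme.sh's code: it reads a PKCS#10 CSR (PEM or DER) with a minimal DER reader, reports the signature algorithm OID, and looks for the id-ce-extKeyUsage OID (2.5.29.37) among the request attributes. The sample requests it builds are constructed skeletons whose key and signature bytes are dummies, so their structure is real PKCS#10 but they would not pass a signature check; point check_csr at a real CSR file to use it.

```python
import base64

# Signature algorithm OIDs that the FAQ calls "SHA-256-based" (RSA and ECDSA with SHA-256).
SHA256_SIG_ALGS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
EKU_OID = "2.5.29.37"  # id-ce-extKeyUsage


def der_read(buf: bytes, pos: int = 0):
    """Read one DER TLV at pos and return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(contents: bytes) -> list:
    """Split the contents of a constructed value (SEQUENCE, SET, [n]) into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, inner, pos = der_read(contents, pos)
        out.append((tag, inner))
    return out


def decode_oid(contents: bytes) -> str:
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def find_oids(contents: bytes) -> list:
    """Collect every OID reachable through constructed nodes (primitive values are not descended)."""
    found = []
    for tag, inner in der_children(contents):
        if tag == 0x06:
            found.append(decode_oid(inner))
        elif tag & 0x20:
            found.extend(find_oids(inner))
    return found


def load_csr_der(csr) -> bytes:
    """Accept a PEM string/bytes (-----BEGIN CERTIFICATE REQUEST-----) or raw DER bytes."""
    if isinstance(csr, bytes) and csr[:1] == b"\x30":
        return csr
    text = csr.decode("ascii") if isinstance(csr, bytes) else csr
    body = "".join(line.strip() for line in text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def check_csr(csr) -> dict:
    """CertificationRequest ::= SEQUENCE { certificationRequestInfo, signatureAlgorithm, signature }."""
    tag, outer, _ = der_read(load_csr_der(csr))
    if tag != 0x30:
        raise ValueError("not a DER CertificationRequest")
    (_, cri), (_, alg_id), _ = der_children(outer)[:3]
    alg_oid = decode_oid(der_children(alg_id)[0][1])  # first element of AlgorithmIdentifier
    return {
        "signature_algorithm": SHA256_SIG_ALGS.get(alg_oid, alg_oid),
        "sha256_signature": alg_oid in SHA256_SIG_ALGS,
        "has_eku": EKU_OID in find_oids(cri),  # an EKU would sit in the extensionRequest attribute
    }


# Constructed sample requests: PKCS#10 structure, but dummy key and signature bytes.
def der(tag: int, contents: bytes) -> bytes:
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return der(0x06, body)


def sample_csr(sig_alg_oid: str, with_eku: bool) -> bytes:
    subject = der(0x30, der(0x31, der(0x30, encode_oid("2.5.4.3") + der(0x0C, b"www.example.com"))))
    spki = der(0x30, der(0x30, encode_oid("1.2.840.113549.1.1.1") + der(0x05, b"")) + der(0x03, b"\x00" * 17))
    attributes = b""
    if with_eku:  # extensionRequest attribute carrying an EKU of id-kp-serverAuth
        eku = der(0x30, encode_oid(EKU_OID) + der(0x04, der(0x30, encode_oid("1.3.6.1.5.5.7.3.1"))))
        attributes = der(0x30, encode_oid("1.2.840.113549.1.9.14") + der(0x31, der(0x30, eku)))
    cri = der(0x30, der(0x02, b"\x00") + subject + spki + der(0xA0, attributes))
    alg_id = der(0x30, encode_oid(sig_alg_oid) + der(0x05, b""))
    return der(0x30, cri + alg_id + der(0x03, b"\x00" * 17))


def to_pem(der_bytes: bytes) -> str:
    b64 = base64.b64encode(der_bytes).decode("ascii")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{lines}\n-----END CERTIFICATE REQUEST-----\n"


if __name__ == "__main__":
    for oid, eku in [("1.2.840.113549.1.1.11", False), ("1.2.840.113549.1.1.5", True)]:
        print(check_csr(to_pem(sample_csr(oid, eku))))
```

`openssl req -in request.csr -noout -text` shows the same "Signature Algorithm" field and any "X509v3 Extended Key Usage" line; the stdlib reader is here to make visible what those fields are. One caveat: RSASSA-PSS (OID 1.2.840.113549.1.1.10) names its hash in the algorithm parameters, which this reader does not parse, so such a CSR is reported by OID only rather than classified as SHA-256.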

Can I request a certificate for a subdomain if the parent domain has been successfully validated?

Yes, our ACME service is configured so that if you have successfully verified control of a parent domain, you may request certificates for any subdomains of that parent domain without having to validate those subdomains as well. Please note that this applies only to the DNS validation method.
