ACME FAQs
Jun 2, 2025
ACME FAQs
ACME Overview
ACME (Automated Certificate Management Environment) is a protocol defined in RFC 8555 that is designed to automate the issuance, provisioning, and renewal of digital certificates. ACME allows users to conduct certificate management actions using a set of JavaScript Object Notation (JSON) messages carried over HTTPS. Certificate issuance via ACME resembles that of a traditional certificate authority, in which a user creates an account, requests a certificate, and demonstrates control over the domain(s) covered by the requested certificate.
With GlobalSign’s ACME service, customers set up an account on the GlobalSign Atlas platform and validate their organization information. Through External Account Binding (EAB), your ACME client is linked to your Atlas account. With EAB established, ACME can be used to automatically request and issue both publicly and privately trusted digital certificates from Atlas.
This support article provides FAQs for the GlobalSign ACME service. For more information on how to configure your ACME client with our ACME server, please refer to our GlobalSign ACME Configuration Guide.
FAQs
Does the GlobalSign ACME service support subdomains?
Yes, using the DNS or EMAIL validation methods, the GlobalSign ACME server will issue certificates for subdomains. If you request a certificate for a subdomain, and the parent domain has already been verified through a separate certificate request, then the subdomain certificate will be issued without having to provide domain authorization for the subdomain.
The DNS validation method can be used directly through your ACME client. You may also validate the parent domain in the Atlas portal using the EMAIL validation method; the domain claim created as a result of EMAIL validation will be honored by our ACME server.
Note that www.example.com is a subdomain of example.com and requires its own SAN entry but not its own validation if you have already verified example.com.
Does the GlobalSign ACME service support wildcard certificates?
Yes, using the DNS validation method, the GlobalSign ACME server will issue certificates for wildcards.
The DNS validation method can be used directly through your ACME client. You may also validate the parent domain in the Atlas portal using the DNS or EMAIL validation methods; the domain claim created through these methods will be honored by our ACME server.
How long does my domain remain validated?
Once you validate a domain, you may continue to issue certificates with that SAN for up to 397 days. Note that this period may change due to GlobalSign or industry requirement changes at any time.
What ACME clients work with the GlobalSign ACME service?
We have confirmed the following ACME clients work out-of-the-box with the GlobalSign ACME service.
| ACME Client | Supported Platform | URL |
|---|---|---|
| Certbot | Linux macOS BSD |
https://certbot.eff.org |
| win-acme |
Windows |
https://www.win-acme.com |
| simple-acme | Windows | https://simple-acme.com/ |
| dehydrated | Linux | https://dehydrated.io |
| Certify The Web | Windows | https://certifytheweb.com/ |
|
acme.sh |
Linux macOS Windows BSD |
https://github.com/acmesh-official/acme.sh |
| Lego | Linux | https://go-acme.github.io/lego/ |
I misplaced my API credentials. What do I do?
You can retrieve your API key from the Atlas portal by navigating to Access Credentials > API Credentials and then locating your API key in a credential card. We do not store MAC keys, so if that has been lost then you will need to request a new one in the Atlas portal.
What is the MAC key?
The MAC key is a shared secret between ACME client and the GlobalSign ACME server, which permits you to bind your specific ACME client public key to your Atlas account (more precisely, to your API credential within Atlas account). This action is called External Account Binding. The MAC key is only used for this purpose; it is not required for other ACME client requests.
When you generate a MAC key through the Atlas portal, copy and paste it somewhere secure. This will be your only opportunity to do this as we do not store the key and you will not be able to view your MAC key again in the Atlas portal.
To reduce the risk of MAC key compromise or abuse, each MAC key can be used for a maximum of 30 days or up to 1000 times. The validity and remaining uses are shown on the API credential card in the Atlas portal.
In the event that the MAC key is inadvertently disclosed or compromised, or it expires or has been used the maximum number of times, you can generate a new MAC key through the Atlas portal. This will overwrite the original MAC key, but any ACME clients that used the original MAC key will continue to make requests as normal. If the original MAC key is compromised, you may want to consider redoing External Account Binding with any ACME clients that have used that MAC key with a new one.
If you need to disable an affected client, you will need to get a new API and MAC key from the Atlas portal, re-bind the ACME client with the new credentials, and then revoke the original credentials in the Atlas portal.
What domain validation methods are supported?
The HTTP domain validation method (http-01) and DNS validation method (dns-01) are currently supported.
I get an error when I try to issue a certificate or validate a domain. What do I do?
Please contact GlobalSign Support and include any error messages you’re receiving and the debug log so we can help resolve the issue.
I got an error about the CSR in my certificate request. What do I do?
GlobalSign will only accept CSRs signed with a minimum SHA-256 signature algorithm. If you encounter an error when requesting a certificate that seems to indicate a problem with the signature algorithm, you may need to modify the ACME client config files to specify using a SHA-256 signature algorithm or generate your own CSR and instruct the client to use that instead.
GlobalSign ACME Directory Objects
GlobalSign supports the following directory URLs and account management functions according to the ACME RFC.
| Field | Description |
|---|---|
| newNonce | Request a new nonce |
| newOrder | Request a new (certificate) order |
| newAuthz | Request a new authorization |
| newAccount | Request a new account |
| onlyReturnExisting | A client can look up an account URL based on an account key |
| contact | A client can modify the contact details of an existing account |
| externalAccountBinding | An ACME account securely binds itself to a CA account for dedicated certificate management |
| deactivated | Deactivate an ACME account |
| revokeCert | Revoke a certificate |
| keyChange | Change the public key that is associated with an account |
Related Articles
SSL Configuration Test
Check your certificate installation for SSL issues and vulnerabilities.