ACME Service Configuration and Certificate Issuance via HTTP Validation with Certbot

Nov 20, 2024

Prerequisites:

  1. API key and MAC key from the GlobalSign Atlas portal for EAB (External Account Binding), used to register your GlobalSign Atlas account with the ACME client
  2. Up-to-date version of Certbot (https://certbot.eff.org/docs/install.html)
  3. GlobalSign ACME URL: https://emea.acme.atlas.globalsign.com/directory

Note: The MAC key is a shared secret between you and the GlobalSign ACME server, which permits you to bind your specific ACME account key to your Atlas account (and more precisely, to an API credential within your Atlas account).

 

Domain Validation and Certificate Issuance

The HTTP domain validation method (http-01) relies on the ACME client placing a random value at a specific location on the target website. Certbot does HTTP validation by default.

Please use the following steps for domain validation and certificate issuance via Certbot:

  1. Check in a Linux environment that the Certbot client is installed by using: certbot --version

  2. If it’s not installed, install Certbot and check the version by using: sudo yum install certbot

  3. Check for the document root in your configuration file.

  4. Copy the document root path “/var/www/html”

  5. Use the following Certbot command to register your account and issue a certificate:
    certbot certonly --webroot -w "/var/www/html" -d "yourdomain.com" -n --agree-tos \
      --eab-kid ************* \
      --eab-hmac-key ********************************************************** \
      -m <your-email-address> \
      --server https://emea.acme.atlas.globalsign.com/directory --key-type rsa



    Please note: Each Atlas credential is hardcoded to be either RSA or ECC. If you have Atlas credentials for ECC certificates, you may delete the --key-type flag, as Certbot uses the ECC algorithm by default.

    If your Atlas account has already been registered to a Certbot client, then you can use the following command to request a certificate using the HTTP validation method:
    certbot certonly --webroot -w "/var/www/html" -d yourdomain.com --server https://emea.acme.atlas.globalsign.com/directory
  6. Once the certificate is issued, you will receive the location where the certificate is stored in your files. The private key is stored there as well, in case you need to configure the certificate for any service. For Apache or nginx implementations, the certificate may be automatically installed.
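
The registration command in step 5 puts the EAB MAC key on the command line, where it lands in shell history and is visible in the process list while Certbot runs. The following is an added example, not part of the original article or GlobalSign's own tooling: it writes the same options to a root-only Certbot config file passed with -c instead. The file paths, the function names and the EAB_KID / EAB_HMAC_KEY variable names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: build a 0600 Certbot ini so the EAB MAC key stays out of argv.
# Assumed credentials file format (constructed): two lines, EAB_KID=... and
# EAB_HMAC_KEY=..., readable by the owner only.

ACME_SERVER="https://emea.acme.atlas.globalsign.com/directory"

# Succeeds only if the file exists and has no group/other permission bits.
is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Read KEY=value from the credentials file without sourcing it as shell code.
read_cred() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# write_certbot_ini CREDS_FILE OUT_FILE EMAIL [KEY_TYPE]
write_certbot_ini() {
    creds=$1 out=$2 email=$3 key_type=${4:-rsa}
    is_private "$creds" || { echo "refusing: $creds is missing or readable by group/other" >&2; return 1; }
    kid=$(read_cred "$creds" EAB_KID)
    hmac=$(read_cred "$creds" EAB_HMAC_KEY)
    [ -n "$kid" ] && [ -n "$hmac" ] || { echo "missing EAB_KID or EAB_HMAC_KEY" >&2; return 1; }
    rm -f "$out"             # never reuse an existing file's looser mode
    (
        umask 077            # the ini is created as 0600 from the start
        cat > "$out" <<EOF
server = $ACME_SERVER
email = $email
agree-tos = true
non-interactive = true
key-type = $key_type
eab-kid = $kid
eab-hmac-key = $hmac
EOF
    )
}

# Usage (as root):
#   write_certbot_ini /root/atlas-eab.env /root/atlas-certbot.ini admin@example.com
#   certbot certonly -c /root/atlas-certbot.ini --webroot -w /var/www/html -d yourdomain.com
```

Once the account is registered, the ini file can be deleted: the follow-up command in step 5 for already-registered accounts does not pass the EAB values.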
     

 

Renewing a Certificate

In most cases, Certbot pre-configures automatic renewal of certificates ordered through the above process. However, if you are unsure if automatic renewal is enabled for your order, please refer to the following documentation for steps on how to verify and implement automatic renewals: https://eff-certbot.readthedocs.io/en/stable/using.html#renewing-certificates

Note that certificates generated manually (using the --manual plugin) do not have automatic renewal configured; renewal must be set up manually by following the instructions in the above link.

Please use the following link for more information: https://www.globalsign.com/en/repository/globalsign-acme-implementation-guide.pdf

 

 
