Automatic Certificate Management Environment (ACME)
Automatic Certificate Management Environment (ACME) is a protocol and framework, published by the IETF as RFC 8555, for requesting and issuing certificates that require domain validation.
The protocol exchanges JSON-formatted messages over HTTPS with a CA and automates the validation of domain control by having the ACME client perform an action that only someone in control of the domain name can perform. For example, the CA can request that a specific DNS record be provisioned, or that a specific HTTP resource be made available on a web server at the domain name.
After the CA has validated that the entity requesting the certificate controls the domain, the CA signs the certificate request that the ACME client sends to it. Typically, the client then installs the resulting certificate automatically at a location that services running on the system can use.
ACME lowers the cost and complexity of managing public key infrastructure. Depending on the CA you choose, obtaining signed certificates for systems within your domains can even be free. For example, Let's Encrypt, the originator of the ACME protocol, provides a free and open CA service, and other commercial CAs are also starting to offer free ACME-based certificates.
While the first version of the ACME protocol could be used to create only single-domain certificates, ACME v2 can be used to create and sign certificates for wildcard domains, such as *.example.com. Therefore, you can use a single certificate across all subdomains. Note that ACME only validates control of domains. If you need certificates that require validation beyond domain control, you might need signed certificates from an established CA that offers services beyond ACME.
If you need to create and issue certificates across an infrastructure to run TLS/SSL-protected services, consider using a CA that supports ACME together with an ACME client. An ACME client can automatically generate the key pairs and CSR, submit the CSR to a CA for validation, perform any validation steps the CA requires, obtain the signed certificate, and store it somewhere accessible to services and applications. Many clients also set up periodic cron tasks that check for certificate expiry and automatically request a new certificate before the current one expires.