What is ACME?

Automated Certificate Management Environment is a communications protocol that uses an agent to automate the CSR creation and certificate/key rotation processes. It is largely utilized by Let’s Encrypt as part of their business model of providing 90-day Domain Validated certificates (since Organizational Validation and Extended Validation certificates require human supervision to issue, negating the point of ACME) and automated renewals.

The protocol was created by the Internet Security Research Group (ISRG) for the Let’s Encrypt CA and is free to use as an open-source utility. While Let’s Encrypt initially only used ACME to issue x.509 (SSL/TLS) certificates, other CAs, PKI vendors, and browsers are now beginning to support ACME for other types of certificates (S/MIME, Code-signing). However, in order to use them, the CA must have access to the published DNS/HTTPS token. As a result, it is better suited for use as an internal PKI issuance technique.

How Does It Work?

The ACME protocol is intended to allow you to set up an HTTPS server and have it automatically receive a certificate without the need for any human participation. This is accomplished by installing and executing a certificate management agent on the web server. To further understand the ACME protocol, consider how a certificate authority (CA) issues a domain verified (DV) TLS/SSL certificate for website security:

1. The web Administrator sends the CA the CSR and domain information and requests the certificate.
2. The CA will usually request proof that the web administrator has authority over the domain name. For example, the web administrator can check the domain’s DNS TXT record and confirm control. It is usually a computerized procedure.
3. The CA will issue a certificate that may be obtained from the CA site once the domain controller has been validated.
4. The certificate is obtained and installed on the web server.

ACME protocols replicate the manual process and automate it to the point where no user participation is required. This procedure consists of two phases. First, the agent verifies to the CA that the web server is the owner of a domain. The agent is then able to request, renew, and revoke certificates for that domain. Here is a detailed process flow that illustrates how it works.

What are the benefits of using ACME?

Fewer Configuration Mistakes

Because no human participation is required, there are no possible errors while issuing, renewing, installing, or revoking certificates. This may also result in less net downtime.

Increased Security

The protocol makes it easier to employ limited validity DV certificates, shortening the renewal cycle and thereby improving security.

Quick CA and Key Migration

As more commercial CAs implement ACME, customers can quickly migrate to another CA in the case of a breach; the agent can even replace all old certificates with new ones from the new CA.

Cost Savings: Automating certificate processes saves time and effort, and hence money. Furthermore, the protocol is open-source and completely free to use.

Does ACME support only DV certificates?

This is because DV certificates do not need advanced verification from the requester prior to the issue. Only the domain’s existence is certified, and this is done without any human participation. Greater classes of certificates that give a higher level of confidence (EV certificates, for example) need verification by the requester themselves – the procedure is carried out by a real person and can take days. The requirement for manual involvement negates the use of ACME, which is why DV certificates are the most usually produced.

However, ACME may also be used to request other types of certificates. To do this, additional processes must act in tandem with the ACME agent. You must be verified by the CA (using the required protocols for EV or OV certification) and renew the validity every two years (or whenever it expires). Aside from that, the procedure stays unchanged.