CZERTAINLY

When ACME meets CZERTAINLY

Community, Innovation, News / By Roman Cinkais / February 7, 2022 / Tags: ACME, ACME Account, ACME Profile, acme.sh, Automation, cert-manager, Certbot, Certificate, Challenge, Client, CLM, Cryptography, CZERTAINLY, Innovation, ISRG, Lifecycle, Management, Order, PKI, Platform, Protection, RA Profile, RFC8555, Security, Server, Validation

Certificate management and automation of the certificate lifecycle are key components needed to protect your environment from outages and security breaches. Protocols, whether standardized or proprietary, play an important role in this process.

We are pleased to announce that the CZERTAINLY platform now fully supports the ACME (Automatic Certificate Management Environment) protocol.

When ACME meets CZERTAINLY, both of them become stronger. Later in this article we explain why. But let’s start from the beginning.

What exactly is ACME?

The ACME protocol, in its final version, is defined by RFC 8555 – Automatic Certificate Management Environment (ACME).

The purpose of this protocol is to support automated requesting, validating, and issuing of certificates, mainly for web servers that can prove ownership of their domain resources. It was designed by the Internet Security Research Group (ISRG) for the Let’s Encrypt service, which became a standard for many services due to its simplicity and low cost.

There are 2 main components in ACME:

  • The ACME server accepts requests from clients, manages accounts, and validates the challenges that prove ownership of the domains. Once the authorized client has passed the challenge, the certificate is issued by the certification authority and downloaded by the client.
  • The ACME client is responsible for complying with the terms of service and for generating its own key pair and certificate signing request. Once the challenge is generated by the ACME server, the client must prove its ownership by one of the allowed and supported methods (typically by serving an HTTP resource or by proving control of DNS records).

There are many implementations of ACME clients; some of the most popular are Certbot, acme.sh, and cert-manager for Kubernetes.
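The challenge validation described above is the security core of ACME: the server only issues a certificate once the client has proven control of the domain. The following is an added example, not code from the CZERTAINLY project or from the original post, that shows in Python how the key authorization for the HTTP-01 and DNS-01 challenges is derived from the account key (RFC 7638 thumbprint, RFC 8555 sections 8.1, 8.3 and 8.4) and how a server would check the client's response. The account JWK and the token are constructed placeholders, not a real key or a real challenge.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample account key (public EC P-256 JWK) as sent in an ACME account
# registration. The coordinates are placeholders, not a real curve point.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "x_coordinate_placeholder_not_a_real_point_00",
    "y": "y_coordinate_placeholder_not_a_real_point_00",
    "alg": "ES256",  # extra members are ignored by the thumbprint
    "use": "sig",
}

# Constructed sample challenge token (the real one is chosen by the ACME server).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Required members per key type (RFC 7638 section 3.2); all other members are dropped.
_REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON (required members only,
    lexicographic order, no whitespace), base64url-encoded."""
    members = _REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_url(domain: str, token: str) -> str:
    """Where the server fetches the HTTP-01 response (RFC 8555 section 8.3)."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value is base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def validate_http01(served_body: str, token: str, jwk: dict) -> bool:
    """Server-side check of the fetched HTTP-01 body. Trailing whitespace is ignored
    per section 8.3; the comparison is constant-time."""
    expected = key_authorization(token, jwk).encode("ascii")
    return hmac.compare_digest(served_body.rstrip().encode("ascii", "replace"), expected)


def validate_dns01(txt_records: list, token: str, jwk: dict) -> bool:
    """Server-side check of the _acme-challenge TXT records for the domain."""
    expected = dns01_txt_value(token, jwk).encode("ascii")
    return any(hmac.compare_digest(r.encode("ascii", "replace"), expected) for r in txt_records)


if __name__ == "__main__":
    domain = "example.test"  # constructed sample domain
    print("HTTP-01 URL:  ", http01_url(domain, SAMPLE_TOKEN))
    print("HTTP-01 body: ", key_authorization(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
    print("DNS-01 TXT:   ", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

The point worth noticing is that the proof is bound to the account key through the thumbprint: a response copied from another account's challenge does not validate, and neither does a body that the client published for a different token. Real ACME servers additionally check the token format and fetch the resource from an independent network vantage point, which this example does not model.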

We are not going to explain in detail how ACME works; there are many detailed articles on the web, and RFC 8555 itself. Let’s take a look at how it works with CZERTAINLY.

[Figure: Sample ACME Accounts]

ACME and CZERTAINLY

The CZERTAINLY platform implements protocols for consistent and secure certificate management. You can use the protocols independently of the underlying technologies, which provides a high level of flexibility and seamless migration if necessary.

Seen from a different perspective, the platform works as a proxy between the clients that use the protocols and the PKI core technologies, such as certification authorities. The benefits of this approach and setup are:

  • easy and convenient migration between technologies, without impact on or effort from the clients consuming the services
  • agility in switching between technologies in case of an obsolete algorithm or revoked certificates
  • consistent and compliant certificate management in hybrid environments
  • full control of the certificate lifecycle and its usage

For the ACME implementation this means that CZERTAINLY supports issuing certificates not only for web servers, but also for clients, IoT devices, and many more.

As the CZERTAINLY platform is technology-agnostic, you can start using ACME consistently with any certification authority, including Microsoft ADCS.

ACME Profiles and Accounts

For the management of ACME, our platform defines two objects:

  • ACME Profile, which contains the configuration of the ACME server and effectively creates an instance of the ACME server, and
  • ACME Account, which represents a registered ACME client that is authorized to consume services from the ACME server behaving according to the configuration of the ACME Profile

Using ACME Profiles and Accounts, you have full control over the deployment of certificates on different certification authorities. ACME Accounts can be disabled or enabled without affecting their status as defined by RFC 8555. This gives you better control over an ACME Account without the need to revoke it and create a new one.

[Figure: Sample ACME Profile details]
[Figure: Sample ACME Account details]

ACME and RA Profiles

The CZERTAINLY implementation of ACME gives clients and administrators the flexibility to choose how the ACME endpoints they run are bound to our unique concept of the RA Profile.

You can configure an ACME Profile with or without an RA Profile, and/or you can enable the ACME API for one particular RA Profile only. There are 2 ACME APIs implemented in the platform:

  • ACME Profile ACME API – to use the ACME Profile directly from the client. In this case, the ACME Profile is configured with a default RA Profile, which is used to manage the certificates
  • RA Profile ACME API – any RA Profile can have a specific ACME Profile enabled. In this case the ACME API is managed by the RA Profile, and you do not have to configure that RA Profile as the default for the ACME Profile

These APIs cover all use cases for the setup of ACME clients. To decide which one to use, there are simple rules:

  • if you would like to allow ACME clients to work only with one specific RA Profile, use the RA Profile ACME API
  • if you would like the flexibility to change the RA Profile used by the ACME client, use the ACME Profile ACME API

With this approach, ACME and CZERTAINLY together form a very strong partnership that can help you with almost any use case and brings the benefits of automated certificate management. Using any technology!

[Figure: Sample RA Profile ACME activation]

Start using CZERTAINLY

The CZERTAINLY platform and its ACME implementation are open source. You can download the source code from our GitHub repositories.

We believe that this is an important contribution to the world of digital certificates, public key infrastructure, and automation of certificate management related tasks!

Other resources that will help you get started with the platform and ACME are:

  • ACME documentation
  • ACME protocol APIs
  • Core ACME management APIs
  • Open discussions

In case you would like to know more, do not hesitate and get in touch with us! We are open to collaboration, improvement of the platform, extending its functionality, and support for many different technologies.

Get more information about CZERTAINLY

CZERTAINLY is an open-source platform for effective and efficient certificate lifecycle management for companies of any size and for individuals. One of its goals is to provide an easy and affordable way to secure digital communication and support information security in an increasingly connected world.

    Copyright © 2018 - 2023 CZERTAINLY | 3Key Company s.r.o.