Certificate automation has become an essential process for modern businesses, especially if you consider the exponential growth of machine identities each enterprise requires for IoT devices, cloud workloads, APIs, containers, applications and more. This is where Automated Certificate Management Environment (ACME) comes in handy.
You can read all about the key points of how ACME works in this blog. Here, I am going to discuss why you need ACME. But first, a quick refresher.
What is the ACME protocol?
ACME is a protocol for automating the certificate lifecycle management processes between Certificate Authorities (CAs) and a company’s PKI-supported systems—web servers, email systems and machines. The ACME protocol is free and provides a no-hassle way for IT teams to configure and execute their certificate management automation. Because of these benefits, ACME is increasingly adopted by enterprises of all sizes.
The Internet Security Research Group (ISRG) originally designed the ACME protocol for its own Let’s Encrypt certificate service. Today the protocol has become a standard (RFC 8555). ACME v2 is the current version of the protocol, published in March 2018. The previous version, ACME v1, was deprecated on June 1st, 2021. On September 15, 2021, the DNS records for acme-v01.api.letsencrypt.org were removed.
The ACME protocol automates the process for exchanging the information necessary for the CA to authenticate and issue certificates, and for the user to deploy the issued certificates. In addition, the protocol enables other certificate lifecycle management use cases like certificate revocation and renewal, using simple JSON-formatted messages over encrypted HTTPS communications.
Why use the ACME protocol?
While digital machine identities are the easiest and strongest method to authenticate machines and encrypt machine-to-machine communications, many organizations are still struggling with manually deploying and managing certificates. This entails risk: using spreadsheets or home-grown solutions to manually track certificates is dicey. More often than not, these organizations experience unexpected outages caused by expired or misconfigured machine identities.
Whether an enterprise deploys a single TLS/SSL certificate for a web server or manages millions of certificates across all distributed and connected devices, the manual process of certificate issuance, configuration, and deployment can take up to several hours. Manually managing certificates also puts enterprises at significant risk of certificates being forgotten and of blurred visibility and ownership, resulting in sudden outages or failure of critical business systems along with data breaches and Man-in-the-Middle attacks (MITM).
Despite the increasing use of modern, agile computing environments, many businesses continue to deploy, and manage certificates using techniques which are not adequate to meet the increased demands of today’s fast-paced environments. And that’s one of the advantages that the ACME protocol documentation highlights:
“Existing Web PKI certification authorities tend to use a set of ad hoc protocols for certificate issuance and identity verification. These ad hoc procedures are accomplished by getting the human user to follow interactive natural-language instructions from the CA rather than by machine-implemented published protocols. In many cases, the instructions are difficult to follow and cause significant frustration and confusion.”
With so many potential pitfalls inherent in managing PKI certificates manually, enterprises need to embrace automation. And standards like ACME can help ensure certificates are correctly configured without any human intervention. In general, automation not only helps reduce certificate management risks and challenges but also allows IT departments to control operational costs.
Why go with ACME instead of other certificate automation protocols?
ACME is not the only certificate automation protocol. Other automation standards include the Enrollment over Secure Transport (EST) and the Simple Certificate Enrollment Protocol (SCEP) as well as solutions associated with enterprise architectures like Microsoft Active Directory. Why is ACME more popular among enterprises than the other automation standards?
Security teams rely on ACME more and more to help them address their scale and complexity challenges as it offers:
- An open standard with robust error handling, making it easy to adopt both by the enterprise and CAs
- Industry best practices for TLS and PKI management for both IT teams tasked with implementing and managing valid PKI certificates and CAs that adhere to strict authentication procedures
- Ongoing support by a community, not controlled by a single vendor or organization
- CA agility with flexibility to add and support backup CAs
- Low cost, being free to use
How can Venafi help?
Venafi Trust Platform can operate as an ACME server that supports automated certificate enrollment and installation with the added benefit of global visibility and machine identity intelligence. Developers can also use cert-manager with ACME in container environments. Jetstack, a Venafi company, created cert-manager and it has since become the leading open-source tool to automate the management and issuance of TLS certificates in Kubernetes and Open Shift environments. When developers create a new ACME Issuer, cert-manager will generate a private key which is used to identify them with the ACME server. If you want to learn more, contact our experts.