Automating certificate management is now a crucial task for contemporary enterprises, particularly given the rapid expansion in the number of machine identities needed for a range of technologies such as IoT devices, cloud operations, APIs, containers, applications, and beyond. The Automated Certificate Management Environment (ACME) proves invaluable in this context. This blog provides an in-depth look at the fundamental aspects of ACME's operation. In this discussion, we'll explore the reasons behind the necessity for ACME, starting with a brief overview to refresh our understanding.
What is ACME (Automated Certificate Management Environment)?
The ACME Protocol (Automated Certificate Management Environment) automates certificate issuance and domain-ownership validation, thereby enabling the deployment of public key infrastructure with no need for manual intervention. Crafted by the Internet Security Research Group (ISRG) specifically for the Let's Encrypt service, its purpose is to streamline the management of certificates.
The first version of ACME, ACMEv1, was launched on April 12, 2016, facilitating the issuance of certificates for individual domains like example.com or mail.example.com. Following this, ACMEv2 was introduced on March 13, 2018; it was not compatible with its predecessor, ACMEv1. This new version not only refined some of the protocol's existing features to improve the user experience but also introduced the capability to issue wildcard SSL/TLS certificates, although wildcard issuance required completing a stringent DNS TXT record challenge. On March 11, 2019, the ISRG announced that ACME had been adopted as a standardized protocol for the issuance and management of certificates, published as RFC 8555. Additionally, ISRG set a timeline for phasing out ACMEv1, stating that it would be "completely disabled" by June 2021.
How does the ACME certificate management protocol work?
ACME is your go-to for snagging Domain Validated (DV) certificates. Think of DV certificates as your website's ID card that doesn't dive into who's behind the site but confirms it's legit through a domain registry check. On the flip side, Organization Validated (OV) certificates are like background checks for your business, making sure you are who you say you are by matching you up with a business registry. And for those wanting the gold standard, Extended Validation (EV) certificates are the top-tier, offering the most thorough vetting process to showcase an organization's credibility.
It's worth mentioning that ACME isn't just for basic certificates; it can also help secure more advanced ones. However, when going for these higher-tier certificates, there are additional processes that run parallel to the ACME protocol's operations. The main goal of ACME is to streamline the setup of an HTTPS server by enabling it to automatically acquire a certificate trusted by web browsers, all without needing someone to manually handle the process. This magic happens through a certificate management agent installed on the web server.
In the world of ACME, there are two key players: the ACME client and the ACME server. The client uses the protocol to carry out certificate management tasks, such as obtaining new certificates or revoking existing ones. The client software can run on any server that needs trusted SSL certificates. The server, hosted by a certificate authority, handles requests from the client and executes the requested actions once it has verified the client's authorization. Their interaction consists of an exchange of JSON messages over a secure HTTPS connection.
ACME client configurations
Choosing the right client for ACME is crucial. The market offers a plethora of ACME client implementations, covering nearly all languages and environments. Moreover, the protocol is open, meaning no certificate authority (CA) has exclusive rights to a specific client. This openness ensures users have the freedom to select from any CA that accommodates the protocol. Among these, the Electronic Frontier Foundation's Certbot stands out as the most popular choice.
Once you have chosen a client and installed it on your server, you have to configure it. The procedure is straightforward and takes no more than 10 minutes.
- The client prompts you to input the domain it's going to manage.
- You're presented with a selection of Certificate Authorities (CAs) compatible with the ACME protocol.
- After picking a CA, the client reaches out to it and creates a pair of authorization keys.
- The CA sets forth challenges (either DNS or HTTPS) that require the agent to perform tasks proving domain control. These challenges serve as the CA's way to confirm the agent's authority over the domain.
- Alongside these challenges, the CA sends out a nonce, a unique, randomly generated number. The agent needs to sign this nonce with the newly created private key as proof of key ownership.
Image 1: ACME client configuration.
After obtaining an authorized key pair, the process of requesting, renewing, and revoking certificates becomes straightforward—simply dispatch messages for certificate management and authenticate them using the authorized key pair. The procedures to issue or renew a certificate include the following steps:
- The agent creates a PKCS#10 Certificate Signing Request (CSR) to request a certificate from the CA for the approved domain, including a specific public key.
- The CSR is signed with the private key that matches the public key specified in the request.
- Additionally, the agent signs the entire CSR using the domain's authorized key to confirm its authorization to the CA.
- Upon receiving the CSR, the CA checks both signatures. If all is in order, it issues a certificate for the approved domain, incorporating the public key provided in the CSR, and sends it back to the agent.
Image 2: Certificate Issue/Renew.
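Added example, not from the original post or from any ACME client: the agent-side CSR construction and the CA-side checks for the issuance steps above, in Go using only the standard library. The outer JWS signed with the account key is omitted here; the domain names and the set of authorized identifiers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
)

// BuildCSR is the agent side: generate the key the certificate will carry
// (deliberately separate from the ACME account key) and produce a PKCS#10
// request listing the domains as SANs, signed with that same key so the CA
// sees proof of possession. Returns the key plus the DER-encoded CSR.
func BuildCSR(domains []string) (*ecdsa.PrivateKey, []byte, error) {
	certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: domains}, certKey)
	return certKey, der, err
}

// CheckCSR is the CA side. The outer JWS (signed with the account key) already
// identified the account; the CA still verifies the CSR's own signature and
// refuses any name that was not covered by a completed authorization for that
// account, since a valid account must not be able to obtain certificates for
// domains it never proved control of. Returns the names that will be issued.
func CheckCSR(der []byte, authorized map[string]bool) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature invalid: %w", err)
	}
	if len(csr.DNSNames) == 0 {
		return nil, fmt.Errorf("csr names no dNSName identifiers")
	}
	for _, name := range csr.DNSNames {
		if !authorized[name] {
			return nil, fmt.Errorf("identifier %q not authorized for this account", name)
		}
	}
	return csr.DNSNames, nil
}
```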
Revoking a certificate follows a comparable process. The agent authenticates a revocation request by signing it with the domain's authorized key pair. The CA then checks to ensure the request is valid. Once verified, it distributes the revocation details through standard channels, like OCSP, alerting parties like web browsers not to trust the revoked certificate anymore.
Image 3: Certificate Revocation.
Benefits and uses of ACME protocol
Josh Aas, ISRG Executive Director, said that he is “excited about the potential for a 100% HTTPS Web”. This statement sketches the ultimate objective of the ACME initiative. The ISRG's membership includes Akamai, Cisco, Electronic Frontier Foundation (EFF), and Mozilla, while the group is managed by The Linux Foundation. The group's purpose is to provide a “free, automated and open security certificate authority (CA) for the public’s benefit.”
Back in 2015, when Let’s Encrypt was just emerging as a certificate-authority force, Josh Aas, the ISRG's executive director, said that "Encryption should be the default for the web. The web is a complicated place these days; it's difficult for consumers to be in control of their data. The only reliable strategy for making sure that everyone's private data and information is protected while in transit over the web is to encrypt everything. Let's Encrypt simplifies this."
That is very true. In fact, this is the justification given in RFC 8555 itself. “Existing Web PKI certification authorities tend to use a set of ad hoc protocols for certificate issuance and identity verification. These ad hoc procedures are accomplished by getting the human user to follow interactive natural-language instructions from the CA rather than by machine-implemented published protocols. In many cases, the instructions are difficult to follow and cause significant frustration and confusion. Informal usability tests by the authors indicate that webmasters often need 1-3 hours to obtain and install a certificate for a domain. Even in the best case, the lack of published, standardized mechanisms presents an obstacle to the wide deployment of HTTPS and other PKIX-dependent systems because it inhibits mechanization of tasks related to certificate issuance, deployment, and revocation.”
What makes ACME a solution to this challenging issue? In essence, ACME streamlines the process by automatically verifying your website's ownership with the CA, securing a certificate trusted by browsers, installing it on your server, monitoring its expiration timeline, and renewing it as needed, as well as facilitating its revocation when required. The central theme here is "automation"—the groundbreaking change ACME introduces to the world of Public Key Infrastructure (PKI), enabling a more efficient management of certificates. It allows for an “extensible framework for automating the issuance and domain validation procedure, thereby allowing servers and infrastructure software to obtain certificates without user interaction. Use of this protocol should radically simplify the deployment of HTTPS and the practicality of PKIX-based authentication for other protocols based on TLS.”
Furthermore, ACME makes switching to an alternative CA considerably simpler. As Scott Helme rightly suggests, it's important not to rely too heavily on just one CA for all our needs. “If something happens to your CA, it could have a big impact on the availability of your site. For that reason, having a backup CA is always a good idea,” he explains in one of his blog posts.
Putting it in simpler terms, ACME:
- Offers its services for free, enabling domain owners to secure a trusted certificate without any expenses,
- Automates the entire certificate lifecycle management process,
- Promotes top-notch TLS security measures, aiding both CAs and website administrators in enhancing server security,
- Stands as an open standard available for widespread adoption, and
- Represents a collaborative initiative aimed at serving the community, not governed by any single entity.
It is also true that there will be opposing forces arguing that obtaining free certificates using ACME puts your organization at risk. Scott Helme has the answer: “When you look at a certificate … We care if the certificate is valid. To be valid there are various technical criteria … that must be met. There's also criteria around how it was issued that the CA must adhere to and all of this plays a part in the ultimate determination made by the browser about the certificate itself. Whether or not anyone handed over some hard-earned cash to purchase the certificate simply does not matter one bit. … There's absolutely no difference between a free certificate and one that you had to shell out some cash for.”
Setting up ACME protocol
Setting up the ACME protocol is easy, and involves merely preparing the client and then deploying it on the server that will host the PKI certificates.
- The client prompts for the domain name to be managed
- A selection of certificate authorities (CAs) compatible with the protocol is provided by the client
- Upon choosing a CA, the client generates an authorization key pair
- The chosen CA then sets forth either DNS or HTTPS challenges to verify control of the domain
- A nonce, a unique random number, is dispatched by the CA for the client to sign with its private key, proving possession of the key
Why go with ACME instead of other certificate automation protocols?
ACME is one of many protocols for automating certificate management. Others include Enrollment over Secure Transport (EST), Simple Certificate Enrollment Protocol (SCEP), and systems integrated within enterprise frameworks like Microsoft Active Directory. What sets ACME apart, making it the preferred choice for many businesses over these alternatives?
Security teams increasingly rely on ACME to address their scale and complexity challenges because it offers:
- A widely accepted open standard featuring strong error handling, simplifying adoption for enterprises and CAs alike
- Adherence to industry-leading practices in TLS and PKI management, benefiting IT teams responsible for deploying and overseeing valid PKI certificates as well as CAs committed to rigorous verification processes
- Support from an extensive community, free from the influence of any one company or entity
- The ability to easily integrate and manage alternate or backup CAs, enhancing CA flexibility
- Affordability, with no associated costs for usage
Venafi is a firm advocate of certificate lifecycle management automation. Venafi TLS Protect Cloud can operate as an ACME server that supports automated certificate enrollment and installation with the added benefit of global visibility and machine identity intelligence. If you want to learn more about it, contact the PKI experts.
(This post has been updated. It was originally published on August 8, 2019.)