Introduction to CaaS

Certificate as a Service (CaaS) provides automated certificate issuance, validation, and lifecycle management via the ACME protocol. With a subscription covering specific domain names, whoever operates the ACME client can obtain an unlimited number of certificates for those domains at no additional cost during the subscription period. The service is designed for both reselling and direct use, so partners can integrate it into their own offerings or use it for their own infrastructure.

CaaS offers Domain Validation (DV) SSL certificates. Support for Organization Validation (OV) SSL certificates is planned for the future.

The maximum (and default) duration of a certificate issued through CaaS is 90 days.

Billing occurs on a per-domain basis, allowing for domain names to be added or removed from the subscription. The charges for adding a domain name are calculated proportionally, similar to adding additional domain names to multi-domain certificates. The certificates requested for the added domains are not chargeable.

The ACME accounts are used to get as many certificates for the associated domains as needed during the subscription period. Once the ACME client is set up and the domain subscription for the relevant ACME accounts is started, the domains will be secured with automated, self-renewing certificates as long as the subscription fees are paid. There’s no need for copying or pasting CSRs, manually validating domains, waiting for emails, or reminding users to renew certificates after a year.

Capabilities

Anyone operating an ACME client registered with external account binding (EAB) credentials obtained via CaaS, whether you or your customer, can use the service's ACME functions. These primarily include certificate lifecycle management (requesting, renewing, and revoking certificates) and ACME account operations (registering and unregistering).
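How EAB credentials tie an ACME account key to a pre-registered binding, following the externalAccountBinding structure in RFC 8555 section 7.3.4. This is an added example, not Sectigo's code; the URL, key ID, MAC key and account JWK are constructed placeholders, and accepting only HS256 is an assumption of this sketch.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed sample values (hypothetical, not real CaaS endpoints or credentials).
URL = "https://acme.example/v2/newAccount"
KID = "kid-constructed-0001"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

MAC_KEY = b64u(b"constructed-eab-mac-key-32-bytes")

def make_eab(account_jwk: dict, kid: str, mac_key: str, url: str) -> dict:
    """Client side: JWS over the account public key, MACed with the EAB key."""
    protected = b64u(json.dumps({"alg": "HS256", "kid": kid, "url": url}).encode())
    payload = b64u(json.dumps(account_jwk).encode())
    mac = hmac.new(b64u_dec(mac_key), f"{protected}.{payload}".encode(), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64u(mac.digest())}

def verify_eab(eab: dict, outer_jwk: dict, issued: dict, url: str) -> Optional[str]:
    """Server side: return the bound key ID, or None if any check fails.
    `issued` maps key ID -> base64url MAC key handed out at pre-registration."""
    header = json.loads(b64u_dec(eab["protected"]))
    # MAC algorithm only, same URL as the outer request, and no nonce in the inner JWS.
    if header.get("alg") != "HS256" or header.get("url") != url or "nonce" in header:
        return None
    key = issued.get(header.get("kid"))
    if key is None:
        return None
    signing_input = f'{eab["protected"]}.{eab["payload"]}'.encode()
    expected = hmac.new(b64u_dec(key), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_dec(eab["signature"])):
        return None
    # The MACed payload must be the same key that signs the outer newAccount request.
    if json.loads(b64u_dec(eab["payload"])) != outer_jwk:
        return None
    return header["kid"]
```

Because the MAC key is the only thing that ties a new account to the binding, anyone holding the key ID and MAC key can register an account under it, so treat the pair as a shared secret.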

CaaS provides exclusive capabilities to Sectigo partners via a single API endpoint. These capabilities include managing ACME accounts linked to their Sectigo Partner account, handling subscriptions used for certificate lifecycle management, and accessing reporting features. This includes the following:

  • ACME accounts management

    • Pre-registration of ACME accounts — Provides you with the external account binding details which should be used when registering an ACME account. The accounts registered this way are tied to your Sectigo Reseller account and can be managed by you.

    • Permanent deactivation — Provides the ability to deactivate an ACME account, all ACME accounts that share the external account binding details, or all ACME accounts tied to your Sectigo Reseller account.

    • Suspension and unsuspension — Provides the ability to suspend and potentially unsuspend an ACME account, all ACME accounts that share the external account binding details, or all ACME accounts tied to your Sectigo Reseller account.

  • Subscription management

    • Adding domain names to the subscription — After this step and ACME account registration, the ACME client can start requesting certificates for the added domain.

    • Removing domain names from the subscription — Removes the ability of the ACME client to request certificates for the domain.

    • Extension of subscription — Extends the subscription by adding another year to the current expiry date.

  • Reporting facilities

    • Domain names that have been added to the subscription, and so are made available to the ACME account and to any other ACME accounts that share the same EAB details.

    • ACME servers that are available for your Sectigo Reseller account to use.

    • Details of the ACME accounts tied to your Sectigo Reseller account.

    • Details of the ACME account bindings belonging to your Sectigo Reseller account.