Introduction to CaaS
Certificate as a Service (CaaS) provides automated certificate issuance, validation, and lifecycle management via the ACME protocol. By subscribing for specific domain names, you or your customer can use an ACME client to obtain an unlimited number of certificates for those domains at no additional cost during the subscription period. This service is designed for both reselling and direct use, enabling partners to integrate it into their own offerings or utilize it for their own infrastructure needs.
CaaS supports Domain Validation (DV) SSL, Organization Validation (OV) SSL, Extended Validation (EV) SSL, and eIDAS QWAC‑Legal certificates.
The maximum (and default) duration of a certificate issued through CaaS is 90 days.
CaaS offers two subscription models:
-
Standalone domain model — A customer purchases and pays for each domain added to the subscription individually. Charges are calculated proportionally, similar to adding additional domain names to multi-domain certificates.
-
Bundle-based model — A customer purchases a bundle, which is a predefined number of domains bought in a single transaction, and pays once at the time of purchase. Domains can then be added throughout the subscription period without additional charges, provided that sufficient domain capacity is available.
The certificates requested for subscribed domains are not charged separately.
All domains associated with the same external account binding (EAB) credentials share the same expiration date, making renewals easier to manage.
For detailed information about subscription models, bundle capacity, and subscription management, see Subscription overview.
The ACME accounts are used to get as many certificates for the subscribed domains as needed during the subscription period. Once the ACME client is set up and the domain subscription for the relevant ACME accounts is started, the domains will be secured with automated, self-renewing certificates throughout the subscription period. There’s no need for copying or pasting CSRs, manually validating domains, waiting for emails, or reminding users to renew certificates after a year.
Capabilities
You or your customer can use an ACME client registered with external account binding (EAB) credentials obtained via CaaS to access its functionality. These functionalities primarily include certificate lifecycle management, such as requesting, renewing, and revoking certificates, and ACME account operations, such as registering and unregistering.
CaaS provides administration capabilities to Sectigo partners via a single API endpoint. These capabilities include managing ACME accounts linked to their Sectigo Partner account, handling subscriptions used for certificate lifecycle management, and accessing reporting features. This includes the following:
-
ACME accounts management
-
Pre-registration of ACME accounts — Provides you with the external account binding details which should be used when registering an ACME account. The accounts registered this way are tied to your Sectigo Reseller account and can be managed by you.
-
Permanent deactivation — Provides an ability to deactivate an ACME account, all ACME accounts that share the external account binding details, or all ACME accounts tied to your Sectigo Reseller account.
-
Suspension and unsuspension — Provides ability to suspend and potentially unsuspend an ACME account, all ACME accounts that share the external account binding details, or all ACME accounts tied to your Sectigo Reseller account.
-
-
Subscription management
Subscription management depends on the subscription model. Some actions are available in both subscription models, while others apply only to a specific model. The behavior of individual actions may also vary depending on the subscription model.
At a high level, subscription management includes:
-
Adding domain names to the subscription — Enables the ACME client to start requesting certificates for the added domain.
-
Removing domain names from the subscription — Removes the ability of the ACME client to request certificates for the domain.
-
Extension of subscription — Extends the subscription by adding additional year(s) to the current expiry date.
-
Adding bundles — (Bundle-based model only) Purchasing domain slot capacity for the subscription.
-
Canceling the subscription — (Bundle-based model only) Cancels the service for the specified EAB credentials and removes all domains and bundle capacity from the subscription.
-
-
Organization pre-validation management
-
Re-assignment of organization pre-validations — Provides a way to update the organization pre-validation linked to the relevant domain names.
-
Auto-renewal and auto-reassignment of organization pre-validations — Ensures that organization validations remain active during the subscription period. This eliminates the need to track expiry dates, place orders for new organization pre-validations, or re-assign them to the relevant domain names once validated and activated.
If organization pre-validation is used for both OV SSL and EV SSL issuance, it is not downgraded from EV to OV during auto-renewal.
-
-
Reporting facilities
-
Domain names that have been added to the subscription, and so are made available to the ACME account, as well as to any other ACME accounts that share the same EAB details.
-
ACME servers that are available for your Sectigo Reseller account to use.
-
Details of the ACME accounts associated with your Sectigo Reseller account.
-
Details of the ACME account bindings belonging to your Sectigo Reseller account.
-
Transaction history for any of your CaaS subscriptions, including details such as the transaction date, debited amount, associated domain, and subscription period.
-
Last order details for each domain in the active subscription, including details such as order date, order status, and certificate validity period.
-