ACME protocol explained

The ACME protocol makes it possible to automatically enroll and provision a new SSL/TLS certificate on a web server, renew a certificate nearing expiration, and revoke a certificate in the event of key compromise or web service discontinuation.

What are SSL/TLS certificates?

SSL is short for Secure Sockets Layer, a security protocol designed to provide privacy and encryption for application and internet communications. SSL is now deprecated and has been replaced entirely by Transport Layer Security (TLS).

The most widely used application of TLS is in combination with the Hypertext Transfer Protocol (HTTP over SSL/TLS, or HTTPS), securing the communication between web servers hosting websites and client browsers so that data transferred between the systems during online transactions is protected. Beyond HTTPS, TLS is used with other communication protocols such as Simple Mail Transfer Protocol (SMTP), Network Time Protocol (NTP), Voice over Internet Protocol (VoIP), and more.

ACME protocol overview

The Automated Certificate Management Environment (ACME) protocol is a protocol for automating certificate lifecycle management communications between Certificate Authorities (CAs) and a company’s web servers, email systems, user devices, and any other place Public Key Infrastructure (PKI) certificates are used. The ACME protocol has no licensing fees and requires very little time for IT teams to configure and run their certificate management automation, making it an increasingly adopted component of enterprise security.

The Internet Security Research Group (ISRG) originally designed the ACME protocol for its own certificate service and published it as a full-fledged Internet Standard in RFC 8555 through an IETF working group chartered for that purpose. ACME v2 is the current version of the protocol, published in March 2018.

The basis for PKI certificate issuance is that Certificate Authorities, like Sectigo, are trusted to authenticate that a certificate user legitimately represents the identities and domain name(s) associated with the PKI certificate. The exchange of the information the CA needs to perform that authentication and issue certificates, and the user's subsequent deployment of the issued certificates, is automated by the ACME protocol rather than communicated manually. Beyond certificate issuance, the protocol also supports other certificate lifecycle management use cases such as certificate revocation and renewal, using simple JSON-formatted messages over encrypted HTTPS communications.
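The JSON messages mentioned above are not plain JSON: under RFC 8555 every client request is a JWS signed with the client's account key, and the protected header carries a server-issued nonce and the request URL so the CA can reject replayed or redirected messages. The following Go program is an added example, not code from this page or from any ACME client or CA; it builds and verifies such a signed newAccount request and derives the account-key thumbprint used in challenge key authorizations. The nonce, URL and contact address are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"math/big"
)

// NewAccountKey generates the P-256 account key an ACME client signs every request with.
func NewAccountKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

func jwk(pub *ecdsa.PublicKey) map[string]string {
	pad := func(n *big.Int) string { return base64.RawURLEncoding.EncodeToString(n.FillBytes(make([]byte, 32))) } // 32-byte coordinates
	return map[string]string{"crv": "P-256", "kty": "EC", "x": pad(pub.X), "y": pad(pub.Y)} // exactly the members RFC 7638 hashes
}

// Thumbprint is base64url(SHA-256(canonical JWK)); a challenge is answered with token "." thumbprint, tying proof of control to this key.
func Thumbprint(pub *ecdsa.PublicKey) string {
	j, _ := json.Marshal(jwk(pub)) // encoding/json sorts map keys and emits no whitespace, as RFC 7638 requires
	h := sha256.Sum256(j)
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// SignRequest builds the flattened JWS ACME expects: the protected header carries the account key (jwk; after newAccount
// the account URL is sent as "kid" instead), the server-issued anti-replay nonce and the request URL; ES256 signs header.payload.
func SignRequest(key *ecdsa.PrivateKey, nonce, url string, payload interface{}) (map[string]string, error) {
	body, _ := json.Marshal(payload) // payload is a caller-built map or struct, so marshalling cannot fail here
	hdr, _ := json.Marshal(map[string]interface{}{"alg": "ES256", "jwk": jwk(&key.PublicKey), "nonce": nonce, "url": url})
	protected, pl := base64.RawURLEncoding.EncodeToString(hdr), base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(protected + "." + pl))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS wants raw r||s, not DER
	return map[string]string{"protected": protected, "payload": pl, "signature": base64.RawURLEncoding.EncodeToString(sig)}, nil
}

// VerifyRequest is the CA-side check: the signing input is rebuilt from the message as received, so an edited
// header (nonce, url) or payload no longer verifies under the account key. Nonce freshness is checked separately.
func VerifyRequest(pub *ecdsa.PublicKey, msg map[string]string) bool {
	sig, err := base64.RawURLEncoding.DecodeString(msg["signature"])
	digest := sha256.Sum256([]byte(msg["protected"] + "." + msg["payload"]))
	return err == nil && len(sig) == 64 &&
		ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}
```

A real client sends the returned map as the HTTPS POST body and takes the nonce from the CA's Replay-Nonce response header, which is why a request captured from one exchange cannot be reused in another.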