Sectigo ACME integration

This section covers instructions on the following items for both private and public CA ACME setup. Where the steps differ between the two, extra notes are included for clarification.

  • Authenticate to SCM Portal and create ACME account

    • Create a new organization

    • Create a new domain

    • Delegate domain to organization (optionally to department)

    • Create a new ACME account

    • Save the EAB values for ACME client registration

  • Auto-enrollment instructions for

    • IIS (Windows) using Win-ACME client

    • Apache (Debian) using Certbot

  • Manual enrollment instructions for Lego (Windows)

  • Validation of the SSL/TLS certificate installation on the web servers

  • Additional commands for certificate renewal and revocation

Prerequisites

  • SCM registration is completed, and administrator credential is received securely.

  • Apache server is already installed on the Linux system and listening on port 80.

  • IIS service is enabled and listening on port 80.

Test configuration

  • Organization Name: SectigoSolutionsEngineering

  • Domain Names: example.webserver.com, example.apacheserver.com, and example.nginxserver.com

  • ACME Account: SolutionsEngineering

  • Hostname(s) and Alias: example.webserver.com, example.apacheserver.com, and example.nginx.com

  • Apache server can be accessed via http://example.apacheserver.com

  • Test machine is configured to connect to the internet to access Sectigo Endpoint URL

ACME account creation on SCM

  1. Log in to the SCM Portal using the administrator credentials (MRAO) provided to your organization.

    You can get the appropriate SCM URL and MRAO credentials for your organization from Sectigo Sales or Support.
    SCM login screen
  2. Successful authentication to the portal will land you on the main page of SCM.

  3. (Optional) Select your organization and expand the organization list to see if there is a department already created. Alternatively, you can create departments based on your requirements.

  4. Click Domains to see whether there are any pre-validated domains.

    SCM Domains page
  5. To create a new domain to be used to host the web server for public access, click Add.

    SCM Create Domain page
  6. Click Save.

  1. Click on the Domains tab and select your new domain from the list.

    SCM Domains tab with the new domain
  2. Click Delegate.

  3. Select the appropriate Organizations and Departments.

    SCM Delegate Domain page
  4. Click Save.

  5. For PRIVATE CAs, skip this step. Otherwise, continue with the sub-steps:

    1. Select your new domain for domain validation and click Validate.

      SCM DCV page
    2. Select the appropriate DCV method as per your initial setup.

      SCM select DCV Method
      The following steps assume that you selected Email as the DCV method.
    3. Click Next.

    4. From the Select an email address menu, select a registered email.

    5. Click Submit.

      SCM DCV select registered email

      A message confirms that the validation letter was sent to your selected email.

    6. Click OK.

    7. Follow the instructions provided in the email to validate your domain.

      Once the domain is validated, it will change to Validated on the SCM Domains page.

      SCM DCV domain validated
  6. Click Enrollment.

  7. Click ACME.

    SCM Enrollment Endpoints
  8. Select Universal ACME or Sectigo Public ACME.

    The options available depend on how your account was configured. For more information, please contact your account administrator.
    SCM select endpoint
  9. Click Accounts.

    SCM ACME Accounts
  10. Click Add and provide the following details:

    • Name: A name for the ACME account

    • Organization: The organization to be associated with the ACME account

    • Department: (Optional) The department to be associated with the ACME account

      Sectigo recommends creating one ACME account for every public-facing server.
      SCM Create ACME Account page
  11. Click Save.

    External Account Binding (EAB) is now created for the new ACME account.

    Make sure to save the following values for Client registration:

    • ACME URL

    • Key ID

    • HMAC Key

    Once the client is successfully registered, this value will be erased from the system.

    SCM ACME Account details
  12. Click Close.

We have successfully created a new ACME account for the domain example.webserver.com. We will use example.apacheserver.com and example.nginxserver.com for further testing.
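As an added illustration (not from the Sectigo documentation) of what an ACME client does with the Key ID and HMAC Key saved above: it builds the externalAccountBinding JWS defined in RFC 8555 section 7.3.4 and sends it in its newAccount request, and the CA verifies it with the same HMAC key. The Key ID, HMAC Key, newAccount URL and JWK coordinates below are constructed sample values, not real SCM credentials.

```python
# Added example, not code from the Sectigo page: build and verify the
# externalAccountBinding (EAB) JWS an ACME client sends with newAccount.
# Every credential and URL in this file is a constructed sample value.
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; tolerates missing padding (SCM shows keys unpadded)."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(account_jwk: dict, kid: str, hmac_key_b64url: str, new_account_url: str) -> dict:
    """Client side: HS256 JWS over protected.payload, keyed with the *decoded* HMAC Key.

    The payload is the ACME account's public key (JWK), which ties the new ACME
    account to the SCM ACME account identified by kid. No nonce is allowed here.
    """
    protected = b64url(json.dumps({"alg": "HS256", "kid": kid, "url": new_account_url},
                                  separators=(",", ":"), sort_keys=True).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    mac_key = b64url_decode(hmac_key_b64url)  # common mistake: using the text, not the bytes
    sig = hmac.new(mac_key, f"{protected}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(sig)}


def eab_protected_header(eab: dict) -> dict:
    """Decode the protected header of an EAB JWS for inspection."""
    return json.loads(b64url_decode(eab["protected"]))


def verify_eab(eab: dict, hmac_key_b64url: str, expected_kid: str,
               expected_url: str, account_jwk: dict) -> bool:
    """Server side: header fields, JWK and MAC must all match, else reject."""
    header = eab_protected_header(eab)
    if header.get("alg") != "HS256" or header.get("kid") != expected_kid:
        return False
    if header.get("url") != expected_url or "nonce" in header:
        return False
    if json.loads(b64url_decode(eab["payload"])) != account_jwk:
        return False
    expected = hmac.new(b64url_decode(hmac_key_b64url),
                        f"{eab['protected']}.{eab['payload']}".encode("ascii"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


# Constructed sample values (not real SCM credentials, not a real endpoint).
SAMPLE_KID = "constructed_kid_0123"
SAMPLE_HMAC = b64url(b"constructed-sample-hmac-key-bytes")  # as SCM would display it
SAMPLE_URL = "https://acme.example.invalid/v2/DV/newAccount"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}  # placeholder coordinates

if __name__ == "__main__":
    eab = build_eab(SAMPLE_JWK, SAMPLE_KID, SAMPLE_HMAC, SAMPLE_URL)
    # The newAccount request body the client would then sign with its account key.
    print(json.dumps({"contact": ["mailto:admin@example.invalid"],
                      "termsOfServiceAgreed": True,
                      "externalAccountBinding": eab}, indent=2))
```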

ACME client integration with Sectigo ACME Services

This section covers the configuration of the ACME clients that were tested with the Sectigo private and public ACME services. The following clients were tested on the Windows 2016 Standard Server and Debian 10 64-bit operating systems:

  • Auto-enrollment of SSL/TLS on Apache Server website using Certbot (Linux)

  • Auto-enrollment of SSL/TLS on IIS Server website using Win-ACME (Windows)

  • Manual enrollment of SSL/TLS on Nginx using Lego (Linux)

  • Manual enrollment using Certbot

  • Auto-Renewal and Revocation using Certbot

Enabling SSL on Apache Server (Linux) using Certbot - auto-enrollment

Auto-enrollment with Certbot on Apache Server

Install Certbot on Debian 10 OS

The commands given here are relevant to Debian OS. For commands relevant to your environment, see Certbot.
  1. Log in to the Linux system.

  2. Check that the apache service is running and listening on port 80.

    systemadmin @example:~# sudo systemctl status apache2
    Apache service status
    Execute the commands using an account with elevated rights.
  3. Open a browser and check that the apache default page can be accessed.

    Default Apache page
  4. Run the following command to check if Certbot is already installed.

    systemadmin @example:~# certbot --version
    Output:
    certbot 0.31.0
  5. If Certbot is not installed, run the following commands.

    systemadmin @example:~# sudo apt-get install software-properties-common
    systemadmin @example:~# sudo apt-get update
    systemadmin @example:~# sudo apt-get install certbot
  6. Install the Certbot Apache plugin to enable auto-enrollment for certificates.

    systemadmin @example:~# sudo apt-get install python-certbot-apache

Register Certbot with Sectigo ACME server for certificate issuance

The following table provides a subset of common Certbot commands. A complete list of Certbot commands can be found in the Certbot documentation.

Option                            Definition

register                          Register a Sectigo ACME account

certonly                          Initiates the enrollment of a certificate

run                               Obtains and installs a certificate in your current web server

--server <URL of ACME server>     Specifies the ACME server for DV/EV/OV SSL certificates

--domain, -d                      Indicates the domains to be included. Multiple domains can be added with additional --domain flags. The initial domain is treated as the subject CN of the certificate; all subsequent domains are SANs on the certificate.

renew                             Renews all previously obtained certificates that are near expiry

revoke                            Revokes a certificate regardless of the remaining time until expiration

--force-renewal                   Renews a certificate regardless of the remaining time until expiration

--expand                          Updates an existing certificate with a new certificate that includes one or more new domains

--non-interactive                 Runs the command without requesting further user input. This may require additional options, such as --agree-tos.

--agree-tos                       Indicates that you agree to the Sectigo ACME terms of service

--eab-kid                         Specifies the key identifier for external account binding. This is the Key ID value of the SCM ACME account.

--cert-name                       Specifies the name for the returned certificate on your system. This is the name of the certificate folder where certificates are stored.

unregister                        Unregisters an SCM ACME account. Once unregistered, the ACME account is deactivated on the ACME server and cannot be restored.

The following steps use the Certbot Apache authenticator to auto-enroll certificates on the Apache web server and enable HTTPS.

  • Run the following command to register the ACME Account and provision the certificate on the Apache web server.

    systemadmin @example:~# sudo certbot --apache --non-interactive --agree-tos --email [email protected] --server https://acme-qa.secure.trust-provider.com/v2/DV --eab-kid JfGQUcPqpUE_eIzROsiNEg --eab-hmac-key YLVw7sj5cj5EurPd_DgoqkKOrjJJWUu7b9Xp6i_jKlTyc-PSpRn0woCVra-LrRUfiEAoV3rKFS4wZfqXh5nbaA --domain example.apachewebserver.com --cert-name ApacheSSLCertificate
    • The --server, --eab-kid, and --eab-hmac-key values in this command are based on the values received from the ACME account registration on SCM and must be replaced with your own values.

    • The domain name should match one of the domains of the organization that was validated and delegated to the organization.

      ACME Account details

The certificate is successfully created and installed on the Apache web server automatically.

Certificate created and installed on the Apache web server

Verify the auto-enrollment of SSL certificates on an Apache server

  1. Navigate to /etc/letsencrypt to view the registered ACME account information and the corresponding certificates and keys.

    Registered account information and details
  2. Run the following command to connect to the Apache web server to verify the SSL status.

    openssl s_client -connect example.apachewebserver.com:443
    Verify SSL status on Apache Webserver

    The SSL certificate is now automatically installed on the Apache server and the website example.apachewebserver.com is enabled with SSL.

  3. Verify the Apache configuration folder for SSL enablement by running the following commands.

    systemadmin @example:~# cd /etc/apache2/sites-available
    
    systemadmin @example:/etc/apache2/sites-available# ls -al
    total 24
    drwxr-xr-x 2 root root 4096 Mar  4 16:09 .
    drwxr-xr-x 8 root root 4096 Mar  4 16:09 ..
    -rw-r--r-- 1 root root 1332 Aug  8 2020 000-default.conf
    -rw-r--r-- 1 root root 1563 Mar  4 16:09 000-default-le-ssl.conf
    -rw-r--r-- 1 root root 6338 Aug  8 2020 default-ssl.conf
    
    systemadmin @example:/etc/apache2/sites-available# cat 000-default-le-ssl.conf
    
    <IfModule mod_ssl.c>
    <VirtualHost *:443>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com
    
    ServerAdmin [email protected]
    DocumentRoot /var/www/html
    
    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    
    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    
    ServerName example.apachewebserver.com
    SSLCertificateFile /etc/letsencrypt/live/ApacheSSLCertificate/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ApacheSSLCertificate/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
    </IfModule>

The Apache server is now running on SSL using the newly enrolled certificate from the Sectigo ACME server.
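As an added check (not part of the Sectigo documentation) that complements the openssl s_client step above: the script reads the served certificate, confirms the hostname is covered by the Subject Alternative Name extension rather than only the CN, and reports how many days remain so you can tell whether the daily renewal job should already have replaced it. The embedded certificate dict, its dates and the 30-day renewal window are constructed assumptions.

```python
# Added example, not code from the Sectigo page: inspect a served TLS
# certificate for SAN coverage and remaining lifetime. The sample certificate
# dict below is constructed in the layout returned by ssl.SSLSocket.getpeercert().
import socket
import ssl
import time
from datetime import datetime, timezone
from typing import Optional


def dns_match(pattern: str, hostname: str) -> bool:
    """Exact or single-label wildcard match (*.example.com), case-insensitive."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def check_cert(cert: dict, hostname: str, now: Optional[float] = None,
               renew_days: int = 30) -> dict:
    """Summarize a getpeercert() dict: CN, SANs, hostname coverage, days left.

    renew_days=30 is an assumed renewal window, not a value from the page.
    """
    now = time.time() if now is None else now
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = next((value for rdn in cert.get("subject", ())
               for kind, value in rdn if kind == "commonName"), None)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # stdlib parser for this format
    days_left = (not_after - now) / 86400
    return {
        "cn": cn,
        "sans": sans,
        "san_match": any(dns_match(p, hostname) for p in sans),  # browsers ignore the CN
        "days_left": round(days_left, 1),
        "renewal_due": days_left <= renew_days,
        "expired": days_left < 0,
    }


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with SNI and the system trust store; returns the validated leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample (dates chosen for the example, not taken from a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.apachewebserver.com"),),),
    "subjectAltName": (("DNS", "example.apachewebserver.com"),
                       ("DNS", "example.nginxwebserver.com")),
    "notBefore": "Mar  4 16:09:00 2021 GMT",
    "notAfter": "Jun  2 16:09:00 2021 GMT",
}
SAMPLE_NOW = datetime(2021, 5, 10, 12, 0, tzinfo=timezone.utc).timestamp()

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None  # pass a hostname to check a live server
    cert, now = (fetch_peer_cert(host), None) if host else (SAMPLE_CERT, SAMPLE_NOW)
    print(check_cert(cert, host or "example.apachewebserver.com", now))
```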

Certbot commands for manual-enrollment

Standalone authenticator for single domain

    certbot certonly --standalone --non-interactive --agree-tos --email <CUSTOMER_EMAIL>@<DOMAIN.COM> --server <ACME Server URL> --eab-kid <keyID> --eab-hmac-key <HMAC Value> --domain <domain name> --cert-name <Custom Certname>

Standalone authenticator for multi-domain certificates

    certbot certonly --standalone --non-interactive --agree-tos --email <CUSTOMER_EMAIL>@<DOMAIN.COM> --server <ACME Server URL> --eab-kid <keyID> --eab-hmac-key <HMAC Value> --domain <domain name> --domain <domain name> --domain <domain name> --cert-name <Custom Certname>

    The first domain value is added to the Common Name of the certificate, and all the domain names are added to the Subject Alternative Name extension of the certificate.

Apache authenticator/installer

    certbot --apache --non-interactive --agree-tos --email <CUSTOMER_EMAIL>@<DOMAIN.COM> --server <ACME Server URL> --eab-kid <keyID> --eab-hmac-key <HMAC Value> --domain <domain name> --cert-name <Custom Certname>

Apache authenticator/installer for multi-domain certificates

    certbot --apache --non-interactive --agree-tos --email <CUSTOMER_EMAIL>@<DOMAIN.COM> --server <ACME Server URL> --eab-kid <keyID> --eab-hmac-key <HMAC Value> --domain <domain name> --domain <domain name> --domain <domain name> --cert-name <Custom Certname>

Nginx authenticator/installer

    certbot --nginx --non-interactive --agree-tos --email <CUSTOMER_EMAIL>@<DOMAIN.COM> --server <ACME Server URL> --eab-kid <keyID> --eab-hmac-key <HMAC Value> --domain <domain name> --cert-name <Custom Certname>

Nginx authenticator/installer for multi-domain certificates

    certbot --nginx --non-interactive --agree-tos --email <CUSTOMER_EMAIL>@<DOMAIN.COM> --server <ACME Server URL> --eab-kid <keyID> --eab-hmac-key <HMAC Value> --domain <domain name> --domain <domain name> --domain <domain name> --cert-name <Custom Certname>

Force-renewal of certificate using the Apache authenticator

    certbot certonly --force-renewal --apache --non-interactive --agree-tos --email <CUSTOMER_EMAIL>@<DOMAIN.COM> --server <ACME Server URL> --domain <domain name> --cert-name <Custom Certname>

Duplicate certificate using the Apache authenticator

    certbot certonly --duplicate --apache --non-interactive --agree-tos --email <CUSTOMER_EMAIL>@<DOMAIN.COM> --server <ACME Server URL> --domain <domain name> --cert-name <Custom Certname>

Revoking an existing certificate

    certbot revoke --cert-path /etc/letsencrypt/archive/<CertificateFolderName>/cert1.pem --reason unspecified

Unregister an existing ACME Account from the system

    certbot unregister --domain scmexample.com --account <ACCOUNT ID>

    ACCOUNT ID is the name of the folder stored at /etc/letsencrypt/accounts/acme-qa.secure.trust-provider.com/v2/DV. This value must match the folder name exactly.

Auto-renewal configuration for the certificate

Renewal is an important step of this process: it allows the certificate to renew automatically so that it does not expire.

The process can be automated using a cron job in Linux. A cron file is added automatically on installation at /etc/cron.d/certbot.

Update the content of the cron file as follows:

SHELL=/bin/sh

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */24 * * * root certbot -q renew --apache

This runs the renew process once a day, checks whether each certificate is within its renewal period, and renews it automatically when it is. The -q (quiet) flag suppresses Certbot's normal output so that only errors are reported.

More information on certificate management and custom configurations can be found in the Certbot documentation.

Verify the issuance of SSL certificates on SCM

Certificates enrolled via the Sectigo ACME service are considered external in SCM. These certificates can be revoked from within SCM as they have been issued by Sectigo CA.
  1. Log in to SCM.

  2. Click Certificates and select the appropriate certificate type.

    SCM Certificates page

    The newly issued certificate is listed in the list of certificates.

    SCM new SSL certificate
  3. Select the appropriate certificate and click View.

    SCM Certificate Details

    You can revoke certificates by selecting the appropriate certificate and clicking Revoke. This triggers a new revocation update by the respective CA to prevent further usage of the certificate.

    SCM Revoked certificate

Enabling SSL on IIS Server (Windows) using Win-ACME - auto-enrollment

Win-ACME auto-enrollment on IIS

Win-ACME installation on Windows

Execute the following instructions using account(s) with elevated rights.
  1. Download Win-ACME

  2. Extract the downloaded files to your local folder (for example, to C:\Users\Administrator\win-acme.v2.1.15.1008.x64.pluggable).

Win-ACME comes with two configuration files: settings.json and settings_default.json.

You can customize the certificate attributes in the settings.json as per your certificate requirements. For example, you can change the key size of the signature algorithm in the Security section.

Win-ACME registration with Sectigo ACME Server for certificate issuance

  1. Make sure IIS is running and listening on port 80.

  2. Open the IIS Administrator Console and select Browse to open the default webpage.

    IIS default webpage
  3. Check the IIS bindings to ensure there is no port 443 enabled already.

    IIS bindings
  4. Open a Windows Command Prompt as an Administrator.

  5. Change directory to C:\Users\Administrator\win-acme.v2.1.15.1008.x64.pluggable.

  6. Execute the following command to auto-enroll certificates on IIS using the Win-ACME client.

    wacs.exe --baseuri https://acme.demo.sectigo.com --verbose --accepttos --emailaddress [email protected] --eab-key-identifier 646ed8e2112150afa64aea43be2c901e --eab-key YjJLdlJEMTdxdmNWa3piNk9FQTRtb1Fyc3l1UklkY0pNU1pudEp1TmhrTVZBSVNS

    Select all default options to auto-enroll certificates on the IIS Server.

    IIS command prompt

Validate SSL certificate installation on IIS Server

  1. Navigate to IIS Console > Default Website > Bindings.

    IIS new binding

    You can see a second entry added automatically for SSL connections.

  2. Open a browser and navigate to https://example.iiswebserver.com/

    The webpage opens with a lock icon on the address bar to confirm SSL is enabled for this website.

    IIS example website
  3. Click View Certificates to see the certificate chain.

    IIS certificate chain
  4. The website is protected using SSL/TLS certificate received from Sectigo ACME service.

  5. The certificates are stored at the following location.

    C:\ProgramData\win-acme\acme.demo.sectigo.com

Check Win-ACME auto-renewal task list

  1. Win-ACME automatically adds a renewal script to the Windows Task Scheduler as soon as the first certificate is received.

  2. Open the Windows Task Scheduler and check for the win-acme job.

    Windows Task Scheduler
  3. The task is scheduled to run every day at 9:00 AM by default. You can configure it as per your requirement.

For more information on certificate management and custom configuration, see Automatic renewal.

Enabling SSL on Nginx server (Linux) using Lego - manual enrollment

Enabling SSL on Nginx using Lego

Install Lego ACME client on Linux

  1. Log in to the server console using the account with elevated rights.

  2. Run the following commands to install the Lego client.

    systemadmin @example:/etc/letsencrypt# cd /
    
    systemadmin @example:/# cd /tmp
    
    systemadmin @example:/tmp# sudo wget https://github.com/go-acme/lego/releases/download/v4.2.0/lego_v4.2.0_linux_amd64.tar.gz -qO- | tar -C /tmp -xz lego
  3. The following Lego client will be downloaded to the /tmp folder.

    lego_v4.2.0_linux_amd64.tar.gz
    100%[=========================================================================>]  8.67M  14.7MB/s  in 0.6s
    
    2021-03-04 22:59:13 (14.7MB/s) -
    `lego_v4.2.0_linux_amd64.tar.gz` saved [9093696/90903696]
  4. Execute the following steps to move the lego file from /tmp to /etc/lego folder (or folder of your choice).

    mkdir /etc/lego
    
    chmod 655 /etc/lego
    
    mv /tmp/lego /etc/lego/
  5. Navigate to /etc/lego.

  6. Execute the lego command to view the syntax.

    systemadmin @example:/etc/lego# ./lego
    NAME:
        lego - Let's Encrypt client written in Go
    
    USAGE:
        lego [global options] command [command options] [arguments...]
    
    VERSION: 4.2.0
    
    COMMANDS:
        run     Register an account, then create and install a certificate
        revoke  Revoke a certificate
        renew   Renew a certificate
        dnshelp Shows additional help for the '--dns' global option
        list    Display certificates and accounts information
        help, h Shows a list of commands or help for one command

Register Lego client with Sectigo ACME server using EAB values

Lego command syntax for single domain registration

    ./lego --server <ACME Server URL> --email <Email for Registration and Recovery Contact> --accept-tos --domains <Validated and Delegated domain to ACME Account in SCM> --eab --kid <KeyID> --hmac <HMAC Value> --key-type <Signature Algorithm and Keysize> --http run

Lego command syntax for multi-domain registration

    ./lego --server <ACME Server URL> --email <Email for Registration and Recovery Contact> --accept-tos --domains <Validated and Delegated domain to ACME Account in SCM> --domains <Validated and Delegated domain to ACME Account in SCM> --domains <Validated and Delegated domain to ACME Account in SCM> --eab --kid <KeyID> --hmac <HMAC Value> --key-type <Signature Algorithm and Keysize> --http run

You can provide multiple domain values; the first value is added to the Common Name of the certificate, and all values, including the first, are added to the Subject Alternative Name extension of the certificate.
  1. Execute the following lego command to register and enroll for a DV certificate from Sectigo ACME server.

    systemadmin @example:/etc/lego# ./lego --server https://acme-qa.secure.trust-provider.com/v2/DV --email [email protected] --accept-tos --domains example.nginxwebserver.com --eab --kid Ybuc2RVWOlnHWWr1wOx6Lg --hmac eJCxrjmQXhw5q75Q_Gm-6ZkRT52bghTRZ9U3wEgbiQlGod0-fUAQZNRQ_mTL3GCIiC_gU3d8xo1NTkQjc8wdog --key-type rsa2048 --http run
  2. A certificate will be issued for the example.nginxwebserver.com domain.

    DV certificate example
  3. A new folder .lego will be created under /etc/lego with newly created certificates and account information.

    systemadmin @example:~#:/etc/lego# ls -al
    total 31220
    drwxrwxrwx      3 root          root            4096 Mar 4 23:09 .
    drwxr-xr-x    124 root          root            4096 Mar 4 23:09 ..
    drwx------      4 root          root            4096 Mar 4 23:21 .lego
    -rwxr-xr-x      1 systemadmin   systemadmin 31956992 Jan 24 11:48 lego
    [email protected]:/etc/lego#
  4. Navigate to /etc/lego/.lego to see the folder details and expand /certificates folder to view the list of certificates stored.

    List of certificates stored
  5. Certificates will be stored in PEM format. Private key will be saved as <domain_name>.key.

  6. You can use the certificates and private key to install them on any web server to enable SSL.

  7. You can use the following openssl command to check the certificate content.

    systemadmin @example:~# openssl x509 -noout -text -in /etc/lego/.lego/certificates/example.nginxwebserver.com.crt
    Example certificate content

Enable SSL on Nginx server

  1. The following files are created as part of the certificate issuance:

    • example.nginxwebserver.com.crt: Full chain

    • example.nginxwebserver.com.issuer.crt: CA certificate(s)

    • example.nginxwebserver.com.key: Private key

  2. Open the /etc/nginx/sites-available/default file and add the numbered lines.

    systemadmin @example:~# nano /etc/nginx/sites-available/default
    
    server {
    
    listen 80 default_server;
    listen [::]:80 default_server;
    
    listen 443 ssl default_server; (1)
    listen [::]:443 ssl default_server; (2)
    
    ssl_certificate /etc/lego/.lego/certificates/example.nginxwebserver.com.crt; (3)
    ssl_certificate_key /etc/lego/.lego/certificates/example.nginxwebserver.com.key; (4)
    
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    access_log /var/log/nginx/nginx.vhost.access.log;
    error_log /var/log/nginx/nginx.vhost.error.log;
        location / {
        try_files $uri $uri/ =404;
        }
    }
    1 Enable SSL on port 443
    2 Enable 443 on all IP addresses associated with the web server
    3 Associate the server certificate to the web server in this PATH
    4 Associate the server private key to the web server in this PATH
  3. Save and close this file.

  4. Execute the following command to restart the nginx service.

    systemctl restart nginx
  5. Open a browser and navigate to <your_domain> using the HTTPS protocol.

    https://example.nginxwebserver.com
  6. The domain should be enabled with locked padlock to show the website is SSL enabled.

Auto-renewal configuration for the certificate

You can create a cron job with the following entry to enable auto-renewal of the certificate before expiration.

Update the content of the cron file as follows:

SHELL=/bin/sh

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */24 * * * root /etc/lego/lego --path /etc/lego/.lego --server https://acme-qa.secure.trust-provider.com/v2/DV --email [email protected] --domains example.nginxwebserver.com --http --key-type rsa2048 renew

The lego binary is called by its full path because cron does not run from /etc/lego, and --path points at the .lego folder created during enrollment so that the renewal reuses the registered account and the existing certificate. For more information on certificate management and custom configuration, see Lego.