Sectigo ACME service architecture overview

Sectigo ACME service diagram

ACME clients communicate with Sectigo ACME servers to request and manage certificates through ACME enrollment endpoints. An ACME enrollment endpoint is an HTTPS URL on which the ACME server listens for requests from ACME clients carrying the supported parameters. The client requests certificate management actions using a set of JavaScript Object Notation (JSON) messages carried over HTTPS.

Certificate management using ACME is similar to other enrollment protocols such as PKIX-CMP or SCEP: a user account is created on the CA side, the user requests a certificate using shared secrets (or authorization codes), proves possession of the private key and, for DV certificates, additionally completes domain validation before the CA issues the requested certificate.

Sectigo ACME enrollment endpoints: Sectigo serves certificates to customers through the following two categories of ACME endpoints, public ACME and private ACME:

Public ACME: Connects to the public ACME service that is connected to the public CA to enroll and manage SSL certificates.

Private ACME: Connects to the private ACME service that is connected to a private CA and uses private trust level certificate profiles for enrolling and managing SSL certificates.

The endpoints available depend on the features that have been enabled for your account.

Automated certificate management with the Sectigo ACME Service

There are four major steps involved in the automatic certificate enrollment through Sectigo ACME services:

  1. ACME account creation (Pre-registration on SCM is required)

  2. Domain validation and delegation

    • Domain validation is not required for private ACME (connecting to private CA)

    • Domain validation for public ACME (connecting to public CA) has two cases:

      • Domain validated in SCM: no challenges are issued via ACME.

      • Domain not validated in SCM: ACME issues challenges to validate the requested domains.

  3. ACME client registration using External Account Binding Identifier (keyID) and authorization code (HMAC value)

  4. Certificate Signing Request (CSR) submission and certificate issuance

All four steps must be completed for a successful server certificate enrollment with the Sectigo ACME server(s).
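For the case in step 2 where the domain is not yet validated in SCM and the ACME server issues challenges, the following added example (not Sectigo's code, and not taken from any of the clients named on this page) shows what the client must publish in response: the HTTP-01 key authorization and the DNS-01 TXT value, both derived from the challenge token and the RFC 7638 thumbprint of the account key (RFC 8555, sections 8.1, 8.3 and 8.4). The account JWK, challenge URLs and tokens are constructed placeholders; the token check is there because the token is server-chosen and ends up in a filesystem path.

```python
"""Added example (not Sectigo's code): deriving the responses an ACME client
publishes when the server issues challenges for a domain that is not already
validated in SCM. All inputs below are constructed placeholders."""
import base64
import hashlib
import json
import re

# Constructed EC P-256 public JWK standing in for the ACME account key.
# The coordinates are placeholder base64url strings, not a real curve point.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate-base64url-value-----",
    "y": "placeholder-y-coordinate-base64url-value-----",
}

# Constructed challenge objects of the shape an ACME server returns inside an
# authorization; the URLs and tokens are placeholders.
HTTP01_CHALLENGE = {"type": "http-01", "status": "pending",
                    "url": "https://acme.example.test/chall/1",
                    "token": "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"}
DNS01_CHALLENGE = {"type": "dns-01", "status": "pending",
                   "url": "https://acme.example.test/chall/2",
                   "token": "DGyRejmCefe7v4NfDGDKfA"}

# RFC 8555 section 8.3: a token MUST NOT contain characters outside base64url.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> bytes:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).digest()


def key_authorization(challenge: dict, jwk: dict) -> str:
    """token '.' base64url(thumbprint(accountKey)). The token is server-chosen,
    so reject anything outside the base64url alphabet before it reaches a path."""
    token = challenge["token"]
    if not _TOKEN_RE.match(token):
        raise ValueError("challenge token contains characters outside base64url")
    return f"{token}.{b64url(jwk_thumbprint(jwk))}"


def http01_response(challenge: dict, jwk: dict):
    """Path the web server must answer on port 80 and the exact body to return."""
    keyauth = key_authorization(challenge, jwk)
    return f"/.well-known/acme-challenge/{challenge['token']}", keyauth


def dns01_record(challenge: dict, domain: str, jwk: dict):
    """TXT record name and value: base64url(SHA-256(keyAuthorization))."""
    keyauth = key_authorization(challenge, jwk)
    digest = hashlib.sha256(keyauth.encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


if __name__ == "__main__":
    path, body = http01_response(HTTP01_CHALLENGE, ACCOUNT_JWK)
    print("HTTP-01: serve", path, "with body", body)
    name, value = dns01_record(DNS01_CHALLENGE, "www.example.com", ACCOUNT_JWK)
    print("DNS-01: publish", name, "TXT", value)
```

The thumbprint covers only the required JWK members, so optional members such as `alg` or `use` on the account key do not change the key authorization; the DNS-01 value is a digest of the whole key authorization, which is why it is safe to leave in public DNS after validation.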

Deployment model explained (with domain validation in SCM)

  • Customer creates an account on the ACME server through SCM to bind the SCM account with ACME account.

  • This creates the External Account Binding (EAB) values (the authorization code) for the ACME account on a specific endpoint.

  • System administrators then send these EAB values (key ID and HMAC key), along with other certificate-related information, to a specific enrollment endpoint (ACME server) through an ACME client.

  • The ACME server checks the EAB values, links the accounts and then deletes the EAB on the server side so that it cannot be reused from a different server.

  • This prevents the same EAB keys from being used on different servers with a different account.

  • All subsequent ACME requests, such as enrolling or renewing certificates, are signed with the account key pair that was registered from the web server.
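The binding and single-use behaviour described above, as an added example that is not Sectigo's code and does not reproduce the Sectigo server's implementation: the client side builds the `externalAccountBinding` JWS that goes into the newAccount request from the SCM-issued key ID and HMAC key (RFC 8555, section 7.3.4), and a small server-side registry verifies it and deletes the key after the first successful binding, so a replay of the same EAB from another server is rejected. The key ID, HMAC key, endpoint URL and account JWK are constructed placeholders; the outer JWS signed by the account private key is not shown.

```python
"""Added example (not Sectigo's code): client-side construction of the
externalAccountBinding JWS and server-side verification with single-use EAB keys.
All identifiers, keys and URLs are constructed placeholders."""
import base64
import hashlib
import hmac
import json

EAB_KEY_ID = "eab-kid-placeholder-0001"                     # constructed; SCM issues the real one
EAB_HMAC_KEY = base64.urlsafe_b64encode(
    b"constructed-demo-hmac-key-not-a-real-one").rstrip(b"=").decode("ascii")
NEW_ACCOUNT_URL = "https://acme.example.test/newAccount"    # placeholder endpoint URL
# Constructed EC public JWK for the account key; the coordinates are placeholders.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "placeholder-x-coordinate-base64url-value-----",
               "y": "placeholder-y-coordinate-base64url-value-----"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def build_eab(key_id: str, hmac_key_b64url: str, account_jwk: dict, url: str) -> dict:
    """Client side. The protected header names the EAB key (kid) and the newAccount
    URL, the payload is the account public key, and the MAC is HMAC-SHA256 keyed
    with the decoded SCM HMAC key."""
    protected_b64 = b64url(_compact_json({"alg": "HS256", "kid": key_id, "url": url}))
    payload_b64 = b64url(_compact_json(account_jwk))
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


class EabRegistry:
    """Server side. Holds EAB keys issued through SCM; each is deleted on the first
    successful binding, so it cannot bind a second account from another server."""

    def __init__(self, issued: dict):
        self._pending = dict(issued)   # key ID -> base64url HMAC key
        self.bound = {}                # key ID -> account JWK it was bound to

    def verify_and_consume(self, eab: dict, account_jwk: dict, url: str):
        """Returns (ok, reason). account_jwk is the 'jwk' of the outer newAccount JWS."""
        try:
            protected = json.loads(b64url_decode(eab["protected"]))
            payload = json.loads(b64url_decode(eab["payload"]))
            signature = b64url_decode(eab["signature"])
        except (KeyError, ValueError):
            return False, "malformed EAB"
        if not isinstance(protected, dict):
            return False, "malformed EAB"
        if protected.get("alg") != "HS256" or protected.get("url") != url:
            return False, "unexpected alg or url in EAB protected header"
        key_id = protected.get("kid")
        if key_id not in self._pending:
            return False, "unknown or already used EAB key ID"
        signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
        expected = hmac.new(b64url_decode(self._pending[key_id]), signing_input,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "EAB HMAC does not verify"
        if payload != account_jwk:
            return False, "EAB payload does not match the account key in the outer JWS"
        del self._pending[key_id]      # single use: the EAB is deleted server-side
        self.bound[key_id] = account_jwk
        return True, "account bound"


def demo():
    """First binding succeeds; replaying the same EAB afterwards is rejected."""
    registry = EabRegistry({EAB_KEY_ID: EAB_HMAC_KEY})
    eab = build_eab(EAB_KEY_ID, EAB_HMAC_KEY, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    first = registry.verify_and_consume(eab, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    replay = registry.verify_and_consume(eab, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The checks run in an order that matters operationally: a bad header, unknown key ID or failing MAC leaves the EAB key untouched, and only a fully verified binding deletes it, so a mistyped HMAC key on the web server does not burn the pairing issued in SCM. The HMAC key itself is only sensitive until that first binding; after it the account is identified by its registered key pair.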

Prerequisites

  • Operating system and supported web server(s) installed and configured according to your organization's policy

  • Organization registered with Sectigo and SCM account created for administrator access

  • The latest version of an ACME client that supports External Account Binding (EAB)

The following table presents the minimum software requirements.

OS                   Minimum software requirements

Microsoft Windows    Web servers:
                       • Apache (manual enrollment using Certbot)
                       • IIS (auto-enrollment using Win-ACME plugin)
                     ACME clients:

Debian 10 (Linux)    Web servers:
                       • Apache (auto-enrollment using Certbot)
                       • Nginx (auto-enrollment using Lego)
                     ACME clients:
                       • Certbot
                       • Lego