Before discussing in detail how the ACME protocol affects the validity of SSL certificates, the SSL Indonesia team will first explain what ACME is and how it works. ACME (Automated Certificate Management Environment) is a free protocol for automated SSL certificate management between a client and a Certificate Authority (CA).
Initially, ACME was developed by the Internet Security Research Group (ISRG) for its public CA, Let's Encrypt. ACME is what underpins the Let's Encrypt model: it allows validated SSL certificates to be issued for domains with a validity of 90 days, after which the certificate can be renewed by repeating the initial process or replaced with a paid SSL certificate.
In March 2019, the ACME protocol was finally published and designated as an internet standard (RFC 8555), and commercial CAs began supporting it. One of the CAs that supports it is Sectigo, which is currently testing its support for the ACME protocol before publishing it.
What is ACME Protocol?
The Automated Certificate Management Environment (ACME) protocol is a standard way to automate the process of obtaining and renewing SSL/TLS certificates. It allows web servers to prove domain ownership and receive certificates without manual intervention.
ACME automates the issuance and renewal of certificates, improves website security, reduces human error in certificate management, and is widely supported by certificate authorities and web servers.
The ACME protocol, an open standard designed to automate the process of issuing and renewing digital certificates, has revolutionized certificate management. Developed to simplify the entire process, ACME has been widely adopted by many Certificate Authorities (CAs) and has become an internet standard (RFC 8555).
Before ACME, obtaining and managing SSL/TLS certificates was often a time-consuming manual process. Website administrators had to:
- Create a Certificate Signing Request (CSR)
- Prove domain ownership through various methods
- Submit the CSR to the Certificate Authority
- Wait for certificate approval and issuance
- Manually install the certificate on their web server
- Remember to renew the certificate before it expires
This process is prone to human error and often results in expired certificates, which in turn produce security warnings for website visitors.
ACME automates this entire process by establishing a standard protocol for communication between a web server and a Certificate Authority. The web server (ACME client) sends a request to a CA (ACME server) to obtain a certificate for a specific domain.
The CA then challenges the client to prove ownership of the domain, usually by placing a specific file on the web server. Once the CA verifies that the challenge has been completed, it issues a certificate to the client, which installs it automatically. This process can be completely automated, allowing for easy initial setup and seamless renewal.
How does ACME protocol work?
The ACME protocol works by installing a certificate management agent on a given web server. The organization or domain first undergoes validation, during which the agent handles the domain control verification; once that is complete, the agent can request, renew and revoke the certificates in use.
The mechanism is distinctive: the agent has a key pair and shares its public key with the CA at the start of the validation process. Once validation is complete and the agent has been verified as the holder of that key pair, it uses its private key to digitally sign the CSR it generates and sends the request to the CA over HTTPS.
The CA uses the CSR and its associated public key to issue a certificate and sends it back to the agent. The agent downloads and installs the certificate and then notifies the designated contact. The agent can be automated to check in with the CA at set intervals to rotate certificates and keys. It can be installed on any server that uses X.509 certificates and can handle multiple domains on the same server, or one agent can be installed per domain.
1. Issuance/Renewal
To obtain a digital certificate, the agent only needs to generate a CSR for the desired domain and send it to the CA. The CSR is generated on the server where the certificate will be used.
This is why the agent must be installed on the server first. The CSR carries the public key of the domain key pair and is signed with the corresponding private key; the agent then signs the whole request with its own private key.
The image above shows the cooperation between the agent and the CA that results in a free SSL certificate being issued. Renewal follows the same process: the agent can be configured to ping the CA periodically, either to issue a certificate or to replace all the digital certificates in use.
2. Revocation
The revocation process mirrors the issuance process. To revoke a certificate, the agent signs a revocation request with its private key; the CA verifies the signature, revokes the certificate and then publishes the information to Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) responders as needed. These are the mechanisms browsers use to check whether the SSL certificate presented by a website is still valid.
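As an added illustration of the issuance and revocation exchanges just described (not code from any real ACME client or CA), the following Python models both sides: an agent that signs every request with its account key, and a toy CA that checks the signature, the single-use nonce and the URL bound into the signed header before it issues or revokes anything. Everything here is constructed: HMAC-SHA256 stands in for the ES256/RS256 signatures real ACME uses (the standard library has no ECDSA), the CA is provisioned with the account key directly instead of through a newAccount step, the challenge step is assumed to have passed, and the "CSR" and "certificate" are plain dictionaries.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(key: bytes, protected_b64: str, payload_b64: str) -> str:
    # JWS signing input is "<protected>.<payload>" (RFC 7515). HMAC is a stand-in for ES256.
    signing_input = f"{protected_b64}.{payload_b64}".encode()
    return b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


class ToyCA:
    """Stand-in for the ACME server side: nonces, JWS verification, issue and revoke."""

    def __init__(self, accounts: dict):
        self.accounts = dict(accounts)   # kid -> account key (toy: provisioned, no newAccount step)
        self.nonces = set()
        self.orders, self.certs, self.crl = {}, {}, []

    def new_nonce(self) -> str:
        nonce = b64url(secrets.token_bytes(16))
        self.nonces.add(nonce)
        return nonce

    def handle(self, url: str, jws: dict) -> dict:
        protected = json.loads(b64url_decode(jws["protected"]))
        # Anti-replay: each POST carries a fresh nonce, and the CA consumes it on first use.
        if protected.get("nonce") not in self.nonces:
            raise ValueError("bad or replayed nonce")
        self.nonces.discard(protected["nonce"])
        # The URL is part of the signed header, so a valid request cannot be re-aimed elsewhere.
        if protected.get("url") != url:
            raise ValueError("url mismatch")
        key = self.accounts[protected["kid"]]
        if not hmac.compare_digest(sign(key, jws["protected"], jws["payload"]), jws["signature"]):
            raise ValueError("bad signature")
        payload = json.loads(b64url_decode(jws["payload"]))
        if url == "/newOrder":
            order_id = f"order-{len(self.orders) + 1}"
            # A real CA would now demand a challenge per identifier; the toy treats them as passed.
            self.orders[order_id] = {"kid": protected["kid"], "identifiers": payload["identifiers"]}
            return {"order": order_id, "finalize": f"/finalize/{order_id}"}
        if url.startswith("/finalize/"):
            order = self.orders[url.rsplit("/", 1)[1]]
            if order["kid"] != protected["kid"]:
                raise ValueError("order belongs to another account")
            if set(payload["csr"]["domains"]) != set(order["identifiers"]):
                raise ValueError("CSR names do not match the validated order")
            serial = f"serial-{len(self.certs) + 1}"
            self.certs[serial] = {"domains": payload["csr"]["domains"], "status": "valid"}
            return {"certificate": serial, "status": "valid"}
        if url == "/revokeCert":
            serial = payload["certificate"]
            self.certs[serial]["status"] = "revoked"
            self.crl.append(serial)      # the point at which CRL / OCSP data would be updated
            return {"certificate": serial, "status": "revoked"}
        raise ValueError("unknown resource")


class ToyAgent:
    """Stand-in for the certificate management agent (ACME client)."""

    def __init__(self, ca: ToyCA, kid: str, key: bytes):
        self.ca, self.kid, self.key = ca, kid, key
        self.last_request = None   # kept only so the replay check in demo() can reuse a sent request

    def post(self, url: str, payload: dict) -> dict:
        protected = {"alg": "HS256", "kid": self.kid, "nonce": self.ca.new_nonce(), "url": url}
        p = b64url(json.dumps(protected, separators=(",", ":")).encode())
        body = b64url(json.dumps(payload, separators=(",", ":")).encode())
        jws = {"protected": p, "payload": body, "signature": sign(self.key, p, body)}
        self.last_request = (url, jws)
        return self.ca.handle(url, jws)

    def obtain(self, domains) -> dict:
        order = self.post("/newOrder", {"identifiers": list(domains)})
        csr = {"domains": list(domains), "public_key": "domain-key-stub"}   # constructed CSR stand-in
        return self.post(order["finalize"], {"csr": csr})

    def revoke(self, serial: str) -> dict:
        return self.post("/revokeCert", {"certificate": serial, "reason": 1})   # 1 = keyCompromise


def demo() -> dict:
    key = secrets.token_bytes(32)
    ca = ToyCA({"acct-1": key})
    agent = ToyAgent(ca, "acct-1", key)
    cert = agent.obtain(["example.com", "www.example.com"])
    revoked = agent.revoke(cert["certificate"])
    url, jws = agent.last_request            # replay the captured revocation request as-is
    try:
        ca.handle(url, jws)
        replay = "accepted"
    except ValueError as err:
        replay = str(err)
    return {"issued": cert["status"], "revoked": revoked["status"], "crl": list(ca.crl), "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The two checks worth noticing on the CA side are the ones ACME relies on for safety: the nonce makes a captured request useless a second time, and the `url` in the signed header stops a signature made for one resource from being presented to another. The finalize step also refuses a CSR whose names differ from the order that was validated, which is the control that keeps a validated order from being turned into a certificate for a different name.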
What are the benefits of ACME?
The ACME protocol offers many benefits to website owners and administrators:
- Automation: Significantly reduces manual intervention in certificate management.
- Enhanced Security: Automatic and regular updates ensure certificates are always up to date.
- Cost-effectiveness: Many ACME-compatible CAs offer free or low-cost certificates.
- Reduced Errors: Automation minimizes the risk of human error in the certificate process.
- Scalability: Allows easy management of certificates for multiple domains or subdomains.
- Standardization: As an open standard, ACME promotes interoperability between systems.
How to setup ACME?
To get started with ACME for your website, follow these steps:
- Choose an ACME Client: Choose a client that is actively maintained, well-documented, supports your operating system and web server, and offers the features you need (e.g., wildcard certificates, multiple domain support).
- Install the ACME Client: The installation process varies depending on the client and system you choose. You can use a package manager, download the client directly from the developer’s website, or clone the repository and build the client from source. Always refer to the official documentation of your chosen ACME client for specific installation instructions.
- Configure the Client: Set up your ACME client with your preferred domain details and settings. This typically involves specifying the domain you want to secure, the web server you are using (e.g., Apache, Nginx), and where your certificate is stored.
- Request a Certificate: Run your ACME client to begin the certificate request process. The client will create a certificate signing request, prove ownership of the domain to the CA, and receive and install the certificate.
- Configure Your Web Server: While most ACME clients will automatically configure your web server to use the new certificate, you may need to make some manual adjustments depending on your setup. For Apache, make sure your virtual host configuration includes the path to your new certificate file. For Nginx, update your server block with the path to your new certificate and key files.
- Set Up Auto-Renewal: ACME certificates typically have a short validity period (often 90 days) to encourage frequent updates and improve security. Set up auto-renewal to ensure your certificate stays current. Most ACME clients offer a built-in renewal mechanism, and you can usually set up a cron job or scheduled task to run the renewal process regularly.
How Does ACME Affect SSL Certificate Validity?
The ACME protocol is essentially a simple security system: the whole process relies on an agent as the medium that activates SSL certificates on websites. This protocol has become the standard security mechanism used on websites.
So is this valid, and can it be said to be secure for use on websites? No! Free SSL of this kind is strongly not recommended by the SSL Indonesia team, even though it has been recognized by Google.
However, you need to understand that the ACME protocol can also be used to issue SSL certificates with high levels of authentication for business websites. This depends on the working relationship between the CA and the certificate provider, for example Sectigo. Sectigo will be given an account by the CA and invest in the CA used. The protocol used is still the same; only a few things differ, and they occur independently without using an agent on ACME.
Advanced ACME Features
ACME supports issuing wildcard certificates, which secure a domain and all of its subdomains. To request a wildcard certificate, you typically need to use a DNS challenge to validate the domain. Additionally, ACME provides a standard way to revoke a certificate if it is compromised or no longer needed.
Common ACME Troubleshooting
When implementing ACME, you may encounter several common issues:
- Rate Limiting: Be aware of the rate limits that most ACME CAs impose to prevent abuse.
- Connectivity Issues: Make sure your server can communicate with the ACME CA server; check your firewall rules if you are having connection issues.
- Domain Validation Failures: A misconfigured web server can prevent successful domain validation, so make sure your server is serving challenge responses correctly.
- DNS Challenges: For DNS-based challenges, make sure your DNS records are set up and propagated correctly.
- Permissions Errors: ACME clients often require elevated permissions to write certificates and configure web servers; use the appropriate privilege elevation when necessary.
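The challenge step described earlier (the CA asking the client to place a specific file on the web server), the DNS challenge that wildcard certificates require, and the domain validation and DNS items in the troubleshooting list above all come down to one computation: the key authorization, built from the challenge token and the thumbprint of the account key's JWK (RFC 7638). The following Python is an added example written for this article, not code from any ACME client; the JWK coordinates and the token are constructed sample values with no real key material behind them, and the two `check_*` functions are hypothetical diagnostic helpers for working out why a validation failed.

```python
import base64
import hashlib
import json
import re

B64URL_43 = re.compile(r"^[A-Za-z0-9_-]{43}$")   # unpadded base64url of a 32-byte SHA-256 digest

# Sample account public key, constructed for this example (arbitrary coordinates; no signing happens).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "Qx8vZ3mK1pL0aB2cD4eF6gH8iJ0kL2mN4oP6qR8sT0u",
    "y": "Uv2wX4yZ6aB8cD0eF2gH4iJ6kL8mN0oP2qR4sT6uV8w",
}
# Required public members per key type; RFC 7638 hashes only these, in lexicographic order.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required public members only, keys sorted, no whitespace.
    members = {name: jwk[name] for name in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def http01_key_authorization(token: str, jwk: dict) -> str:
    # RFC 8555 section 8.1: "<token>.<thumbprint>", served as the body of the challenge URL.
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_path(token: str) -> str:
    return f"/.well-known/acme-challenge/{token}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    # RFC 8555 section 8.4: base64url(SHA-256(key authorization)) published in a TXT record.
    digest = hashlib.sha256(http01_key_authorization(token, jwk).encode()).digest()
    return b64url(digest)


def dns01_record_name(domain: str) -> str:
    # A wildcard order for *.example.com is validated at _acme-challenge.example.com.
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def check_http01_response(served: str, token: str, jwk: dict) -> str:
    # Hypothetical diagnostic helper: classify what the web server actually returned for the challenge URL.
    body = served.rstrip()                       # trailing whitespace is tolerated (RFC 8555 section 8.3)
    if body == http01_key_authorization(token, jwk):
        return "ok"
    if "." not in body or not B64URL_43.match(body.rsplit(".", 1)[1]):
        return "not a key authorization (error page, redirect body or wrong file served)"
    got_token, _ = body.rsplit(".", 1)
    if got_token != token:
        return "token mismatch (stale response left over from an earlier order)"
    return "thumbprint mismatch (response was computed for a different account key)"


def check_dns01_records(txt_values, token: str, jwk: dict) -> str:
    # Hypothetical diagnostic helper: compare the TXT values a resolver returned with the expected one.
    if dns01_txt_value(token, jwk) in txt_values:
        return "ok"
    if txt_values:
        return "only stale TXT values present (old record not replaced, or new record not yet propagated)"
    return "no TXT record found (record not created or not yet propagated)"


if __name__ == "__main__":
    token = "b7OdMtLp2Tw1Q8qE5rYxUvC9Sa3FgHjKnW4ZmXoPqR0"   # constructed sample token
    print(http01_path(token), http01_key_authorization(token, ACCOUNT_JWK))
    print(dns01_record_name("*.example.com"), dns01_txt_value(token, ACCOUNT_JWK))
```

Two details matter for troubleshooting. The thumbprint ignores member order and any extra JWK fields, so a reordered or annotated copy of the same public key yields the same value, whereas a client that has silently created a new account key yields a different one, which is what the "thumbprint mismatch" outcome points at. For DNS-01, the CA looks for the exact TXT value, so a record left behind from an earlier order does not help and a freshly added one is only useful once resolvers outside your network return it.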
Conclusion
The ACME protocol has revolutionized SSL/TLS certificate management, making it easier to secure websites and maintain valid certificates. By automating the certificate lifecycle, ACME helps improve internet security, reduce administrative burdens, and ensure a smoother experience for website operators and visitors.
When implementing ACME for your own website, remember to:
- Choose a reliable ACME client that is compatible with your environment
- Monitor your certificate status and renewal process regularly
- Keep your ACME client software and web server up to date
- Follow security best practices for storing and managing your certificates
With ACME, maintaining HTTPS for your website becomes a seamless, automated process, allowing you to focus on other aspects of your web presence while ensuring user connections remain secure.