This article describes the support for the protocol Automatic Certificate Management Environment (ACME) in Nexus Smart ID.
What is ACME?
The ACME protocol, as defined in RFC 8555, enables certificate automation for provisioning X.509 certificates, primarily to web servers but also to other services.
Many critical services and servers are already equipped with certificates that prove their identity securely, but they lack automation, for example to renew certificates before the existing ones expire. Critical services often stop because their certificates expire and renewal depends on manual processes. The automation that comes with ACME enables universal encryption on the Internet.
The ACME protocol is supported by many standard clients available in most operating systems for automated issuing, renewal and revocation of certificates. For example, the certbot ACME client can be used to automate handling of TLS web-server certificates for common HTTP servers, such as Apache and Nginx. For more information, see ACME Client Implementations.
ACME is also readily available in many server applications and devices that need X.509 certificates, making it easier to automatically provision certificates. Many devices, such as servers, printers and NAS (Network-attached storage) devices, also come with support for ACME.
Common drivers to use ACME
Here are some common drivers for deploying ACME in a production environment:
- Full automation of key and certificate management
- Desire to get server-side monitoring and alerting
- More structured process for requesting certificates to edge devices or printers
- Streamlined interaction between requesters and administrators
- Aiming to use an arbitrary ACME client to interact with private or public trusted CAs
- Possibility to combine software as a service and on-premise installations
- Audit-friendly reporting to assure compliance, and enhance incident management
Nexus' ACME solution
Enabling ACME in our Smart ID offering helps our Enterprise customers issue and manage certificate-based identities for their servers and devices automatically and instantly, with no human intervention.
Support for the ACME protocol in Nexus Certificate Manager is managed via Protocol Gateway. The ACME service in Protocol Gateway is used to automate the process of issuing X.509 (PKIX) certificates using the ACME protocol.
ACME support in Certificate Manager will come with version 8.1.
ACME process in Protocol Gateway
The ACME process is made up of the following major steps:
- Create ACME account - The ACME client creates an account on the ACME server.
  The ACME service in Protocol Gateway can be configured so that creating ACME accounts either:
  - is allowed for all requesting clients, or
  - requires a preregistration in Certificate Manager.
- Create order - The ACME client requests a certificate by creating an order for certain domain names.
  If ACME is configured to require preregistration, the preregistration can also contain a list of allowed domain names per registration.
- Validate challenge - The ACME server verifies that the requested domain names are controlled by the ACME client, by validating a set of server-issued challenges.
- Issue certificate - The ACME service in Protocol Gateway uses Certificate Manager to issue a certificate, using a certificate signing request (CSR) provided by the ACME client.
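The steps above, as an added example that is not part of Nexus' documentation or Protocol Gateway's code: a standard-library Python sketch of what the ACME server checks in the "validate challenge" step, plus the preregistration allow-list check for the "create order" step. The account keys, challenge token, domain names and preregistration record are all constructed for illustration. The JWK thumbprint follows RFC 7638; the key authorization and the DNS-01 TXT value follow RFC 8555 (sections 8.1, 8.3 and 8.4).

```python
import base64
import hashlib
import json

# Constructed sample data (not real keys or tokens): two ACME account keys as
# RSA JWKs, a server-issued challenge token and a preregistration record of the
# kind the article describes (account plus allowed domain names).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-account-A"}
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-account-B"}
CHALLENGE_TOKEN = "sampleToken-notRandom-0123456789"
PREREGISTRATION = {
    "account": "srv-team",
    "allowed_domains": ["www.example.com", "api.example.com"],
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 (via RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (RSA: e, kty, n; EC: crv, kty, x, y), keys in
    lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps(
        {k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":")
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account public key).
    Binding the token to the account key is what ties the challenge to the
    account that created the order."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the _acme-challenge TXT record carries
    base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def server_validates_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """Server-side check for http-01 (RFC 8555 section 8.3): the body fetched
    from http://<domain>/.well-known/acme-challenge/<token> must equal the key
    authorization computed from *this* account's key. Trailing whitespace after
    the body is ignored, as the RFC says the server SHOULD do."""
    return served_body.rstrip() == key_authorization(token, account_jwk)


def order_allowed(requested_domains: list, preregistration: dict) -> bool:
    """Preregistration policy as described above: every identifier in an order
    must be on the registration's allow-list (exact, case-insensitive match)."""
    allowed = {d.lower() for d in preregistration["allowed_domains"]}
    return all(d.lower() in allowed for d in requested_domains)


if __name__ == "__main__":
    # Constructed walk-through: the client publishes the key authorization,
    # the server fetches it and compares it against the account key on file.
    body = key_authorization(CHALLENGE_TOKEN, ACCOUNT_JWK) + "\n"
    print("http-01 body served by client:", body.strip())
    print("server accepts:", server_validates_http01(body, CHALLENGE_TOKEN, ACCOUNT_JWK))
    print("other account's key accepted:", server_validates_http01(body, CHALLENGE_TOKEN, OTHER_JWK))
    print("dns-01 TXT value:", dns01_txt_value(CHALLENGE_TOKEN, ACCOUNT_JWK))
    print("order for www.example.com allowed:", order_allowed(["www.example.com"], PREREGISTRATION))
    print("order for other.example.net allowed:", order_allowed(["other.example.net"], PREREGISTRATION))
```

The point to take from the validation functions is that the token alone is never enough: the server compares the served value against the key authorization for the account key it holds, so a response produced with a different account key fails even when the token matches. The `order_allowed` check is a simplified stand-in for the preregistration policy the article mentions; a real deployment would also have to decide how wildcard names and subdomains are matched.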
Manage ACME accounts in Nexus PRIME
The credential management solution Nexus PRIME is planned to implement support for ACME accounts and lifecycle management of certificates from Certificate Manager or from third-party CAs, such as QuoVadis and D-Trust.
Certificates from all CAs will be published to PRIME, so that complete and seamless lifecycle management is available in one central system.