
Request certificate via ACME and Protocol Gateway in Certificate Manager

This article contains updates for Certificate Manager 8.6.1.

Nexus' ACME solution is based on Protocol Gateway:

Smart ID ACME solution

The ACME process is made up of the following major steps:

  1. Create ACME account - The ACME client creates an account on the ACME server. In Certificate Manager, this is handled as a registration that is stored in the Certificate Manager database.
     The ACME service in Protocol Gateway can be configured so that creating ACME accounts either:

     1. is allowed for all requesting ACME clients, or
     2. requires a pre-registration in Certificate Manager.

  2. Create order - The ACME client requests a certificate by creating an order for certain domain names.
     If the ACME service in Protocol Gateway is configured to require pre-registration, the pre-registration can also contain a list of allowed domain names per registration.

  3. Validate challenge - The ACME server verifies that the requested domain names are controlled by the ACME client, by validating a set of server-issued challenges. For example, the client may need to prove that it can place a token at a pre-determined location on a web server serving the requested domain name, or that it can create a DNS record for the domain. The supported challenge validation methods are 'http-01' and 'dns-01'. For dns-01, the domain name can contain wildcards.

  4. Issue certificate - The ACME service in Protocol Gateway uses Certificate Manager to issue a certificate, using a certificate signing request (CSR) provided by the ACME client.
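The following example, added for this page and not taken from Protocol Gateway or Certificate Manager, illustrates the server side of steps 2 and 3 above: an order is checked against a pre-registration allow-list (including the wildcard case that only dns-01 can validate), and the expected http-01 response body and dns-01 TXT record value are derived from the challenge token and the account key thumbprint as RFC 8555 and RFC 7638 define them. The registration table, account JWK and tokens are constructed sample values; the allow-list rule is an illustration, not the product's actual matching logic.

```python
"""Illustration of ACME order checks and challenge material (example code,
not Protocol Gateway's implementation). All data below is constructed."""
from __future__ import annotations

import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# --- Step 2: check an order against a pre-registration --------------------
# Constructed sample: ACME account id -> domain names the registration permits.
PRE_REGISTRATIONS = {
    "acct-1001": ["www.example.test", "*.apps.example.test"],
}


def domain_allowed(account: str, name: str) -> bool:
    """True if `name` is covered by the account's pre-registration.
    A registered wildcard entry covers exactly one label to its left
    (assumed rule for this example)."""
    for allowed in PRE_REGISTRATIONS.get(account, []):
        if allowed == name:                      # exact match, incl. "*.x" == "*.x"
            return True
        if allowed.startswith("*."):
            suffix = allowed[1:]                 # ".apps.example.test"
            head, sep, tail = name.partition(".")
            if sep and head and head != "*" and "." + tail == suffix:
                return True
    return False


def check_order(account: str, identifiers: list[str]) -> list[str]:
    """Return identifiers NOT covered by the registration; an empty list means
    the order may proceed. An unknown account covers nothing."""
    return [i for i in identifiers if not domain_allowed(account, i)]


# --- Step 3: challenge material (RFC 8555 sections 8.1, 8.3, 8.4) ----------
# Constructed sample account public key in JWK form. The modulus is a
# placeholder string, not a real RSA modulus; only the thumbprint math matters here.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key"}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically sorted, serialised with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def new_token() -> str:
    """Server-issued challenge token: 256 random bits, base64url encoded."""
    return b64url(secrets.token_bytes(32))


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || thumbprint(account key); the http-01 response body."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record value for _acme-challenge.<domain>: base64url(SHA-256(keyAuthz))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def validate_http01(fetched_body: str, token: str, jwk: dict) -> bool:
    """Compare the body fetched from
    http://<domain>/.well-known/acme-challenge/<token> with the expectation.
    Trailing whitespace is ignored (RFC 8555 section 8.3); the comparison is
    constant-time."""
    return secrets.compare_digest(fetched_body.rstrip(), key_authorization(token, jwk))


def validate_dns01(txt_records: list[str], token: str, jwk: dict) -> bool:
    """Accept if any TXT record found for the name equals the expected value."""
    expected = dns01_txt_value(token, jwk)
    return any(secrets.compare_digest(r.strip(), expected) for r in txt_records)


if __name__ == "__main__":
    tok = new_token()
    print("order gaps:", check_order("acct-1001", ["www.example.test", "a.b.apps.example.test"]))
    print("http-01 body:", key_authorization(tok, ACCOUNT_JWK))
    print("dns-01 TXT:  ", dns01_txt_value(tok, ACCOUNT_JWK))
```

The order check is where a pre-registration's domain list takes effect: the server should refuse an order before issuing any challenge if an identifier is outside the registration, and a wildcard identifier only makes sense when the registration itself lists the wildcard, since it can only be proven via dns-01.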

Certificates that have been issued to an authorized ACME account can be revoked via the ACME protocol, as long as certain requirements are met. For more information, see Requirements to revoke certificates issued by ACME account.

Additional information
