What is the ACME Protocol?
The Automatic Certificate Management Environment (or ACME for short) Protocol is used to enable the automatic enrolment of certificates for webservers. It allows a client to request certificates using signed JSON messages sent over HTTPS. The ACME server will verify that the client owns the requested domains by using either a HTTP or DNS based challenge.
Several free and open-source ACME clients exist. The most popular of which, Certbot, can be configured to automatically install and renew certificates for Apache, Nginx, and other webservers.
The next generation of Certificate Automation
Agent for Deployment
An agent is available for deployment on the customer networks (Linux or Windows.
Within the Customer environment or the Jellyfish aaS environment
The ACME service meets all security and operational requirements of RFC 8555 to ensure the service is secure
Functionality of ACME+
ACME+ is a Cogito Group extension to the ACME protocol which allows issuance of different types of Certificates, whereas the standard protocol is limited to certificates for webservers.
When operating in ACME+ mode, the server can be configured to use other forms of trust and validation rather than relying on a certificate’s identifiers that must be based on a DNS name in the event one is not available. This mode is intended to allow for the automated issuance of certificates using convenient and familiar tools.
ACME+ enrolment process ensures the integrity of the solution
The enrolment process will ensure the integrity of the solution
Only an entity that controls and identifier can get an authorisation for that identifier
Once authorised an accounts key’s authorisations cannot be improperly used by another account.
Jellyfish ACME+ Integrations
ACME+ Design Overview
- The ACME protocol is used to enable the automatic certificates for webservers
- Primarily used by LetsEncrypt to enable domain validation (DV) and certificate enrolment/renewal for publicly facing websites
- Design covers ACME+ support within Jellyfish
- Provides the ability to proxy the ACME protocol for any CA supported
- ACME+ in Jellyfish enhances functionality
High level design
As illustrated in the diagram above, the high level design outlines:
- The ACME endpoints listed in the RFC8555 standard are implemented in Jellyfish in ACME+.
- They provide endpoints accessible through the PKI microservice for the purposes of ACME
- These are forwarded onto:
- the database (for storing the account ID’s of the ACME clients) or
- the CA microservice (for obtaining the certificates from the CSR).
- Once an ACME client has been registered, it’s account ID will be stored in the Database
- It will be able to request certificates for the server until the configured expiry time for the server is up.
- The ACME client’s registered domain and the machine it is representing is monitorable within Jellyfish through the menu
Check out our related content below: