ACME+ Facts
What is the ACME Protocol?
![2024_ACME_protocol](https://cogitogroup.net/wp-content/uploads/2024/01/2024_ACME_protocol.png)
The Automatic Certificate Management Environment (ACME) protocol is used to enable the automatic enrolment of certificates for webservers. It allows a client to request certificates using signed JSON messages sent over HTTPS. The ACME server verifies that the client owns the requested domains by using either an HTTP-based or a DNS-based challenge.
Several free and open-source ACME clients exist. The most popular, Certbot, can be configured to automatically install and renew certificates for Apache, Nginx, and other webservers.
ACME+
The next generation of Certificate Automation
![AgentforDeploymentIcon](https://cogitogroup.net/wp-content/uploads/2024/01/AgentforDeploymentIcon.png)
Agent for Deployment
An agent is available for deployment on customer networks (Linux or Windows).
![Deploymnt](https://cogitogroup.net/wp-content/uploads/2024/01/Deploymnt.png)
Deployment
Within the Customer environment or the Jellyfish aaS environment
![RFC8555](https://cogitogroup.net/wp-content/uploads/2024/01/RFC8555.png)
RFC 8555
The ACME service meets all security and operational requirements of RFC 8555 to ensure the service is secure
Functionality of ACME+
ACME+ is a Cogito Group extension to the ACME protocol which allows issuance of different types of Certificates, whereas the standard protocol is limited to certificates for webservers.
When operating in ACME+ mode, the server can be configured to use other forms of trust and validation where no DNS name is available, rather than relying on certificate identifiers that must be based on a DNS name. This mode is intended to allow for the automated issuance of certificates using convenient and familiar tools.
![ACME functionality enhancements_final](https://cogitogroup.net/wp-content/uploads/2024/01/ACME-functionality-enhancements_final.png)
Integrity
ACME+ enrolment process ensures the integrity of the solution
![identifier](https://cogitogroup.net/wp-content/uploads/2024/01/identifier.png)
Identifier
Only an entity that controls an identifier can get an authorisation for that identifier.
![authorisation](https://cogitogroup.net/wp-content/uploads/2024/01/authorisation.png)
Authorisation
Once authorised, an account key’s authorisations cannot be improperly used by another account.
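The HTTP and DNS challenges described above, and the identifier and authorisation properties just listed, rest on one construction in RFC 8555: the challenge response is the token joined to the RFC 7638 thumbprint of the account key, so a response only proves control for the account that computed it. The following is an added example of that construction and of the server-side check (not Cogito Group or Jellyfish code); the token and the two JWKs are constructed sample values, not real keys or curve points.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an account key: keep only the required public
    members, sort them, serialise with no whitespace, SHA-256, base64url."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    canonical = json.dumps({m: jwk[m] for m in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key). This is what
    ties a proof of control over an identifier to one specific ACME account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: value of the TXT record at _acme-challenge.<domain>."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def verify_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """Server-side check of GET /.well-known/acme-challenge/<token>: the body
    must equal the key authorization for *this* account. Trailing whitespace
    is ignored (RFC 8555 section 8.3); the comparison is constant-time."""
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(served_body.rstrip().encode("utf-8"), expected.encode("utf-8"))


# Constructed sample data: a 32-byte token and two fake EC P-256 JWKs.
TOKEN = b64url(bytes(range(32)))
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32),
               "alg": "ES256", "use": "sig"}  # optional members do not affect the thumbprint
OTHER_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x03" * 32), "y": b64url(b"\x04" * 32)}

if __name__ == "__main__":
    print("HTTP-01 body:", key_authorization(TOKEN, ACCOUNT_JWK))
    print("DNS-01 TXT  :", dns01_txt_value(TOKEN, ACCOUNT_JWK))
    # A response computed under a different account key must be rejected.
    print("other account accepted?", verify_http01(key_authorization(TOKEN, OTHER_ACCOUNT_JWK), TOKEN, ACCOUNT_JWK))
```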
Jellyfish ACME+ Integrations
![ACME integrations](https://cogitogroup.net/wp-content/uploads/2024/01/ACME-integrations.png)
ACME+ Design Overview
- The ACME protocol is used to enable automatic certificate enrolment for webservers
- Primarily used by Let's Encrypt to enable domain validation (DV) and certificate enrolment/renewal for publicly facing websites
- Design covers ACME+ support within Jellyfish
- Provides the ability to proxy the ACME protocol for any supported CA
- ACME+ in Jellyfish enhances functionality
High level design
As illustrated in the diagram above, the high level design outlines:
- The ACME endpoints listed in the RFC 8555 standard are implemented in Jellyfish in ACME+.
- They provide endpoints accessible through the PKI microservice for the purposes of ACME.
- These are forwarded on to:
  - the database (for storing the account IDs of the ACME clients), or
  - the CA microservice (for obtaining the certificates from the CSR).
- Once an ACME client has been registered, its account ID will be stored in the database.
- It will be able to request certificates for the server until the configured expiry time for the server is up.
- The ACME client’s registered domain and the machine it is representing are monitorable within Jellyfish through the menu.