How to use Certbot to issue a Certum SSL ACME certificate?
Certum supports ACME v2, as defined in RFC 8555.
There are many third-party ACME clients, and Certum does not recommend any of them in particular; Certum also does not offer its own ACME client. The sample instructions below use Certbot as an example and are for illustrative purposes only. For step-by-step guidance on a server-side deployment of Certbot or any other ACME client, use the dedicated instructions and support materials provided by that client's publisher.
Certbot software installation
- Download and install the ACME client on the server, e.g. Certbot, using the official instructions: https://certbot.eff.org/
Note: Certbot is not a Certum product. To run and configure the ACME client on the server, follow the user guide and technical support recommendations from the publisher of the ACME client. For Certbot the guide is available at: https://eff-certbot.readthedocs.io/en/stable/using.html.
To get help with installing and configuring any other ACME client, visit its publisher’s website and follow the instructions provided there.
Certificate activation using Certbot
- Start the registration of an ACME account with Certum using the command below. Fill in the kid and hmac values with the data shown in the Certum certificate details:
certbot register --server https://acme.certum.pl/directory --eab-kid z2r7_WC57nZWHvCbyjRV94y836hq19CWPLdU7naHaXXXXXXXXXXXXXXXXXX --eab-hmac-key ZjExMWNiNzQ1ZGI0NjE0MWU3ZjYwNDZjMzhhOGRiYjhmNjFlMjBjOGXXXXXXXXXXXXXXX
If you do not have the ACME credentials (EAB kid and hmac), see the instructions on how to activate an SSL product using ACME.
- Provide the e-mail address of the Certum account holding the ordered SSL product; the ACME account will be created for it
- Read and confirm the terms of use of Certum certificates
- If necessary, answer any additional questions about the processing of ACME account data by Certbot. The result should be a confirmation that the account was registered
- Start the certificate request and choose the method of verifying control over the domains for which you want to issue a certificate, using the command:
certbot certonly --manual --key-type rsa --server https://acme.certum.pl/directory --preferred-challenges dns-01
where, by switching the parameters, you can choose:
- issuing the certificate only, without installing it on the server, using the certonly subcommand
- the key type, using the --key-type switch set to rsa or ecdsa
- manual domain verification, using the --manual switch (can be combined with --manual-auth-hook to automate the manual action). Automatic domain verification requires an add-on (Certbot plugin) configured on the domain's server
- the domain verification method (challenge type): dns-01 or http-01
- Provide the domains to be included in the certificate. If there is more than one domain, separate them with a space:
yourdomain.com www.yourdomain.com
- Choose automatic verification of control over the domains, or verify it manually according to the displayed instructions: place a TXT record in the domain's DNS (dns-01) or a file on the web server (http-01), then confirm readiness for verification in the console. Wait for the verification and the issuance of the certificate. By default, the certificate is issued for the validity allowed by the industry, which for SSL since 2026-03-13 is a maximum of 199 days
- Download the certificate and private key from the location indicated by Certbot. With the certonly option, install them on your server yourself and start using them. Automatic certificate installation is available with the --installer switch
- If you need to issue this certificate again, repeat the certificate request from step e. If the verification of control over the domain has expired, it may need to be performed again.
- If you want to issue this certificate with new domains, repeat the certificate request from step e. If you declared domains when enabling ACME for the product, only domains declared there can be added to the certificate. Added domains and expired domain verifications may need to be verified again.
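The values Certbot asks you to publish during manual verification (the http-01 file body and the dns-01 TXT record) are derived from the ACME account key and the challenge token as specified in RFC 8555. The Python below is an added example, not Certum's or Certbot's code: it reproduces that derivation for a constructed sample key, token and domain, and includes the pre-flight check worth running on the published TXT record before confirming readiness to Certbot.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout RFC 8555 / JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members only,
    lexicographically sorted, serialized without whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def challenge_values(jwk: dict, token: str, domain: str) -> dict:
    """What the client must publish for http-01 and dns-01 (RFC 8555 sections 8.1, 8.3, 8.4).
    Certbot exposes the same data to hooks as CERTBOT_TOKEN / CERTBOT_VALIDATION."""
    key_authz = f"{token}.{jwk_thumbprint(jwk)}"
    return {
        "key_authorization": key_authz,
        "http01_path": f"/.well-known/acme-challenge/{token}",
        "http01_body": key_authz,
        "dns01_name": f"_acme-challenge.{domain}",
        "dns01_txt": b64url(hashlib.sha256(key_authz.encode("ascii")).digest()),
    }

def txt_record_ready(observed_txts, expected_txt: str) -> bool:
    """Pre-flight check before confirming readiness in the Certbot console:
    the expected value must be among the TXT strings a resolver returns
    (surrounding quotes from dig-style output are stripped)."""
    return expected_txt in {t.strip().strip('"') for t in observed_txts}

# Constructed sample account key and token (placeholders, not real ACME data).
SAMPLE_JWK = {"kty": "RSA", "n": b64url(b"\x01" * 32), "e": "AQAB"}
SAMPLE_TOKEN = "constructed-token-0123456789abcdef"

if __name__ == "__main__":
    for k, v in challenge_values(SAMPLE_JWK, SAMPLE_TOKEN, "yourdomain.com").items():
        print(f"{k}: {v}")
```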
Note: By default, the certificate is issued for the validity allowed by the industry, which for SSL since 2026-03-13 is a maximum of 199 days, and it will also be no longer than the validity of the ordered product.
Note: When the certificate is nearing its expiration date, using the renew option issues a certificate for the next validity period, within the validity period of the ordered product.
- If the previously issued certificate already has a valid-to date equal to the product's validity date, the new certificate is issued with the same valid-to date as the previous one
- If the verification of control over the domain has expired, it may need to be performed again.
- To issue the next certificate within a new validity period of the product, you must order a new product, obtain new ACME credentials for it, and follow the process from step a.
Note: Certum limits the number of requests for each ACME operation to ensure the performance and stability of the system. For ACME account registrations and certificate requests, the limit is calculated per ACME product order; the remaining operations are limited per IP address.
Receiving an HTTP 429 status code in the ACME client response indicates that the limit has been exceeded. The response contains a Retry-After header with the number of seconds after which the request can be resubmitted.
Troubleshooting
If a certificate is not issued despite successful verification of control over the domain, check the blocks and high-risk detection performed by Certum.