How to activate Certum SSL certificate using ACME?

ACME is a protocol that automates the issuance of SSL certificates. It minimizes human involvement: the required operations are performed by software installed on the server, which contacts the CA through its API and carries out the steps needed to issue the certificate.

Supported certificate types

Using ACME it is possible to issue Commercial SSL certificates in Certum in the following variants:

  • for a single domain or IP address
  • multi-domain
  • wildcard.

The supported methods of verifying control over the domains are:

  • dns-01 – for single domain, multi-domain and wildcard certificates. Verification by placing a TXT record in the domain’s DNS. Example:

    _acme-challenge.yourdomain.com 300 IN TXT "hyKlXXXXXX"

  • http-01 – for single domain, multi-domain and IP address certificates. Verification by placing a file at a fixed location on the web server. Example:

    http://yourdomain.com/.well-known/acme-challenge/9w57XXXXXX

    with the following content:

    9w57XXXXXX._whfUXXXXXX
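The values in the two examples above are not arbitrary: RFC 8555 derives both from the challenge token issued by the CA and from the ACME account key. The Python script below is an added example, not Certum's or Certbot's code. It recomputes the http-01 body and the dns-01 TXT value from a constructed sample JWK, token and domain, so an operator can check what a client such as Certbot should be publishing before confirming readiness for verification. Every key, token and domain value in it is a constructed placeholder.

```python
"""Derive the http-01 and dns-01 challenge values an ACME client publishes.

Added example (not Certum's or Certbot's code). It follows RFC 8555 sections
8.1, 8.3 and 8.4 and RFC 7638 (JWK thumbprint). All inputs are constructed.
"""
import hashlib
import base64
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires (RFC 8555 section 8.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised with lexicographically sorted names and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {name: jwk[name] for name in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: the body served for http-01 (RFC 8555 section 8.3)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_resource(domain: str, token: str, jwk: dict) -> tuple:
    """Return (URL the CA fetches, exact body it must receive) for http-01."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """Return (record name, TXT value) for dns-01: the TXT value is
    base64url(SHA-256(key authorization)) (RFC 8555 section 8.4)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


if __name__ == "__main__":
    # Constructed sample values; a real client uses its own account key and
    # the token returned by the CA in the challenge object.
    sample_jwk = {"kty": "RSA", "n": "sample-modulus-placeholder", "e": "AQAB"}
    sample_token = "9w57XXXXXX"
    print("http-01:", *http01_resource("yourdomain.com", sample_token, sample_jwk))
    print("dns-01: ", *dns01_record("yourdomain.com", sample_token, sample_jwk))
```

Note that the thumbprint deliberately ignores members such as kid or alg, so two serialisations of the same public key always give the same challenge values; a mismatch between what the client printed and what is published is therefore a copy error or a stale record, not a key problem.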

Prerequisites

Certum supports ACME version v2.

Many ACME clients are available. The sample instructions below use Certbot as an example and are for illustration only; for a step-by-step server-side deployment based on Certbot or any other ACME client, use the dedicated instructions and support materials published by that client's maintainers. Certbot documentation is available at https://eff-certbot.readthedocs.io/en/stable/using.html.

To issue an SSL certificate you need an account in the Certum store with a purchased Commercial SSL product that has not yet been activated, i.e. no data has been entered in any activation step.

Certbot software installation

Start the activation of the certificate in ACME

You can start the activation process of your certificate from My account, in the Data security products tab. The process consists of several steps:

Enabling ACME activation for the product

  • Log in to the Customer account in the Certum system, go to the purchased certificate in the Data security products tab and open its details
  • From the certificate details, choose the activation option in ACME. Read the information provided and confirm your willingness to activate the certificate in ACME
  • As a result, you will receive the credentials needed to activate the certificate in ACME:
    • kid (Key ID): ACME account identifier used to address the specific account in the request
    • hmac: cryptographic key used to sign requests.
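What the client does with kid and hmac is defined by RFC 8555 section 7.3.4, External Account Binding (EAB): the client builds a JWS whose payload is its own new account public key, signs it with HMAC-SHA256 using the supplied key, and sends it inside the newAccount request, so the CA can bind the ACME account to the pre-provisioned identifier named by kid. The Python below is an added example, not Certum's or Certbot's code; it builds that binding object and performs the checks a CA applies to it. The account URL, kid and HMAC key in it are constructed placeholders, and the key is assumed to be base64url-encoded as RFC 8555 recommends.

```python
"""Build and verify an ACME External Account Binding (RFC 8555 section 7.3.4).

Added example (not Certum's or Certbot's code). The newAccount URL, kid and
HMAC key used here are constructed placeholders.
"""
import hashlib
import hmac
import base64
import json


def b64url(data: bytes) -> str:
    """Base64url without padding (RFC 8555 uses this everywhere)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding urlsafe_b64decode expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(kid: str, hmac_key_b64: str, new_account_url: str, account_jwk: dict) -> dict:
    """Client side: JWS with alg HS256, kid from the CA, url = newAccount URL,
    payload = the client's account public key (JWK), MAC over header.payload."""
    protected = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode("utf-8"))
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode("utf-8"))
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def eab_header(eab: dict) -> dict:
    """Decode the protected header of a binding object (for inspection)."""
    return json.loads(b64url_decode(eab["protected"]))


def verify_eab(eab: dict, hmac_key_b64: str, expected_kid: str,
               expected_url: str, account_jwk: dict) -> bool:
    """Server side checks from RFC 8555 section 7.3.4: alg is HS256, kid and
    url match, payload equals the outer request's JWK, and the MAC verifies.
    Any malformed field is treated as a failed binding, not an exception."""
    try:
        protected = eab_header(eab)
        payload = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError):
        return False
    if protected.get("alg") != "HS256":
        return False
    if protected.get("kid") != expected_kid or protected.get("url") != expected_url:
        return False
    if payload != account_jwk:
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    # Constant-time comparison so MAC checking does not leak timing information.
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Constructed placeholders; real values come from the certificate details.
    kid = "kid-PLACEHOLDER"
    key = b64url(b"sample-hmac-key-PLACEHOLDER")
    url = "https://acme.example/acme/new-account"
    jwk = {"kty": "EC", "crv": "P-256", "x": "sample-x", "y": "sample-y"}
    binding = build_eab(kid, key, url, jwk)
    print(json.dumps(binding, indent=2))
    print("valid:", verify_eab(binding, key, kid, url, jwk))
```

Two practical consequences follow from the checks above: the hmac value is a shared secret and should be handled like a password (a leaked key lets anyone bind a fresh ACME account to your purchased product until the CA invalidates it), and the binding only works against the newAccount URL of the directory it was issued for, so a kid/hmac pair from Certum cannot be reused with another CA's endpoint.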

 

Certificate activation using Certbot

  • Start the registration of your ACME account in Certum using the command below. Fill in the kid and hmac values according to the data received in the Certum certificate details:

    certbot.exe register --server https://acme.certum.pl/directory/ --eab-kid z2r7_WC57nZWHvCbyjRV94y836hq19CWPLdU7naHaXXXXXXXXXXXXXXXXXX --eab-hmac-key ZjExMWNiNzQ1ZGI0NjE0MWU3ZjYwNDZjMzhhOGRiYjhmNjFlMjBjOGXXXXXXXXXXXXXXX

  • Provide the e-mail address of the Certum account with the purchased SSL product, for which the account will be created in ACME
  • Read and confirm the terms of use of Certum certificates
  • If necessary, answer additional questions regarding the processing of ACME account data by Certbot. The result should be confirmation of the account creation
  • Start the certificate request and choose the method of verifying that you have control over the domains for which you want to issue a certificate using the command:

    certbot.exe certonly --manual --key-type rsa --server https://acme.certum.pl/directory/ --preferred-challenges dns-01

    where, by changing the parameters, you can choose:

    • issuing the certificate only, without installing it on the server, using the certonly subcommand
    • the key type using the --key-type switch, set to rsa or ecdsa
    • manual domain verification using the --manual switch. Automatic domain verification requires an add-on (plugin) configured on the domain server
    • the domain verification method (challenge type) using the --preferred-challenges switch: dns-01 or http-01
  • Provide the domains to be included in the certificate. Certbot does not support entering IP addresses. In the case of more than one domain, separate them with a space:


yourdomain.com www.yourdomain.com

  • Choose the option of automatic verification of control over domains or manually verify possession of the control over the domains, according to the instructions displayed. Place a record in the domain DNS or a file on the server and confirm readiness for verification in the console. Wait for the verification and issuance of the certificate
  • Download the certificate and private key from the location indicated by Certbot. If you used the certonly option, install them on your server and start using them.

Troubleshooting

If the certificate is not issued even though control over the domain was verified successfully, check whether the order was stopped by Certum's blocking rules or high-risk detection.
