How to activate a Certum SSL certificate using ACME?
ACME is a protocol for automating the issuance of SSL certificates. It minimizes human involvement in the process: the required operations are performed by software installed on the server, which contacts the CA via API and carries out the steps required to issue the certificate.
Supported certificate types
Using ACME, it is possible to issue Certum Commercial SSL certificates in the following variants:
- for a single domain or IP address
- multidomain
- wildcard.
The supported methods of verifying control over the domains are:
- dns-01 – for single domain, multidomain and wildcard certificates. Verification by placing a code provided by Certum in a TXT record in the domain’s DNS. Example:
_acme-challenge.yourdomain.com 300 IN TXT "XXXXXXXX"
- http-01 – for single domain, multidomain and IP address certificates. Verification by placing a file with the name and content provided by Certum in a location on the web server. Example:
http://yourdomain.com/.well-known/acme-challenge/YYYYYYYY
with the following content:
YYYYYYYY.XXXXXXXX
Enabling ACME activation for the product
- Log in to the Customer account in the Certum system, or log in directly to the Data security products panel: https://certmanager.certum.pl
- For a certificate that has been ordered but not yet activated, go to its certificate details, choose the option to activate in ACME and accept it
- If you use a partner account, order a new certificate and choose the activation type: ACME activation. The option is available when it is enabled on the API account
- Provide the list of domains for which you declare the certificate will be issued (only these domains may be included in the certification request made by the ACME client)
- For Trusted SSL and Premium EV SSL, provide subscriber, organization and authorization data and wait for its positive verification. The documents required to complete this step are described here: https://support.certum.eu/en/the-verification-process-and-the-documents-required-after-purchasing-a-certum-ssl-certificate/
- As a result, you will receive the credentials kid and hmac (EAB), which are required to request a certificate in ACME:
  - kid (Key ID): ACME account identifier to access specific account in the request
  - hmac: cryptographic key used to sign requests.
The returned data is ready for use in the ACME client. See the example instructions for activating the certificate using Certbot.