What is ACME Protocol and How Does it Work?

Using X.509 digital certificates to authenticate is the most secure option for identity and role-based access management. Because certificates can’t be stolen or replicated, they provide assurance that you’re connected to the correct network and that the user and machine logging in are authorized to access the network. That’s why certificates are gaining popularity as an authentication method.

But for organizations that lack adequate infrastructure, certificate management often presents significant challenges. Organizations may struggle to deploy certificates because they have no central certificate inventory, haven’t automated certificate renewal, or lack visibility into the certificate life cycle. As a result, they may miss certificate expiration dates. 

An expired certificate can have major consequences, including:

• Security risks
• Outages leading to loss of productivity
• Potential security breaches
• Negative publicity
• Loss of customer trust
• Fines from regulatory bodies

Many organizations avoid these problems by using a certificate management automation solution based on the Automated Certificate Management Environment (ACME) protocol. In this article, we’ll answer the question “What is ACME?” We’ll describe how ACME works, and show how it enables better visibility and management of the certificate life cycle by eliminating manual management.

What Is ACME?

The ACME protocol enables systems to issue and renew certificates automatically, removing the need for human interaction in the process. You can implement the ACME protocol by installing an ACME certificate management agent for a web server. 

The ACME protocol allows you to eliminate almost all the manual work normally involved in managing digital certificates. As a result, you can avoid:

• Outages related to expired certificates
• Security risks incurred by unmonitored certificates
• Human error

History of the ACME Protocol

The ACME protocol was designed by the non-profit Internet Security Research Group (ISRG) for its open certificate authority (CA), Let’s Encrypt. This service issues 90-day domain-validated Secure Sockets Layer (SSL) certificates at no cost. 

Users can renew and replace these certificates automatically, without any involvement from website owners. Using the ACME protocol, website owners can run the CA of their choice as long as that CA supports the protocol. 

The ISRG published API version 1 of the ACME protocol in 2016. API version 2, published in 2018, added the ability to issue wildcard SSL/TLS certificates. The ACME protocol was published as an Internet standard (RFC 8555) in March 2019.

More recently, commercial support for the ACME protocol has increased. As a result, CAs, public key infrastructure (PKI) vendors, and browsers have started using ACME to support various types of certificates such as X.509.

How Does the ACME Protocol Work?

If you’ve ever installed an SSL/TLS certificate, you know it’s a tedious process that involves many manual steps. You must:

• Create a Certificate Signing Request (CSR). This means you’ll need to generate an ACME server-side request to copy and paste into a field for your CA.
• Run domain validation manually and wait for the certificate to get issued.
• Put the certificate on the server on which it will be installed.
• Install the certificate and check to confirm it is configured accurately.

This manual process requires considerable time and resources, and it’s prone to human error. The ACME protocol provides a far more streamlined approach. 

Automating Certificate Management With the ACME Protocol

ACME automates certificate management by installing an open-source agent and authorizing the agent to perform ACME certificate management activities at scheduled intervals. This automation makes the entire process more efficient and cost-effective. 

With ACME, you can organize and automate domain ownership verification, CSR generation, issuance, and installation of certificates. The ACME protocol allows you to provision SSL/TLS certificates for any server with an ACME agent installed, including non-Microsoft machines.

Domain Validation With ACME Server

The primary use of the ACME protocol is to generate domain-validated (DV) certificates. Because these certificates only need to validate that the domain exists, this process doesn’t require human interaction. When organizations implement the ACME protocol with additional support mechanisms, they can also generate high-value certificates such as extended validation (EV) and organization validation (OV).

ACME protocol sets up an HTTPS server to automate the issuance and life cycle management of trusted certificates and eliminate manual transactions. To use the protocol, you need an ACME client and an ACME server, which will communicate through a secure HTTPS connection using JSON messages.

Popular ACME Clients

In the relatively short time since the creation of the ACME protocol, several widely available clients have emerged that implement the protocol. As a result, you can easily plug certificate automation into various platforms and web servers. 

• For Linux and Unix-like systems, Certbot is a popular option. It supports Apache, NGINX, and many other stacks. 
• For Windows and IIS environments, win-acme and Certify The Web provide well-rounded ACME functionality and integrate into the Windows certificate store. 
• In containerized and cloud-native environments, you can use lightweight clients such as acme.sh and Lego to manage certificates at scale. You’ll also find built-in ACME support in reverse proxies such as Caddy and Traefik. 

If you’re designing an ACME deployment, look for a client that works well with your operating system and operational model. For some organizations, that means a minimalist client that simply obtains certificates, while other teams want a client that can automatically edit web server configurations. Keep in mind that because the ACME protocol is standardized in RFC 8555, you should be able to switch to another compatible client later as your needs change.

How To Set Up an ACME Client

To begin issuing, renewing, and revoking certificates automatically, you’ll first need to set up an ACME client (sometimes called an “agent”) on your web server:

1. Select a compatible agent and appoint the domain that you want it to manage.
2. Select a CA that the agent is compatible with.
3. The agent will communicate with the assigned CA to generate a pair of keys that will be used for the validation process.
4. To prove it has control over the domain it is managing, the agent will have to solve the DNS/HTTPS challenges the CA issues. The agent will either publish a web page that includes the token provided by the ACME server or publish a DNS record that includes the token.
5. To verify the endpoint’s access to the private key, CA will generate a random number called “nonce.” The agent will sign this number using the private key and send it back to the CA for verification. The CA will check if it has the correct hash to confirm that the agent is valid and has access to the private key.
6. Once the CA confirms the domain and private key ownership, the agent will be authorized to execute functions on the web server on behalf of the domain. For example, you can configure your agent to automatically check the CA at a defined interval to rotate certificates and keys. 

Once validation is complete, the client or agent will be established as the valid owner of the key pair that was created during the process. The key can now be used to digitally sign Certificate Signing Requests (CSRs) and send them to the CA through HTTPS requests. The CA can use the CSRs, in conjunction with its associated public key, to issue certificates and send them back to the client, after which the client can download and install the certificates and inform the assigned contacts.

You can install ACME clients on any server using X.509 certificates. From there, you can manage multiple domains on the same server or install on a domain-by-domain basis.

Using the ACME Protocol To Issue and Manage Certificates

Once you’ve set up and verified an ACME agent or client, you can automate your certificate operations. To issue a new certificate, the agent will generate a CSR for the domain that needs the certificate and send it to the CA via HTTPS. Here are the steps:

1. The agent generates a CSR for the domain.
2. The agent signs the public key generated with the CSR, using the corresponding private key.
3. The agent signs the whole CSR with its private key that was generated at the time of the initial configuration.
4. The CA issues the certificate to the domain after verifying both signatures.
5. The agent receives the certificate and installs it on the appropriate domain.

The process of renewal is similar to issuance. For renewal, you’ll have to configure the agent to ping the CA routine requests at pre-defined intervals. This allows it to rotate keys or switch to a new certificate as the admin prefers. The entire process is executed at the back end, eliminating the need for manual processing.

Revocation of Certificates With ACME Protocol

To revoke a certificate, the agent will need to sign a revocation request with its key so that the CA can verify the signature to confirm if it is a valid request. Once the CA revokes the certificate, it publishes the information to the relevant Certificate Revocation Lists (CRLs). Here’s the process:

1. The agent generates a revocation request for the SSL/TLS certificate.
2. The agent uses its private key to sign the revocation request.
3. The CA verifies the signature to confirm the validity of the request.
4. The CA revokes the requested certificate.
5. The certificate’s revocation status is published to the relevant CRLs.

An admin can initiate a revocation request. However, the revocation process after the request is placed is entirely automatic.

Key Aspects of ACME Certificates

If you use the ACME protocol, your certificates will adhere to the same standards as any other X.509 certificates. You’ll just avoid most of the work involved in issuing and managing them. ACME certificates (or “ACME certs”):

• Minimize the effects of cybercrime. In public web PKI deployments, you can configure DV TLS certificates for 90-day validity, which encourages rotation and reduces the impact of stolen keys. 
• Support wildcards. With ACME v2, you can secure many hostnames under a domain. 
• Conform to enterprise policies. ACME internal X.509 certificates for servers and devices can support internal security policies rather than just meeting browser requirements. As you use the automated challenge and issuance flows of the ACME protocol, you retain the freedom to configure key policies, SAN patterns, and lifetimes according to your standards. 
• Work well in busy, high-velocity environments. The ACME protocol standardizes the certificate revocation process, preventing human oversight from allowing extended access. ACME clients schedule renewals well in advance and help ensure continuous access for authorized devices and users while relieving administrators of a manual burden.

A Closer Look at the ACME Protocol Workflow

Here’s how an ACME workflow would look on the SecureW2 platform: 

1. As seen above, the device first obtains ACME payload (by MDM or manual .mobileconfig download).
2. MDM or unmanaged solutions decide to enroll the given device for client certificates.
3. MDM provides the device with a URL pointing to the SecureW2 PKI with a one-time token that identifies the given device along with the enrollment.
4. The device contacts SecureW2 ACME services.
5. Device request enrollment for “permanent-identifier” requests device attestation-based authentication.
6. The ACME service returns an attestation challenge to the device.
7. It also requests Secure-Enclave for private key storage and device attestation.
8. The device generates a key in Secure Enclave.
9. The device provides information to the Apple attestation server that allows for the creation of a key attestation.
   • Factors To Be verified in ACME Protocol
     • For MDM and BYOD:
       • Proof whether a private key is stored in Secure Enclave (for Apple devices)
       • Proof of the authenticity of devices trying to enroll from the Apple attestation server (for example, serial number and IP address)
       • Verify whether the device to issued certificate is not tampered with and the Secure Enclave is working properly.
     • For MDMs only:
       • Verify whether the respective MDMs manage the device.
       • Verify whether the enrollment attempt was initiated for the respective device. (Optional)
10. After receiving the proof and nonce, the ACME server contacts the policy engines of the given PKI server along with the Attestation Verification Server.
11. It verifies the serial number and attestation with the MDM again and confirms the enrollment attempt was valid before issuing the certificate.
12. The CA issues the certificate. 

What Is Apple’s Secure Enclave?

Apple’s Secure Enclave is a specialized security feature featured in iPhones, iPads, and Mac computers. It is intended to provide a high level of security for sensitive data while also ensuring secure device operations. It contains almost all the information related to a device’s serial number and provides cryptographic proof with the key that was given by Apple, which is exclusive and not extractable.

Secure Enclave is a small piece of dedicated hardware within your Apple iPhone that handles all security-related functions. It has its own CPU and memory, independent from the device’s primary processor. This separation is critical because it offers a safe and isolated environment in which sensitive data may be stored and processed without being easily accessible to other portions of the device or external threats.

One of Apple’s Secure Enclave’s basic functions is storing and managing encryption keys securely. Encryption keys function similarly to secret codes, scrambling and unscrambling data to ensure that only authorized individuals can access it. The Secure Enclave creates and stores these keys, ensuring their safety from unauthorized access.

What Is Device Attestation in Apple Devices?

Device Attestation in Apple devices is cryptographic proof of the validity of device attributes based on the Secure Enclave’s and Apple’s attestation servers’ security. These high-assurance IDs may be used to authenticate Wi-Fi, MDMs, VPNs, Kerberos, and other services.

Device attestation contains a cryptographically signed document or pseudo certificate that confirms a key was given to it by APPLE and has proof of that, such as a serial number and a newly generated key. The key that it is using for certificate enrollment is tied to the same Secure Enclave residing on the device.

ACME Protocol Use Cases

The ACME protocol provides a consistent, reliable automation layer on top of certificate management processes. Organizations are using ACME in the following scenarios: 

• Securing public websites. One of the main reasons HTTPS has caught on so quickly is that the ACME protocol supported it by automating the process of providing free DV certificates. Meanwhile, web and API providers are using ACME to manage certificates automatically across massive groups of servers, load balancers, and microservers. 
• Running private CAs. The ACME protocol helps organizations automate short-lived certificates for internal web apps, microservices, VPN gateways, and reverse proxies. Admins can use ACME to improve security, especially when it comes to revoking certificates in a timely manner. 
• Supporting cloud and Kubernetes ecosystems. One of the challenges of scaling applications horizontally or moving them between clusters is keeping their certificates valid. The ACME protocol gives network and security teams a hands-off way to obtain and rotate certificates for Ingress objects and service identities. 

Benefits of ACME Protocol

This protocol’s rapid increase in popularity is due to several benefits that make it a favorable choice. Here are some of the key benefits that the ACME protocol offers.

• Broader visibility of the entire certificate lifecycle. Because ACME clients are in constant contact with the CA to request, renew, or revoke certificates, they generate a detailed audit trail. You end up with a near real-time inventory of your active certificates, their associated domains, and their expiration dates. This centralized view reduces the risk of certificates ending up outside your standard processes.
• Standardization of certificates issuance and request. As we mentioned, the ACME protocol is defined by an open standard (RFC 8555) that ensures the same enrollment workflows will happen across different CAs and environments. Rather than relying on one-off custom integrations for each issuing system, you can treat ACME certificate management like an API-driven service. 
• A more efficient certification process. The hallmark of the ACME protocol is automation that reduces human touchpoints for each certificate. Fewer touchpoints means shorter lead times and fewer queue-based bottlenecks. With ACME, operations teams and developers no longer need to waste time on manual certificate requests and swaps. 
• Fewer configuration errors due to human interference. Misconfigured certificates have caused many high-profile network outages. ACME agents handle the most repetitive tasks within certificate management, dramatically reducing the chance that typos, missed steps, or forgotten restarts will bring down systems in production. Validate a configuration once, and the ACME protocol can apply it across thousands of endpoints.
• Quick CA and key migration for disaster management. Unexpected challenges may force you to change CAs, rotate signing keys, or respond to a compromise on short notice. With the ACME protocol, you can reissue certificates across your network without touching every server. Simply point your ACME clients at new endpoints or profiles, and they will retrieve fresh certificates.
• Cost savings. Manual certificate tracking, ticketing, and one-off installation work is expensive. ACME’s automated processes help you reduce the staff hours you must allot to routine certificate management tasks. You can also avoid license fees for many external TLS use cases by using public ACME CAs such as Let’s Encrypt.

Why Use ACME Protocol Instead of Other Approaches?

Of all the approaches to managing certificates, the ACME protocol offers a unique combination of openness, automation, and ecosystem support. Compare ACME to two other popular approaches:

• Manual workflows based on ticketing systems and ad-hoc scripts. This approach can work at small scale, but it tends to break down as an organization adds services, environments, and domains. By contrast, ACME-based workflows scale up seamlessly. 
• Proprietary enrollment APIs. These interfaces let you automate some certificate management processes, but they often lock you into a single CA or vendor-specific agent. By contrast, ACME gives you a standardized, CA-agnostic way to request, renew, and revoke certificates using well-defined HTTPS and JSON messages.​

For organizations that using DevOps and infrastructure as code, ACME aligns well with existing tooling. Teams can run ACME clients as part of configuration management, include it in container images, or integrate it into orchestration platforms to ensure certificate management follows the same automated, repeatable patterns as the rest of the infrastructure. 

ACME vs. SCEP

Simple Certificate Enrollment Protocol (SCEP) is an open-source certificate management protocol for automating certificate issuance. SCEP enables devices to enroll for certificates using a URL and a shared secret for communication with a PKI, thus automating the manual process of information exchange that admins normally have to perform. Mobile device management (MDM) software uses SCEP to push a payload containing the URL and shared secret for managed devices.

SCEP has been in use for much longer than ACME (it was originally developed by Verisign for Cisco as a lighter option to Certificate Management). It is similar to ACME in that it enables certificate enrollment and issuance. But ACME goes beyond SCEP’s capabilities by automating certificate management and handling revocation. 

Compared to older protocols such as SCEP, ACME was designed for modern web security and automation. ACME supports multiple challenge types, explicit error handling, and richer certificate profiles than SCEP. And because ACME now enjoys broad support across public CAs, browsers, web servers, and enterprise PKI platforms, you can use the same protocol for many different applications.

SecureW2 solutions enable you to use SCEP or ACME for Internet of Things (IoT) devices, BYOD, and managed devices. With the SecureW2 managed PKI, you can generate your own certificates and enroll all types of devices for certificates.

Running a Private CA and ACME Server

It’s possible to use the ACME protocol to automate the management of internal certificates as well as public web PKI. To do so: 

1. Run or subscribe to a CA that issues certificates anchored to an internal trust store.
2. Make an ACME-compatible endpoint available for enrollment. 
3. Let all your standard ACME clients request certificates from your private CA. 

The certificate requesting process will run just as it would with a public CA, but the certificates will only be trusted within your organization.

Of course, running your own ACME server will require planning around security, policy, and integration. You’ll need to decide which identities can request which types of certificates, how to satisfy challenges, and how to log issuance events for audit and compliance. By combining your internal ACME deployment with SecureW2 technology, you can create a powerful foundation for passwordless authentication. 

ACME Certificate Management and Authentication With SecureW2

When you automate certificate management with the ACME protocol, you can save time, reduce costs, and minimize human errors. Certificate issuance, renewal, and revocation become seamless, automated processes.

With SecureW2 solutions, you can go beyond just getting free ACME certificates and unleash the full benefits of the ACME protocol in the form of policy-driven, identity-aware automation. We back ACME with our cloud-hosted JoinNow Dynamic PKI and SecureW2 Cloud RADIUS, which are built for 802.1X, VPN, SSO, and workload auth.

Our solutions configure and auto-enroll managed devices for certificate-based authentication, with the ability to deploy certificates to any MDM via API Gateways. We also provide easy integration with MDM services such as Jamf, Intune, and Google Workspace. 

Find out how implementing ACME alongside SecureW2 solutions can give you the best possible ACME certificate management experience. Schedule your demo today.