
Understanding Certificate Automation Protocols

April 4, 2022 | Anastasios Arampatzis

Certificate automation has become an essential process for modern businesses, especially if you consider the exponential growth of machine identities each enterprise requires for IoT devices, cloud workloads, APIs, containers, applications and more. This is where Automated Certificate Management Environment (ACME) comes in handy.

You can read all about the key points of how ACME works in this blog. Here, I am going to discuss why you need ACME. But first, a quick refresher.

What is the ACME protocol?

ACME is a protocol for automating certificate lifecycle management between Certificate Authorities (CAs) and the PKI-dependent systems a company runs: web servers, mail servers, load balancers and other machines. The protocol is an open IETF standard with no licensing cost, and mature free clients exist for most platforms, so IT teams can configure and run certificate automation with little effort. Because of these benefits, ACME is increasingly adopted by enterprises of all sizes.

The Internet Security Research Group (ISRG) originally designed the ACME protocol for its own Let’s Encrypt certificate service. Today the protocol is an IETF standard (RFC 8555). ACME v2 is the current version: Let’s Encrypt began serving it in March 2018, and the IETF published it as RFC 8555 in March 2019. The earlier, pre-standard ACME v1 was fully disabled by Let’s Encrypt on June 1st, 2021, and on September 15, 2021 the DNS records for acme-v01.api.letsencrypt.org were removed.

The ACME protocol automates the exchange needed for the CA to verify that the requester controls the identifiers (domain names) named in the request and to issue the certificate, and for the client to download and deploy what was issued. It also covers other lifecycle operations such as renewal (simply a new order) and revocation. Messages are JSON documents carried over HTTPS, and every client request is signed with the client’s ACME account key as a JWS (JSON Web Signature) object that also carries a server-issued nonce and the request URL, so the CA can bind each request to a registered account and reject replays.
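The account-key binding described above is the part of ACME that is easiest to get wrong and easiest to exercise offline, so here is an added example (not code from the original post, Let’s Encrypt or any ACME client) that implements it with the Python standard library: the RFC 7638 thumbprint of the account’s public key, the http-01 and dns-01 challenge responses derived from it, the JWS protected header every request carries, and the check a CA performs on a fetched http-01 response. The sample JWK values, the challenge token and the server URLs are constructed for illustration and are not a real account or CA; signing of the JWS itself is left out because it needs a private key and a crypto library.

```python
"""ACME (RFC 8555) account-key binding, exercised offline.
Standard library only. SAMPLE_ACCOUNT_JWK, SAMPLE_TOKEN and the
acme.example.test URLs are constructed placeholders, not real values."""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JWS and ACME use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638 section 3.2: only the required public members, per key type,
# enter the thumbprint. Optional members ("alg", "use", "kid") do not.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members, lexicographic order, no whitespace,
    SHA-256, base64url. Extra members and member order do not matter."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key).
    Tying the token to the account key stops someone who merely learns
    the token from completing the challenge under their own account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> tuple:
    """Path and body to serve over plain HTTP on port 80 (section 8.3)."""
    return (f"/.well-known/acme-challenge/{token}",
            key_authorization(token, account_jwk))


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value for _acme-challenge.<domain> (section 8.4):
    base64url(SHA-256(key authorization))."""
    key_auth = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(key_auth).digest())


def protected_header(alg: str, url: str, nonce: str, *,
                     jwk: Optional[dict] = None,
                     kid: Optional[str] = None) -> dict:
    """JWS protected header of an ACME request (section 6.2). newAccount
    carries the full "jwk"; every later request carries the account URL
    as "kid". Exactly one of the two is allowed. "nonce" (from newNonce)
    and "url" pin the request to one endpoint and defeat replay."""
    if (jwk is None) == (kid is None):
        raise ValueError("protected header needs exactly one of jwk or kid")
    header = {"alg": alg, "nonce": nonce, "url": url}
    if jwk is not None:
        header["jwk"] = jwk
    else:
        header["kid"] = kid
    return header


def validate_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """The CA-side check after fetching the challenge URL: the body must be
    the key authorization for this token AND this account's key. A CA that
    only looked for the token would accept a file planted by the holder of
    a different ACME account. Constant-time compare, trailing whitespace
    tolerated as the RFC allows."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(served_body.strip().encode("ascii", "replace"),
                               expected)


# Constructed sample account public key (P-256 shape) and challenge token.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("serve", path, "->", body)
    print("TXT _acme-challenge:", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
    print(json.dumps(protected_header(
        "ES256", "https://acme.example.test/acme/new-acct", "nonce-from-newNonce",
        jwk=SAMPLE_ACCOUNT_JWK), indent=1))
    print("CA accepts served body:", validate_http01(body, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

The same thumbprint logic is what a client uses to answer a challenge and what the CA uses to verify it; the check in validate_http01 is the reason an attacker who can write to /.well-known/acme-challenge/ on your host still cannot get a certificate issued to their own account without also controlling your account key.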

Why use the ACME protocol?

While X.509 certificates are the standard and strongest way to authenticate machines and encrypt machine-to-machine communications, many organizations still deploy and manage them by hand. That is risky: tracking certificates in spreadsheets or home-grown scripts does not scale, and more often than not these organizations suffer unexpected outages caused by expired or misconfigured machine identities.

Whether an enterprise deploys a single TLS/SSL certificate for one web server or manages millions of certificates across distributed and connected devices, manually issuing, configuring and deploying a certificate can take several hours per certificate. Manual management also means certificates get forgotten and visibility and ownership blur, which ends in sudden outages of critical business systems and, when users are trained to click through certificate warnings, exposure to data breaches and man-in-the-middle (MITM) attacks.

Despite the move to modern, agile computing environments, many businesses continue to deploy and manage certificates with techniques that cannot keep up with the demands of today’s fast-paced environments. The ACME specification itself (RFC 8555) names this problem:

“Existing Web PKI certification authorities tend to use a set of ad hoc protocols for certificate issuance and identity verification. These ad hoc procedures are accomplished by getting the human user to follow interactive natural-language instructions from the CA rather than by machine-implemented published protocols. In many cases, the instructions are difficult to follow and cause significant frustration and confusion.”

With so many pitfalls inherent in managing certificates manually, enterprises need to embrace automation. Standards like ACME ensure certificates are requested, validated, installed and renewed correctly without human intervention. Automation not only reduces certificate management risk but also lets IT departments control operational costs.

Why go with ACME instead of other certificate automation protocols?

ACME is not the only certificate automation protocol. Other standards include Enrollment over Secure Transport (EST, RFC 7030) and the Simple Certificate Enrollment Protocol (SCEP, RFC 8894), as well as vendor mechanisms tied to an enterprise architecture such as Microsoft Active Directory Certificate Services (AD CS) auto-enrollment. Why is ACME more popular among enterprises than the alternatives?

Security teams rely on ACME more and more to help them address their scale and complexity challenges as it offers:

  • An open standard with well-defined, machine-readable error reporting (RFC 7807 problem documents), making it easy to adopt for both the enterprise and the CA
  • Built-in domain validation challenges (http-01, dns-01, tls-alpn-01) that implement current best practice for proving control of a name, so IT teams get valid certificates and CAs keep strict, automated authentication procedures
  • Ongoing support by an open community and the IETF, not controlled by a single vendor or organization
  • CA agility: because clients speak one standard protocol, switching to a different or backup CA is a matter of pointing the client at another directory URL
  • Low cost: the protocol is free, and many CAs issue ACME certificates at no charge

How can Venafi help?

Venafi Trust Platform can operate as an ACME server that supports automated certificate enrollment and installation, with the added benefit of global visibility and machine identity intelligence. Developers can also use cert-manager with ACME in container environments. Jetstack, a Venafi company, created cert-manager, which has become the leading open-source tool for automating the issuance and management of TLS certificates in Kubernetes and OpenShift. When you create an ACME Issuer, cert-manager generates an ACME account private key (stored in the Kubernetes Secret named by the Issuer’s privateKeySecretRef) and uses it to sign every request to the ACME server; that key identifies your account to the CA and should be protected like any other credential. If you want to learn more, contact our experts.

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
