Automation of SSL Certificates Management

In today’s world, security is a top priority for every business, so companies spend a lot of money securing their assets and data. A critical part of that is securing data exchange and communication with SSL/TLS certificates. Every organization runs internal and customer-facing infrastructure that uses hundreds of SSL certificates. These certificates are obtained from a trusted certification authority (CA) for 1-3 years and then renewed.

So what’s the problem here?

The problem is the cost of obtaining and managing these SSL certificates, including the time IT teams spend on them.

How can we solve or at least reduce this problem without compromising security? The answer is: “Automate certificate management and use free certificates for internal infrastructure.”

So here we will talk about a protocol called ACME (Automatic Certificate Management Environment), which solves our problem.

Let’s see how it is possible!

Introduction

  • ACME is an open protocol that enables the automatic issuance of SSL certificates with minimal client-side effort; it requires only domain validation.
  • Certificate authorities (CAs) use ACME to provide free certificates.
  • Website hosting providers that offer their customers free SSL certificates use this protocol to obtain them.
  • This automation streamlines the process of obtaining SSL/TLS certificates and the communication between the certification authority and the applicant.
  • ACME also significantly reduces the complexity of certificate issuance, renewal, and revocation, a valuable feature when managing certificates for multiple domains.
  • ACME is primarily used to obtain domain validated (DV) certificates.
  • DV certificates do not require advanced verification; only the existence of the domain and the applicant’s control of it are validated, which requires no human intervention.
  • DV certificates are the certificates most commonly used by non-financial and e-commerce websites.
  • ACME supports the issuance of wildcard certificates.

Quick Terms:

Certificate authority (CA)

  • A trusted public key infrastructure (PKI) certificate issuer.
  • The CA that provides the ACME-based certificates enables any ACME-compatible client software to interact with it and request new certificates.
  • Organizations can set up their own internal ACME CA for in-house use.

    Two central certificate authorities that offer free certificates via the ACME protocol are:
    1. Let’s Encrypt offers free 90-day certificates, including wildcard options, with unlimited renewals. Users can request higher limits if needed. The organization boasts a highly active and supportive community.
    2. ZeroSSL offers free 90-day certificates, including wildcard options, with unlimited renewals. However, its community support is less active, and its limits are hard-coded.

ACME server

  • ACME software running in the CA’s infrastructure to automatically issue and renew the certificates that customers request.

ACME client

  1. Software that communicates with an ACME-enabled Certificate Authority (CA), such as Let’s Encrypt or ZeroSSL.
  2. These clients come in two main types: standalone tools that end users run to manage certificates, and features integrated into other services, like web hosting platforms.

    Two major ACME clients that provide a rich set of features are:
    1. Certbot – The official ACME client endorsed by Let’s Encrypt. This Python-based command-line tool offers built-in support for Apache and Nginx web servers. Users can get support through Let’s Encrypt’s vibrant community forum.
    2. acme.sh – This client is written as a shell script, so you have complete visibility into and control of the client code. At a bare minimum, it supports issuing a new certificate and automatically renewing it with a cron job.
  3. You can choose between these ACME clients. Consider your specific needs, interests and technical expertise when deciding which is most convenient.

How ACME Works

There are four steps to generating a certificate, but three of them are seamless and performed by the ACME client, so technically you only have ONE step to perform.

  1. Account Creation:
    1. The first step is creating an email-based account with the certificate authority, which the client uses throughout the ACME tasks.
    2. Account creation is a one-time task performed by the ACME client.
    3. It involves generating an account key pair and sending an account creation request to the ACME server.
    4. The ACME server returns an account URL that the client uses for future interactions.
    5. This URL is unique to each customer.
    6. The account key is used only to authenticate the account holder and to sign request data.
  2. Certificate Request:
    1. The client generates a Certificate Signing Request (CSR) that contains information about the requested domain(s).
    2. This CSR is passed to the ACME server as part of a certificate order.
    3. The client performs this step and needs no action from the user side.
  3. Domain Validation: To prove ownership of the domain(s), the client must complete one or more challenges provided by the ACME server. The most common challenge types are:
    1. HTTP-01
      1. Process: This is the most common challenge type and is repeated at every renewal.
        1. The ACME server provides a token to the client.
        2. The client writes a file at .well-known/acme-challenge/<TOKEN> under your website root; the file contains the token together with a thumbprint of your account key.
        3. The ACME server starts the challenge after the client tells it that the file is ready.
        4. The ACME server (CA) verifies this by making an HTTP request to the URL http://<domain>/.well-known/acme-challenge/<TOKEN>.
      2. If it finds a match, it can proceed to issue a certificate.
      3. Pros:
        1. Easy to manage.
        2. This challenge works with CNAME records as well.
      4. Cons:
        1. For this to work, port 80 must be open on your server.
        2. The ACME server must be able to reach the URL.
        3. This challenge does not work for wildcard certificates.
    2. DNS-01:
      1. Process: DNS validation verifies certificate issuance requests using DNS records rather than content served over HTTP.
        1. The ACME server provides a token to the client.
        2. The client creates a TXT record at _acme-challenge.<YOUR_DOMAIN> in the domain’s DNS, with a value derived from this token and the account key.
        3. The client waits about 30 seconds to let the DNS record propagate.
        4. The ACME server starts the challenge after the client tells it that the DNS record is ready.
        5. The ACME server (CA) verifies this by querying the DNS TXT record.
        6. If it finds a match, it can proceed to issue a certificate.
      2. Pros:
        1. Certificates can be issued simultaneously to a cluster of web servers running behind a load balancer, or to a system that is not directly reachable from the internet.
        2. Wildcard certificates are also supported using DNS validation.
      3. Cons:
        1. Automation only works if your DNS provider offers an API you can use to automate record updates. This method is, however, widely supported by DNS providers such as AWS, Cloudflare, DigitalOcean, Google, Linode, and OVH.
        2. Keeping DNS API credentials on a web server is risky. You can reduce this risk by performing DNS validation from a separate server and copying the certificates to the actual web server.
  4. Certificate Issuance: Once domain validation is successful:
    1. Process:
      1. The ACME server issues the SSL/TLS certificate.
      2. The client downloads the certificate.
  5. Certificate Use: Clients provide multiple options:
    1. Manual
      1. The client downloads the certificate to a directory.
      2. From here it is the responsibility of the web server administrator to:
        1. Copy it to the web server folder.
        2. Configure the web server to use the certificate.
        3. Reload the web server.
    2. Automated: This works only for the web servers the client supports; for example, most standard clients support Nginx, Apache, and HAProxy.
      1. The client downloads the certificate to a directory.
      2. The client configures the supported web server with the certificate.
      3. The client reloads the web server.
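
Steps 1 (the account key) and 3 (the challenge responses) above come down to a small amount of hashing and encoding that the ACME client does for you. The following Python is an added example, not code from the original post and not Certbot’s or acme.sh’s code: it computes the RFC 7638 thumbprint of an account key, the HTTP-01 key authorization and the DNS-01 TXT value, and includes the match check the CA performs on its side. The account JWK and the token are constructed samples (the JWK is not a real key; thumbprint computation only needs the public members), and all function names are this example’s own.

```python
import base64
import hashlib
import json
from typing import Dict, Iterable, Tuple


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JWS and ACME use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# JWK members that go into the thumbprint, per RFC 7638 section 3.2.
# Optional members such as "alg", "use" or "kid" are deliberately excluded.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members serialized in
    lexicographic order with no whitespace, then base64url-encoded."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: <token>.<thumbprint of the account public key>.
    The thumbprint binds the challenge response to this particular ACME account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: Dict[str, str]) -> Tuple[str, str]:
    """Path (relative to the web root) and exact body the client must serve."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)


def dns01_txt_value(token: str, account_jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.4: the TXT value is the base64url SHA-256 digest of the
    key authorization, so the key authorization itself never appears in DNS."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record(domain: str, token: str, account_jwk: Dict[str, str]) -> Tuple[str, str]:
    """Record name and value the client must publish before asking the CA to validate."""
    return f"_acme-challenge.{domain}", dns01_txt_value(token, account_jwk)


# The comparison the CA makes. Running the same check yourself before notifying
# the CA avoids spending validation attempts on a stale file or DNS record.
def verify_http01(served_body: str, token: str, account_jwk: Dict[str, str]) -> bool:
    return served_body.strip() == key_authorization(token, account_jwk)


def verify_dns01(txt_values: Iterable[str], token: str, account_jwk: Dict[str, str]) -> bool:
    # A name may carry several _acme-challenge TXT records at once (for example a
    # wildcard and the base domain are validated separately), so any match passes.
    return dns01_txt_value(token, account_jwk) in set(txt_values)


# Constructed sample account key (NOT a real key; x and y are arbitrary base64url
# strings) and a constructed token. Extra members are included on purpose to show
# that they do not affect the thumbprint.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "constructedXcoordinateAAAAAAAAAAAAAAAAAAAAAAA",
    "y": "constructedYcoordinateBBBBBBBBBBBBBBBBBBBBBBB",
    "alg": "ES256", "use": "sig",
}
SAMPLE_TOKEN = "constructedChallengeToken-0123456789abcdef"

if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("HTTP-01: serve", path, "with body", body)
    name, value = dns01_record("example.com", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("DNS-01: publish TXT", name, "=", value)
```

Because the thumbprint depends only on the public key, the same account key yields the same thumbprint across every renewal; only the token changes, which is why a leaked account key lets someone else answer challenges on your behalf (see the account-key point under Security Considerations). You can check the thumbprint routine against the RSA example in RFC 7638 section 3.1.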

ACME Versions

  1. ACME v1 was simple but had limited scalability and features.
  2. ACME v2 was introduced in 2018.
  3. ACME v2 is standardized by the IETF as RFC 8555.
  4. ACME v2 provides improved scalability, support for wildcard certificates, and more robust challenge mechanisms.
  5. ACME v2 is now the standard used by most certificate authorities, including Let’s Encrypt and ZeroSSL.

Security Considerations in ACME

  1. Challenge Types: Each challenge type has security implications:
    1. HTTP-01 is straightforward but depends on secure control of the web server.
    2. DNS-01 is more secure but requires access to DNS management.
  2. Account Keys:
    1. The security of the account key is critical because it is used to sign all interactions with the certificate authority.
    2. If the account key is compromised, an attacker could potentially request or revoke certificates on behalf of the legitimate domain owner.
  3. Certificate Transparency (CT):
    1. Certificates issued through ACME are typically logged in public certificate transparency logs.
    2. This increases security by providing a public record of all issued certificates that can be monitored for signs of abuse.
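
The point of Certificate Transparency monitoring is to notice certificates for your domains that you did not request. As an added example (not code from the original post), the following Python applies that check to a constructed sample of CT entries: it flags any certificate whose names fall inside a DNS zone you own but that was issued by a CA you do not use. The entries, zone names and issuer strings are constructed samples; a real monitor would fill them from a CT log or a CT search service, and the function names are this example’s own.

```python
from typing import Dict, Iterable, List

# Constructed sample of the fields a CT monitor would extract from log entries
# (not real log data): an entry id, the issuing CA and the certificate's SANs.
SAMPLE_CT_ENTRIES: List[Dict] = [
    {"id": 1, "issuer": "Let's Encrypt", "names": ["example.com", "www.example.com"]},
    {"id": 2, "issuer": "Let's Encrypt", "names": ["*.example.com"]},
    {"id": 3, "issuer": "Example Unexpected CA", "names": ["login.example.com"]},
    {"id": 4, "issuer": "Example Unexpected CA", "names": ["example.net"]},
    {"id": 5, "issuer": "ZeroSSL", "names": ["*.corp.example.com", "example.com"]},
    {"id": 6, "issuer": "Let's Encrypt", "names": ["notexample.com"]},
]


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_in_zone(san: str, zone: str) -> bool:
    """True if a certificate name sits inside a DNS zone you own.
    'example.com', 'a.b.example.com' and '*.example.com' are all in zone
    'example.com'; 'notexample.com' is not, because matching is label by label,
    not by string suffix."""
    san_labels = _labels(san)
    if san_labels and san_labels[0] == "*":
        san_labels = san_labels[1:]  # a wildcard covers the zone beneath it
    zone_labels = _labels(zone)
    return (len(san_labels) >= len(zone_labels)
            and san_labels[-len(zone_labels):] == zone_labels)


def find_unexpected_issuance(entries: Iterable[Dict], owned_zones: Iterable[str],
                             expected_issuers: Iterable[str]) -> List[Dict]:
    """One alert per CT entry that covers a zone you own but was issued by a CA
    you do not use. Other people's domains and your own routine ACME renewals
    are ignored, which keeps the alert volume manageable."""
    zones = list(owned_zones)
    allowed = set(expected_issuers)
    alerts = []
    for entry in entries:
        covered = [n for n in entry["names"] if any(name_in_zone(n, z) for z in zones)]
        if covered and entry["issuer"] not in allowed:
            alerts.append({"id": entry["id"], "issuer": entry["issuer"], "names": covered})
    return alerts


def unexpected_entry_ids(entries: Iterable[Dict], owned_zones: Iterable[str],
                         expected_issuers: Iterable[str]) -> List[int]:
    return [a["id"] for a in find_unexpected_issuance(entries, owned_zones, expected_issuers)]


if __name__ == "__main__":
    for alert in find_unexpected_issuance(SAMPLE_CT_ENTRIES, ["example.com"],
                                          {"Let's Encrypt", "ZeroSSL"}):
        print(f"ALERT: CT entry {alert['id']} for {alert['names']} "
              f"issued by {alert['issuer']}")
```

With the sample data only entry 3 is reported: entry 4 is someone else’s domain, entry 5 comes from a CA on the expected list, and entry 6 merely ends in the same characters as the owned zone. Tightening the expected-issuer list is the usual tuning knob; an organization that issues everything through one ACME CA gets an alert for any other issuer.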

Is ACME the Future?

  1. Becoming Standard
    1. ACME has become a widely used standard by many certificate authorities beyond Let’s Encrypt, including Google Trust Services, Buypass, and others.
    2. By automating the certificate lifecycle, ACME helps enforce security best practices such as periodic certificate renewal, reducing the likelihood of using expired or compromised certificates.
    3. This automation is particularly beneficial in large environments with numerous domains.
  2. Enhanced Features:
    1. The ACME protocol is expected to continue to evolve with new features and enhancements that address new needs in the web security landscape.
    2. This could include better support for IoT devices, tighter integration with cloud platforms, and more flexible challenge methods.
  3. Wider Adoption:
    1. As more organizations recognize the importance of HTTPS and automated certificate management, ACME adoption is likely to increase, potentially expanding into new areas such as email security (through protocols such as MTA-STS) or code signing.
    2. Community Support:
      1. As ACME becomes more popular, developers have created various add-ons and optimizations to improve it.
      2. These extensions can do extraordinary things, like support new ways of verifying domain ownership or help ACME work more smoothly with different systems.
    3. It’s like customizing ACME to fit specific needs!

In summary, ACME is an essential tool for certificate administrators to manage SSL certificates automatically. It has revolutionized how SSL/TLS certificates are managed, making web security more accessible, automated, and widespread. Its evolution will likely continue to shape the future of cybersecurity. It helps reduce human effort, errors, and costs for the company.
