ACME

1. Introduction

MTG Certificate Lifecycle Manager Server includes an implementation of the ACME protocol according to RFC 8555 [RFC8555].

2. Usage

ACME can be used by any client that is compliant with the RFC 8555 [RFC8555] protocol. To use the ACME service, an ACME client needs the URL of the ACME directory endpoint, from which it obtains all other ACME endpoints specified by the RFC. The directory URL has the following pattern:

https://[ACME_URL_PREFIX]/[API_VERSION]/directory

ACME_URL_PREFIX

This part specifies the location of the application. It consists of the domain on which the ACME server is hosted and a URL prefix that locates the root of the server application below that domain. For example, the URL prefix could be "example.com/acme".

API_VERSION

The API version of the ACME endpoint that the client addresses. Since currently only the latest version, 2, is supported, the value of API_VERSION has to be "v2".
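The following script is an added example and not part of MTG Certificate Lifecycle Manager Server or of any ACME client. It builds the directory URL from ACME_URL_PREFIX and API_VERSION as described above and then checks the directory document a server returns against the endpoint names RFC 8555 requires (newNonce, newAccount, newOrder, revokeCert, keyChange), refusing endpoints that are not served over HTTPS or that point to a host other than the directory's own. The directory document and all endpoint paths in it are constructed sample values; the prefix "example.com/acme" is the hypothetical value used in the text.

```python
"""Added example (not MTG CLM's or certbot's code): build the ACME directory URL
and sanity-check an RFC 8555 directory document before following its links.
All sample values in this file are constructed for illustration."""
import json
import urllib.request
from urllib.parse import urlparse

# Endpoints that RFC 8555 section 7.1.1 requires a directory to advertise.
REQUIRED_ENDPOINTS = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")
# Optional endpoint a server may advertise in addition.
OPTIONAL_ENDPOINTS = ("newAuthz",)
# Only API version 2 is supported by the server described in the text.
SUPPORTED_VERSIONS = ("v2",)


def directory_url(acme_url_prefix: str, api_version: str = "v2") -> str:
    """Return https://[ACME_URL_PREFIX]/[API_VERSION]/directory.

    acme_url_prefix is the host plus path prefix, e.g. "example.com/acme"
    (hypothetical value taken from the text), given without a scheme."""
    if api_version not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported API version {api_version!r}; use one of {SUPPORTED_VERSIONS}")
    prefix = acme_url_prefix.strip("/")
    if not prefix or "://" in prefix:
        raise ValueError("ACME_URL_PREFIX must be host[/path] without a scheme")
    return f"https://{prefix}/{api_version}/directory"


def check_directory(document: str, dir_url: str) -> dict:
    """Parse a directory document and verify it is complete and safe to follow.

    Returns a dict with the endpoint URLs plus the "externalAccountRequired"
    and "termsOfService" meta values. Raises ValueError if a required endpoint
    is missing, an endpoint is not https, or an endpoint points to a different
    host than the directory itself (a sign of misconfiguration or tampering)."""
    data = json.loads(document)
    if not isinstance(data, dict):
        raise ValueError("directory must be a JSON object")
    missing = [name for name in REQUIRED_ENDPOINTS if name not in data]
    if missing:
        raise ValueError(f"directory lacks required endpoints: {missing}")
    expected_host = urlparse(dir_url).netloc
    result = {}
    for name in REQUIRED_ENDPOINTS + OPTIONAL_ENDPOINTS:
        url = data.get(name)
        if url is None:
            continue  # optional endpoint not advertised
        parsed = urlparse(url)
        if parsed.scheme != "https":
            raise ValueError(f"{name} is not served over https: {url}")
        if parsed.netloc != expected_host:
            raise ValueError(f"{name} points to foreign host {parsed.netloc!r}")
        result[name] = url
    meta = data.get("meta", {})
    result["externalAccountRequired"] = bool(meta.get("externalAccountRequired", False))
    result["termsOfService"] = meta.get("termsOfService")
    return result


def fetch_directory(dir_url: str, timeout: float = 10.0) -> str:
    """Fetch a live directory document (not used by the offline demo below)."""
    with urllib.request.urlopen(dir_url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample directory; the endpoint paths are invented for this demo.
SAMPLE_DIRECTORY = json.dumps({
    "newNonce": "https://example.com/acme/v2/new-nonce",
    "newAccount": "https://example.com/acme/v2/new-account",
    "newOrder": "https://example.com/acme/v2/new-order",
    "revokeCert": "https://example.com/acme/v2/revoke-cert",
    "keyChange": "https://example.com/acme/v2/key-change",
    "meta": {
        "termsOfService": "https://example.com/acme/terms",
        "externalAccountRequired": False,
    },
})


def main() -> None:
    url = directory_url("example.com/acme")
    info = check_directory(SAMPLE_DIRECTORY, url)
    print("directory:", url)
    for name in REQUIRED_ENDPOINTS + OPTIONAL_ENDPOINTS:
        if name in info:
            print(f"  {name:11s} {info[name]}")
    print("external account binding required:", info["externalAccountRequired"])


if __name__ == "__main__":
    main()
```

For a live check, replace SAMPLE_DIRECTORY with fetch_directory(url); the same-host and https checks then tell you whether the directory a client is about to trust actually belongs to the server you configured.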

Listing 1 shows a certificate request using the Certbot [certbot] ACME client. The first command creates an ACME account, which authenticates all subsequent communication with the ACME server; the second command performs the actual certificate request for the example domain mydomain.example.com.

Listing 1. Request certificate via certbot
certbot --server https://example.com/acme/v2/directory register \
        --no-eff-email -m test@example.com --agree-tos

certbot --server https://example.com/acme/v2/directory certonly \
        -d mydomain.example.com --standalone

References

  • [RFC8555] R. Barnes, J. Hoffman-Andrews, D. McCarney & J. Kasten. Automatic Certificate Management Environment (ACME). RFC 8555.

  • [certbot] Certbot ACME client, Electronic Frontier Foundation.