ACME Server Overview
An ACMEv2 server in Next-Gen Trust Security provides a way for ACME-compatible clients to request certificates by using the ACME protocol. The ACMEv2 server defines how certificate requests are authenticated, evaluated, and issued based on configured issuing templates.
This topic explains how ACMEv2 servers work, including client interaction, certificate lifecycle behavior, and how certificate requests are processed in Next-Gen Trust Security.
How Certificate Requests Work with ACMEv2 Servers
This section explains how certificate requests are evaluated and issued when you use an ACMEv2 server.
ACME Client Interaction Model
Next-Gen Trust Security uses ACME with External Account Binding (EAB) for client authentication.
ACME clients that are compatible with EAB, such as Lego or cert-manager, can connect to an ACMEv2 server and submit certificate signing requests (CSRs).
Certificate issuance does not require domain ownership validation. ACME challenge types such as HTTP-01, DNS-01, and TLS-ALPN-01 are not used. Certificates are issued based on the configured issuing template.
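The External Account Binding step that the client interaction model relies on is the mechanism from RFC 8555 section 7.3.4: the client HMAC-signs its own ACME account key with a key id and MAC key the CA handed out beforehand, and the server checks that binding before it creates the account. The following Python is an added example written for this page, not code from Next-Gen Trust Security or from any ACME client; the newAccount URL, the EAB key id, the HMAC key and the account JWK are all constructed placeholders, and the outer JWS that the client signs with its account key is not shown.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values. A real CA issues the EAB key id and HMAC key out of band,
# and the ACME client generates the account key itself.
NEW_ACCOUNT_URL = "https://acme.example.test/acme/new-account"   # placeholder URL
EAB_KID = "demo-eab-kid-0001"                                     # constructed key id
EAB_HMAC_KEY = b"constructed-demo-hmac-key-not-a-secret!"         # constructed MAC key (raw bytes)
# Constructed P-256 account JWK; the coordinates are placeholders, no EC arithmetic is done here.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, keys in lexicographic order."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def make_eab_jws(account_jwk: dict, kid: str, hmac_key: bytes, new_account_url: str) -> dict:
    """Client side: HMAC-sign the account JWK with the CA-issued key.
    The protected header carries the EAB key id and the newAccount URL, and no nonce."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode("utf-8"))
    mac = hmac.new(hmac_key, f"{protected}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def new_account_request(account_jwk: dict, kid: str, hmac_key: bytes, new_account_url: str, contact) -> dict:
    """Body of the newAccount request; the enclosing JWS signed with the account key is omitted."""
    return {
        "contact": list(contact),
        "termsOfServiceAgreed": True,
        "externalAccountBinding": make_eab_jws(account_jwk, kid, hmac_key, new_account_url),
    }


def lookup_eab_key(kid: str):
    """Server side: MAC key for a key id, or None when the id is unknown or has been revoked."""
    return {EAB_KID: EAB_HMAC_KEY}.get(kid)


def verify_eab_jws(eab: dict, outer_account_jwk: dict, expected_url: str) -> bool:
    """Server side: the checks a CA makes before binding the new ACME account to the external account."""
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError, TypeError):
        return False
    if not isinstance(protected, dict) or not isinstance(bound_jwk, dict):
        return False
    if protected.get("alg") != "HS256" or "nonce" in protected:
        return False          # only a MAC algorithm is acceptable, and an EAB JWS carries no nonce
    if protected.get("url") != expected_url:
        return False          # must match the URL of the enclosing newAccount request
    key = lookup_eab_key(protected.get("kid"))
    if key is None:
        return False          # unknown or revoked EAB credential
    expected = hmac.new(key, f"{eab['protected']}.{eab['payload']}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False          # wrong MAC key, or the binding was altered in transit
    try:                      # the bound key must be the key that signs the outer newAccount JWS
        return jwk_thumbprint(bound_jwk) == jwk_thumbprint(outer_account_jwk)
    except (KeyError, TypeError):
        return False


if __name__ == "__main__":
    request = new_account_request(ACCOUNT_JWK, EAB_KID, EAB_HMAC_KEY, NEW_ACCOUNT_URL, ["mailto:pki-ops@example.test"])
    print(json.dumps(request, indent=2))
    print("binding valid:", verify_eab_jws(request["externalAccountBinding"], ACCOUNT_JWK, NEW_ACCOUNT_URL))
```

The server-side function is the part worth reading for operators: because the MAC key is the only thing that proves the client is who the CA enrolled, leaked or shared EAB credentials let anyone bind a fresh account key to that external identity, so key ids should be per client and revocable in the lookup step.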
Certificate Lifecycle Behavior
Certificates issued by an ACMEv2 server are renewed by submitting a new certificate order and CSR. The ACME renewal workflow is not used.
Key Type Requirements
The issuing template controls which key types are allowed for certificate requests.
If your ACME client is configured to use Elliptic Curve (EC) keys, the issuing template must allow EC key types. Certificate requests must use a key type that is permitted by the issuing template.
Certificate Validity Handling
Issuing templates define the allowed certificate validity range.
- If a request specifies a validity period outside the allowed range, the request is rejected.
- If a request does not specify a validity period, the issuing template default validity settings apply.
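The key type and validity rules above can be read as one evaluation step that every ACME order goes through before issuance. The Python below is an added model of that step, written for this page rather than taken from Next-Gen Trust Security; the template and request structures, the field names and the two constructed templates are assumptions, and the key algorithm and parameter are assumed to have already been read out of the CSR's public key.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple, Union

# A key type is ("RSA", modulus bits) or ("EC", curve name); constructed representation.
KeyType = Tuple[str, Union[int, str]]


@dataclass(frozen=True)
class IssuingTemplate:
    name: str
    allowed_key_types: FrozenSet[KeyType]
    min_validity_days: int
    max_validity_days: int
    default_validity_days: int


@dataclass(frozen=True)
class CertificateRequest:
    """The two facts the evaluator needs from an ACME order and its CSR."""
    key_algorithm: str                              # "RSA" or "EC", from the CSR public key
    key_param: Union[int, str]                      # modulus bits for RSA, curve name for EC
    requested_validity_days: Optional[int] = None   # None: the client asked for no particular validity


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    validity_days: Optional[int] = None             # the validity that will be issued, when accepted


def evaluate_request(template: IssuingTemplate, req: CertificateRequest) -> Decision:
    """Apply the template's key-type and validity rules to one request."""
    key_type = (req.key_algorithm, req.key_param)
    if key_type not in template.allowed_key_types:
        return Decision(False, f"key type {req.key_algorithm}/{req.key_param} is not permitted by template '{template.name}'")
    if req.requested_validity_days is None:
        # No validity requested: the template default applies.
        return Decision(True, "accepted with template default validity", template.default_validity_days)
    lo, hi = template.min_validity_days, template.max_validity_days
    if not lo <= req.requested_validity_days <= hi:
        # Requested validity outside the template range: the order is rejected, not clamped.
        return Decision(False, f"requested validity {req.requested_validity_days}d is outside the allowed {lo}-{hi}d range")
    return Decision(True, "accepted with requested validity", req.requested_validity_days)


# Constructed templates: one that permits only RSA keys, one that also permits EC keys.
RSA_ONLY = IssuingTemplate("rsa-only", frozenset({("RSA", 2048), ("RSA", 3072), ("RSA", 4096)}), 1, 90, 90)
RSA_AND_EC = IssuingTemplate("rsa-and-ec",
                             frozenset({("RSA", 2048), ("RSA", 3072), ("EC", "P-256"), ("EC", "P-384")}), 1, 365, 90)

if __name__ == "__main__":
    cases = [
        (RSA_ONLY, CertificateRequest("EC", "P-256")),          # EC client against an RSA-only template
        (RSA_AND_EC, CertificateRequest("EC", "P-256")),        # same client, template allows EC
        (RSA_AND_EC, CertificateRequest("RSA", 2048, 30)),      # explicit validity inside the range
        (RSA_ONLY, CertificateRequest("RSA", 2048, 400)),       # explicit validity above the maximum
        (RSA_ONLY, CertificateRequest("RSA", 1024)),            # key size the template does not list
    ]
    for template, request in cases:
        decision = evaluate_request(template, request)
        print(f"{template.name:11} {request.key_algorithm}/{request.key_param}: {decision.reason}")
```

The first case is the one the text calls out: an ACME client configured for EC keys fails against a template that lists only RSA key types, and the fix is on the template (or the client's key type), not in the server.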
Private Key Handling
When you use user-generated CSRs, Next-Gen Trust Security does not enforce private key reuse restrictions. You are responsible for generating and managing private keys according to your security requirements.
Private key reuse enforcement applies only when Next-Gen Trust Security generates the private key.
Viewing ACME Certificate Orders
You can review certificate orders that are submitted through an ACMEv2 server in the Next-Gen Trust Security console.
In the console, go to System Settings, then select ACME Orders to view submitted orders and their status.