Configure ACMEv2 server connection in Next-Gen Trust Security
Use this procedure to create an ACMEv2 server in Next-Gen Trust Security. An ACMEv2 server allows ACME-compatible clients to request certificates by using the ACME protocol.
Before you begin
You need the following before you create an ACMEv2 server:
- A Next-Gen Trust Security account with Integration Administrator permissions.
- At least one configured Application and Issuing Template.
Note: Certificates issued through ACMEv2 servers require user-generated CSRs that are associated with the selected application.
- Optional. A Certificate Tag, if your organization uses tags to categorize certificates.
Important: All ACMEv2 servers use External Account Binding (EAB) for client registration. ACME clients must provide valid EAB credentials, including a Key ID and HMAC key, when creating an account.
Overview
Next-Gen Trust Security supports the Automatic Certificate Management Environment (ACME) protocol as defined in RFC 8555. The ACME protocol enables automated certificate enrollment.
With an ACMEv2 server, you can:
- Create an ACME endpoint for your organization.
- Allow ACME clients that are compatible with EAB to request certificates from Next-Gen Trust Security.
- Issue certificates based on applications and issuing templates so that certificate requests follow defined policies.
For information about how certificate requests are evaluated, issued, and managed when using an ACMEv2 server, see ACME server overview.
Step 1: Create an ACMEv2 server
- Sign in to Next-Gen Trust Security.
- Click Configuration > ACME Servers.
- Select New.
- Enter a Name for the ACMEv2 server.
- Select an Application. For more information, see Create an application.
- Select an Issuing Template. For more information, see Creating issuing templates.
Note: Issuing templates that do not allow CSRs do not appear in the Issuing Template list.
- Optional. Select a Certificate Tag.
- Select Create.
Step 2: Configure the ACMEv2 client connection
After you create the ACMEv2 server, configure your ACME client by using the connection details provided in Next-Gen Trust Security.
Each ACME client has its own configuration process, but all clients require the same core values.
- Copy the following values from Next-Gen Trust Security:
- ACME Directory URL. The endpoint the client uses to discover supported ACME operations.
- EAB Key ID (KID). Identifies the External Account Binding key.
- EAB HMAC Key. A shared secret that authenticates account registration.
- Provide these values to your ACME client by following the client documentation.
- In Next-Gen Trust Security, select Done.
Optional: Deactivate an ACMEv2 server
You can deactivate an ACMEv2 server when it is no longer required.
Warning: Deactivating an ACMEv2 server permanently deactivates all associated ACME accounts.
- Sign in to Next-Gen Trust Security.
- Click Configuration > ACME Servers.
- Select the ACMEv2 server that you want to deactivate.
- Select Deactivate.
ACME protocol limitations
The Next-Gen Trust Security ACMEv2 server does not support the following ACME protocol features:
- Automated certificate renewal
- Certificate revocation using POST /revoke-cert
- Key rollover using POST /key-change
- Authorization challenges such as HTTP-01, DNS-01, and TLS-ALPN-01