ACME integration with TLS Protect

Automatic Certificate Management Environment, usually referred to as ACME, is a simple client/server protocol based on HTTP. The client represents the applicant for a certificate (e.g., a web server operator), and the server (Trust Protection Platform) represents the CA. ACME enables TLS Protect to verify that the applicant owns some number of domains, and then enables the applicant to request certificates for those domains.

IMPORTANT  Venafi's implementation of the ACME protocol was designed and tested for use with the following clients: certbot and win-acme. If you're using a different client, you might encounter limitations. For example, your alternate ACME client might use portions of the ACME protocol that aren't supported by Venafi's integration with the certbot and win-acme clients.

To learn more about certbot, visit https://datatracker.ietf.org/wg/acme/about/.

To learn more about win-acme, visit https://www.win-acme.com/manual/getting-started.

About the ACME protocol

The Automatic Certificate Management Environment (ACME) protocol is a communications protocol for automating interactions between certificate authorities and their users' web servers, allowing the automated deployment of public key infrastructure at very low cost. It was designed by the Internet Security Research Group (ISRG).

Venafi Trust Protection Platform supports some features from both the ACME v1 and v2 protocols.

ACME v1 supports issuing certificates for fully-qualified domains, but does not support issuing wildcard certificates.

ACME v2 is not backwards-compatible with ACME v1. The version 2 specification details support for wildcard domains, allowing for multiple subdomains to be covered by a single TLS certificate (support for this feature is slated for a future Venafi Platform release).

To learn more, visit https://letsencrypt.org/docs/acme-protocol-updates/ and https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment.

About Venafi Support for ACME v2

In this release of Venafi Platform, we support the following:

  • http-01 and dns-01 challenges

  • DNS TXT verification of domain control

  • Wildcard certificate issuance

  • All requited (MUST / REQUIRED / SHALL) components of the ACME v2 specification (RFC8555)

  • Certificate enrollment with multiple domains

  • Elliptic curve key algorithm for account or certificate

  • Account deactivation

  • Certificate revocation through ACME.

This release does not support:

  • KeyChange endpoint

About using the win-acme client

A windows-native ACMEv2 client that is supported by TLS Protect is win-acme, which is a client that is simple, making it easy to start with, but it is also powerful enough for almost any use case. Lear more about it at https://www.win-acme.com.

You can use the win-acme client, but please be aware of the following limitations:

  • Your Venafi server cluster must use a supported Windows operating system. For win-acme, you must be using Windows Server 2016 or later.

  • FIPS compliance should NOT be enabled on the Venafi server.

  • In the win-acme settings JSON file, the DefaultBaseUri field should be set to the TLS Protect ACME server using this pattern:
    https://<server_url>/vacme/v2/<tpp_sub_folder>/.

  • The win-acme client only supports revocation for the reason Unspecified.

  • The win-acme client sends revocation requests to TLS Protect using the account key.