Automatic Certificate Management Environment (ACME) is a communication protocol developed by the IETF ACME working group whose objective is to automate the interactions between Certificate Authorities (CAs) and the users who obtain certificates from them (Hotspotshield, 2017). At the time of the sources cited here (2015 to 2017) the protocol was still an Internet-Draft; it was later published as RFC 8555 in March 2019. The protocol facilitates the automatic deployment of public key infrastructure for security and authentication at a much lower cost than the manual process. It works by exchanging JSON messages over HTTPS (Hotspotshield, 2017). Standardization by the IETF has led to wide availability of free ACME client implementations, and a number of web servers have already incorporated ACME as a built-in function (Barnes, 2015).
Barnes (2015) describes ACME as a simple client-server protocol based on HTTP. In this protocol, the applicant for a certificate is the client and the CA is the server. The main objective of ACME is to let the CA confirm that the applicant controls a set of domain names and to let the applicant request certificates for those names (Barnes, 2015). To make it possible for the CA to confirm that an applicant controls a given domain name, ACME uses an extensible set of challenges. The CA issues the challenges once an applicant requests authorization for a domain. The challenges are designed so that only a party with actual control of the domain can complete them. The challenges described by Barnes (2015) are presenting a specially constructed certificate on an HTTPS virtual host (the TLS-SNI challenge in the drafts, later withdrawn from the final specification and replaced by TLS-ALPN), placing a file in an administrator-controlled directory on the web server (the HTTP challenge) and publishing a DNS record (the DNS challenge). The applicant completes one of the offered challenges and then notifies the CA (Barnes, 2015). The value the applicant must provision is derived from both the challenge token and the applicant's ACME account key, so a provisioned response cannot be reused by a different account. Upon being notified, the CA verifies that the challenge has been solved, for example by making a DNS or HTTP query to fetch the provisioned record. Only if the expected value was provisioned does the CA conclude that the domain's controller has authorized the applicant to act on its behalf (Barnes, 2015).
Barnes, Hoffman-Andrews, and Kasten (2016) point out that under ACME the server is meant to speak for one or more domains, and the certificate issuance process is meant to confirm that the server actually speaks on behalf of those domains. The challenge process verifies that an applicant has actual control of a domain, not that it is the registered owner of the domain. This means that a web hosting provider, for instance, can use these techniques to obtain certificates for a customer's domain. Once it has been established that a client controls a set of domains, the next step is to submit a Certificate Signing Request (CSR), which carries the public key and the names that the certificate should cover (Barnes, 2015). The CA responds to this request by issuing the certificate. The main idea behind the protocol is that deploying a CA-issued certificate should be as easy as deploying a self-signed one, and that once an operator has set this up, the process sustains itself with very little manual intervention (Barnes, Hoffman-Andrews, and Kasten, 2016). The protocol separates certificate issuance from authorization. This makes it easier for an applicant with many domains to mix and match names across different certificates (Barnes, 2015). Barnes (2015) gives the example of a web hosting provider with 20 domains hosted on one server. Such an applicant can carry out one authorization transaction per domain and then allocate the domains to server certificates in whatever way makes sense for the deployment environment.
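The challenge exchange described above (the HTTP and DNS challenges, the CA's check of the provisioned value, and the separation of per-domain authorization from issuance) can be followed in a small model of both sides. The following is an added example written for this page; it is not code from the ACME specification or from any ACME client or CA. It uses the key-authorization construction of the ACME drafts and RFC 8555 (token, a dot, and the RFC 7638 thumbprint of the account key), but the "web server" and "DNS zone" are plain dicts, the domain names are illustrative, and the EC public key coordinates are constructed filler values rather than a real curve point.

```python
"""Model of ACME domain validation (http-01 / dns-01) and order finalization.

Added example, not code from the ACME specification or any ACME client.
CA and client run in one process; a dict stands in for the web server's
document root and another dict for the DNS zone.
"""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, lexically sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint(account key): binds a challenge response to one ACME account."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record_value(key_auth: str) -> str:
    """dns-01 publishes base64url(SHA-256(key authorization)), not the key authorization itself."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def http01_url(domain: str, token: str) -> str:
    return f"http://{domain}/.well-known/acme-challenge/{token}"


class ACMEServer:
    """CA side: issues challenges and validates them by fetching what the client provisioned."""

    def __init__(self, http_fetch, dns_lookup):
        self.http_fetch = http_fetch      # url -> body string or None
        self.dns_lookup = dns_lookup      # (name, rtype) -> list of record values
        self.authorized = set()           # (account thumbprint, domain) pairs that passed

    def new_challenge(self, domain: str) -> dict:
        # Token: at least 128 bits of entropy, base64url so it is safe in URLs and file names.
        return {"domain": domain, "token": b64url(secrets.token_bytes(16))}

    def validate(self, challenge: dict, kind: str, account_jwk: dict) -> bool:
        # The CA computes the expected value from the *requesting* account's key, so a file
        # provisioned for one account is useless to an applicant holding a different key.
        expected = key_authorization(challenge["token"], account_jwk)
        domain = challenge["domain"]
        if kind == "http-01":
            found = self.http_fetch(http01_url(domain, challenge["token"]))
            ok = found is not None and secrets.compare_digest(found.encode(), expected.encode())
        elif kind == "dns-01":
            found = self.dns_lookup(f"_acme-challenge.{domain}", "TXT")
            ok = dns01_record_value(expected) in found
        else:
            raise ValueError(f"unsupported challenge type {kind}")
        if ok:
            self.authorized.add((jwk_thumbprint(account_jwk), domain))
        return ok

    def finalize_order(self, account_jwk: dict, csr_names: list) -> bool:
        """Issuance is separate from authorization: any already-authorized names may be combined."""
        thumb = jwk_thumbprint(account_jwk)
        return all((thumb, name) in self.authorized for name in csr_names)


# Client side: provision the response where the CA will look for it.
def respond_http01(challenge: dict, jwk: dict, webroot: dict) -> None:
    webroot[http01_url(challenge["domain"], challenge["token"])] = key_authorization(challenge["token"], jwk)


def respond_dns01(challenge: dict, jwk: dict, zone: dict) -> None:
    value = dns01_record_value(key_authorization(challenge["token"], jwk))
    zone.setdefault((f"_acme-challenge.{challenge['domain']}", "TXT"), []).append(value)


def run_demo() -> dict:
    """Drive one client and one CA through two challenges and an order; every result should be True."""
    webroot, zone = {}, {}
    ca = ACMEServer(http_fetch=webroot.get, dns_lookup=lambda name, rtype: zone.get((name, rtype), []))
    # Constructed account keys: the x/y values are filler, not real P-256 points (thumbprint only).
    owner = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
    other = dict(owner, x=b64url(b"\x03" * 32))

    c1 = ca.new_challenge("www.example.com")
    respond_http01(c1, owner, webroot)
    c2 = ca.new_challenge("api.example.com")
    respond_dns01(c2, owner, zone)
    return {
        "http01_ok": ca.validate(c1, "http-01", owner),
        "dns01_ok": ca.validate(c2, "dns-01", owner),
        # Same provisioned file, different account key: key authorization does not match.
        "other_account_rejected": not ca.validate(c1, "http-01", other),
        # Names authorized separately can be combined in one certificate.
        "combined_order_ok": ca.finalize_order(owner, ["www.example.com", "api.example.com"]),
        "unauthorized_name_rejected": not ca.finalize_order(owner, ["www.example.com", "mail.example.com"]),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two details matter for security here. The CA never trusts the client's claim that a challenge was solved; it fetches the value itself over the same channel an attacker would have to control. And the provisioned value commits to the account key, which is why the second account in the demo is rejected even though the file for the same token is sitting in the web root.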
References
Barnes, R. (2015). ACME: Better Security through Automation. Retrieved from https://www.internetsociety.org/publications/ietf-journal-november-2015/acme-security-automation
Barnes, R., Hoffman-Andrews, J., and Kasten, J. (2016). Automatic Certificate Management Environment (ACME), draft-ietf-acme-acme-04. Retrieved from https://tools.ietf.org/html/draft-ietf-acme-acme-04
Hotspotshield. (2017). Automated Certificate Management Environment: Definition from the Hotspot Shield Glossary. Retrieved from https://www.hotspotshield.com/glossary/automated-certificate-management-environment/