ACME Protocol (Account Certificate Management Environment)
Protocol Overview:
ACME is a protocol for automating certificate issuance and domain validation, allowing servers and infrastructure software to obtain certificates without user interaction. Use of this protocol should radically simplify the deployment of HTTPS and make PKIX authentication practical for other protocols based on Transport Layer Security (TLS).
Deployment Model:
The two main roles in ACME are "client" and "server". The ACME client uses the protocol to request certificate management actions, such as issuance or revocation. An ACME client may run on a web server, mail server, or some other server system that requires valid TLS certificates. Alternatively, it may run on a separate server that does not consume the certificate but is authorized to respond to a CA-provided challenge. The ACME server runs at a certification authority and responds to client requests, performing the requested actions if the client is authorized.
If the client wants to deploy an HTTPS server using ACME, the experience would be something like this:
- The ACME client prompts the operator for the intended domain name(s) that the web server is to stand for.
- The ACME client presents the operator with a list of CAs from which it could get a certificate. (This list will change over time based on the capabilities of CAs and updates to ACME configuration.) The ACME client might prompt the operator for payment information at this point.
- The operator selects a CA.
- In the background, the ACME client contacts the CA and requests that it issue a certificate for the intended domain name(s).
- The CA verifies that the client controls the requested domain name(s).
- Once the CA is satisfied, the certificate is issued and the ACME client automatically downloads and installs it, potentially notifying the operator via email, SMS, etc.
- The ACME client periodically contacts the CA to get updated certificates.
In this way, it would be nearly as easy to deploy with a CA-issued certificate as with a self-signed certificate. Furthermore, the maintenance of that CA-issued certificate would require minimal manual intervention.
Functions performed by ACME:
- Account Creation
- Ordering a Certificate
- Identifier Authorization
- Certificate Issuance
- Certificate Revocation
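The account-creation and identifier-authorization steps listed above, simulated in Python as an added example (not code from the original page or from any ACME implementation): a mock CA binds each challenge to the account key that placed the order and checks the client's response by recomputing the RFC 8555 key authorization (the challenge token, a dot, and the RFC 7638 thumbprint of the account key). The MockCA class and the two JWKs are constructed for the example; the JWS-signed HTTPS requests of a real ACME exchange are omitted.

```python
import base64, hashlib, json, secrets

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA JWK: SHA-256 over the required members
    (e, kty, n) serialised in lexicographic order with no whitespace."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token, a dot, then the account key thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

class MockCA:
    """Constructed stand-in for the ACME server: no network or JWS, only the binding logic."""
    def __init__(self):
        self.accounts = {}    # account id -> JWK that created it
        self.challenges = {}  # challenge token -> (account id, domain)

    def new_account(self, jwk: dict) -> str:
        acct = "acct-" + jwk_thumbprint(jwk)[:8]
        self.accounts[acct] = jwk
        return acct

    def new_order(self, acct: str, domain: str) -> str:
        """Return the challenge token the client must answer for `domain`."""
        token = b64url(secrets.token_bytes(32))
        self.challenges[token] = (acct, domain)
        return token

    def validate(self, token: str, published: str) -> bool:
        """Recompute the expected response from the key that owns the order; other keys must fail."""
        acct = self.challenges[token][0]
        expected = key_authorization(token, self.accounts[acct])
        return secrets.compare_digest(expected, published)

# Constructed sample JWKs for the demo; the "n" values are placeholders, not real moduli.
ALICE_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-alice"}
MALLORY_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-mallory"}

def demo() -> tuple:
    ca = MockCA()
    acct = ca.new_account(ALICE_JWK)
    token = ca.new_order(acct, "example.com")
    genuine = ca.validate(token, key_authorization(token, ALICE_JWK))
    forged = ca.validate(token, key_authorization(token, MALLORY_JWK))
    return genuine, forged
```

The check in `validate` is the defender's side of "the CA verifies that the client controls the requested domain name(s)": a response built with any account key other than the one that placed the order is rejected even though the token itself is public.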