Automatic Certificate Management Environment

from Wikipedia, the free encyclopedia

The Automatic Certificate Management Environment (ACME) is a protocol for automatically verifying that a client controls an Internet domain name; it is used to simplify the issuance of digital certificates for TLS. Its aim is to issue certificates automatically and at very low cost. It was designed by the Internet Security Research Group (ISRG) for use by the Let's Encrypt service.

The protocol is based on JSON-formatted messages exchanged over HTTPS; every client request is signed with the account's private key as a JSON Web Signature (JWS), and domain control is proven by answering a challenge (for example, serving a file over HTTP or publishing a DNS TXT record) derived from a server-issued token and the account key. The protocol was standardized as RFC 8555 in March 2019.
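As an added example (not code from the page or from any ACME client), the following computes the two challenge responses the paragraph above alludes to, following RFC 8555 §8.1 (key authorization), §8.3 (http-01), §8.4 (dns-01) and RFC 7638 (JWK thumbprint). The account key coordinates, the account URL and the token are constructed placeholders, not real values.

```python
"""ACME challenge responses: key authorization, http-01 body and dns-01 TXT value.
Added example; the EC key coordinates and the token are constructed placeholders."""
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout (RFC 8555 §6.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638 §3.2: the thumbprint hashes only the required public members of the
# key type, serialized with members in lexicographic order and no whitespace.
# Optional members such as "kid", "use" or "alg" never enter the hash.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JSON of the required JWK members))."""
    try:
        members = REQUIRED_MEMBERS[jwk["kty"]]
    except KeyError:
        raise ValueError("unsupported key type: %r" % jwk.get("kty"))
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


# RFC 8555 §8.3: a token consists only of base64url characters, no padding.
# Check it before using it as a file name or URL path component, so a hostile
# or buggy server cannot steer where the client writes with a token like "../x".
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 §8.1: keyAuthorization = token || '.' || base64url(thumbprint)."""
    if not TOKEN_RE.match(token):
        raise ValueError("challenge token is not base64url: %r" % token)
    return token + "." + jwk_thumbprint(account_jwk)


def http01_response(token: str, account_jwk: dict) -> tuple:
    """Path and body the client must serve on port 80 for http-01."""
    return ("/.well-known/acme-challenge/" + token,
            key_authorization(token, account_jwk))


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value of the _acme-challenge.<domain> TXT record for dns-01:
    base64url(SHA-256(keyAuthorization)); the key authorization itself
    is never published in DNS."""
    ka = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(ka).digest())


# Constructed example account key: a P-256 JWK with placeholder coordinates
# (not a valid curve point, which does not matter for demonstrating the hashing).
EXAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
    "kid": "https://acme.example/acme/acct/1",  # assumed account URL; ignored by the thumbprint
}
EXAMPLE_TOKEN = "gJtcH3GypmGx3bTmfD8c7OFbq9JwGWk8xxhAPvC3O0I"  # constructed


if __name__ == "__main__":
    path, body = http01_response(EXAMPLE_TOKEN, EXAMPLE_JWK)
    print("serve", path, "with body", body)
    print("_acme-challenge TXT:", dns01_txt_value(EXAMPLE_TOKEN, EXAMPLE_JWK))
```

The thumbprint deliberately drops everything but the required members, so renaming the account (`kid`) or adding `use`/`alg` does not change the value the CA expects to see; and because dns-01 publishes only a hash of the key authorization, an observer of DNS learns nothing that lets them answer a fresh challenge for the same account.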

Versions

ACMEv1

ACME version 1 was released on April 12, 2016. With this version, certificates for single or multiple fully qualified host names, e.g. example.com or cluster.example.com, can be issued. Let's Encrypt allows up to 100 domain names per certificate. Let's Encrypt recommends that users migrate to version 2 as soon as possible, since version 1 will no longer be supported in the foreseeable future.

ACMEv2

In addition to full domain names, ACME version 2 also supports wildcard names in certificates, e.g. *.example.com. This allows many or frequently changing subdomains, such as cluster1000.example.com through cluster9999.example.com, to be secured with a single wildcard certificate for *.example.com. Note that host names one level deeper (e.g. www.cluster1234.example.com) and the bare domain itself (example.com) are not covered by the wildcard, because the wildcard matches exactly one DNS label. These names must appear as additional entries (Subject Alternative Names) in the certificate, or a separate certificate must be issued for them.

RFC 6125 recommends against wildcard certificates for security reasons: a wildcard certificate's private key covers every host under the name, so a compromise of one host exposes them all. Since ACME lets certificates be obtained online at any time, in many cases the need for wildcards disappears.
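As an added example (not code from the page), the following implements the wildcard matching rule RFC 6125 §6.4.3 describes and then reports which host names a wildcard certificate does not cover and therefore need their own Subject Alternative Name. Only a whole left-most label may be a wildcard (partial forms such as f*.example.com, which RFC 6125 merely permits and Let's Encrypt does not issue, are rejected), and the wildcard matches exactly one label. The host names at the bottom are constructed.

```python
"""Wildcard dNSName matching per RFC 6125 §6.4.3 and SAN coverage check.
Added example; host names are constructed."""


def _labels(name: str) -> list:
    """Lower-case DNS labels of a name; a trailing dot is tolerated."""
    labels = name.lower().rstrip(".").split(".")
    if any(lbl == "" for lbl in labels):
        raise ValueError("empty label in %r" % name)
    return labels


def dns_name_matches(presented: str, reference: str) -> bool:
    """Does the certificate name `presented` cover the host `reference`?"""
    p, r = _labels(presented), _labels(reference)
    if any("*" in lbl for lbl in r):
        return False                  # a reference identifier never carries a wildcard
    if "*" not in presented:
        return p == r                 # plain name: exact, case-insensitive match
    # Wildcard rules: the whole left-most label and nothing else may be "*",
    # and at least two labels must follow it so that "*.com" is never accepted.
    # A production implementation additionally consults the Public Suffix List
    # to refuse names like "*.co.uk"; that list is not embedded here.
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]) or len(p) < 3:
        return False
    # "*" matches exactly one label: same label count, identical remainder.
    return len(r) == len(p) and r[1:] == p[1:]


def names_needing_own_san(hosts, san_entries) -> list:
    """Hosts not covered by any dNSName in `san_entries`; each of these must be
    listed explicitly in the certificate or receive a certificate of its own."""
    return sorted(h for h in hosts
                  if not any(dns_name_matches(s, h) for s in san_entries))


if __name__ == "__main__":
    # Constructed host names mirroring the page's cluster example.
    hosts = ["cluster1000.example.com", "cluster9999.example.com",
             "www.cluster1234.example.com", "example.com"]
    print(names_needing_own_san(hosts, ["*.example.com"]))
    # → ['example.com', 'www.cluster1234.example.com']
```

Running the check before requesting a certificate avoids the common deployment mistake of issuing *.example.com and then discovering that the apex name and any deeper host names still fail TLS verification.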

References

  1. RFC 8555 - Automatic Certificate Management Environment (ACME). Internet Engineering Task Force, March 2019.
  2. Steven J. Vaughan-Nichols: Securing the web once and for all: The Let's Encrypt Project. ZDNet, April 9, 2015.
  3. ietf-wg-acme/acme. github.com. Retrieved January 6, 2017.
  4. Rate Limits - Let's Encrypt. letsencrypt.org, accessed March 27, 2018.
  5. ACME Client Implementations - Let's Encrypt. letsencrypt.org, accessed March 27, 2018.
  6. ACME v2 API Endpoint Coming January 2018 - Let's Encrypt. letsencrypt.org, accessed March 27, 2018.
  7. RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS). Internet Engineering Task Force, March 2011, p. 31: "This document states that the wildcard character '*' SHOULD NOT be included in presented identifiers but MAY be checked by application clients (mainly for the sake of backward compatibility with deployed infrastructure). [...] Several security considerations justify tightening the rules: [...]"