ACME server overview
An ACMEv2 server in CyberArk Certificate Manager - SaaS lets ACME-compatible clients request certificates over the ACME protocol. The ACMEv2 server defines how certificate requests are authenticated, evaluated, and issued, based on the configured applications and issuing templates.
This topic explains how ACMEv2 servers work, including client interaction, certificate lifecycle behavior, and how certificate requests are processed in Certificate Manager - SaaS.
How certificate requests work with ACMEv2 servers
This section explains how certificate requests are evaluated and issued when you use an ACMEv2 server.
ACME client interaction model
Certificate Manager - SaaS uses ACME with External Account Binding (EAB) for client authentication.
ACME clients that are compatible with EAB, such as Lego or cert-manager, can connect to an ACMEv2 server and submit certificate signing requests (CSRs).
Certificate issuance does not require domain ownership validation. ACME challenge types such as HTTP-01, DNS-01, and TLS-ALPN-01 are not used. Certificates are issued based on the configured application and issuing template.
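External Account Binding is the mechanism that ties an ACME account to credentials the server handed out in advance: the client wraps its account public key (as a JWK) in an HMAC-signed JWS whose `kid` is the EAB key ID, and sends that object in the `externalAccountBinding` field of its `newAccount` request (RFC 8555, section 7.3.4). The following is an added example, not code from Certificate Manager - SaaS or from any ACME client; it builds the binding the way a client does and checks it the way a server does, using only the Python standard library. The key ID, HMAC key, account URL and the JWK coordinates are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed sample values; a real server issues these when it enrolls a client.
EAB_KID = "example-kid-0001"
EAB_HMAC_KEY = b64url(b"constructed-demo-secret-not-a-real-key")  # delivered base64url-encoded
NEW_ACCOUNT_URL = "https://acme.example.invalid/acme/new-account"

# Constructed account public key as a JWK (EC P-256; coordinates are placeholders).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}


def build_eab(account_jwk: dict, kid: str, hmac_key_b64url: str, new_account_url: str) -> dict:
    """Client side: JWS with HS256 over the account JWK, keyed by the EAB HMAC key."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_eab(eab: dict, account_jwk: dict, hmac_keys_by_kid: dict, expected_url: str) -> bool:
    """Server side: accept only an HS256 JWS for the right URL, a known kid, a valid
    MAC, and a payload JWK identical to the key that signed the outer newAccount JWS."""
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
        signature = b64url_decode(eab["signature"])
        signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    except (KeyError, ValueError, TypeError):
        return False
    if protected.get("alg") != "HS256" or protected.get("url") != expected_url:
        return False
    hmac_key = hmac_keys_by_kid.get(protected.get("kid"))
    if hmac_key is None:
        return False
    expected = hmac.new(b64url_decode(hmac_key), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return False
    try:
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
    except ValueError:
        return False
    return bound_jwk == account_jwk


def new_account_body(account_jwk: dict, eab: dict, contact: str) -> dict:
    """The newAccount payload that carries the binding (before outer JWS signing)."""
    return {"termsOfServiceAgreed": True, "contact": [contact], "externalAccountBinding": eab}


if __name__ == "__main__":
    eab = build_eab(ACCOUNT_JWK, EAB_KID, EAB_HMAC_KEY, NEW_ACCOUNT_URL)
    print(json.dumps(new_account_body(ACCOUNT_JWK, eab, "mailto:pki@example.invalid"), indent=2))
    print("server accepts:", verify_eab(eab, ACCOUNT_JWK, {EAB_KID: EAB_HMAC_KEY}, NEW_ACCOUNT_URL))
```

Because the binding is the only thing standing between an unauthenticated client and a certificate here (no HTTP-01 or DNS-01 challenge follows), the EAB key ID and HMAC key deserve the same handling as any other enrollment credential: per-client keys, stored in a secret store, and rotated when a client is retired.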
Certificate lifecycle behavior
Certificates issued by an ACMEv2 server are renewed by submitting a new certificate order and CSR. The ACME renewal workflow is not used.
Key type requirements
The issuing template controls which key types are allowed for certificate requests.
If your ACME client is configured to use Elliptic Curve (EC) keys, the issuing template must allow EC key types. Certificate requests must use a key type that is permitted by the issuing template.
Certificate validity handling
Issuing templates define the allowed certificate validity range.
- If a request specifies a validity period outside the allowed range, the request is rejected.
- If a request does not specify a validity period, the issuing template default validity settings apply.
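The key type rule and the validity rule above are both decided by the issuing template, so they can be modelled as one evaluation step over an incoming order. The following is an added example, not code from Certificate Manager - SaaS; the `IssuingTemplate` fields and the key type labels are a hypothetical model of the settings the page describes, and the caller is assumed to have already extracted the key type from the CSR. The validity period comes from the ACME order's optional `notBefore` and `notAfter` fields (RFC 8555, section 7.4); when they are absent the template default applies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class IssuingTemplate:
    """Hypothetical model of the issuing-template settings that govern an ACME order."""
    allowed_key_types: FrozenSet[str]   # e.g. {"RSA-2048", "RSA-3072", "EC-P256"}
    min_validity_days: int
    max_validity_days: int
    default_validity_days: int


def parse_rfc3339(timestamp: str) -> datetime:
    """ACME order timestamps are RFC 3339; normalise a trailing 'Z' for fromisoformat."""
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00"))


def evaluate_order(
    template: IssuingTemplate,
    csr_key_type: str,
    not_before: Optional[str] = None,
    not_after: Optional[str] = None,
    now: Optional[datetime] = None,
) -> Tuple[bool, str, Optional[int]]:
    """Return (accepted, reason, effective validity in days or None when rejected)."""
    now = now or datetime.now(timezone.utc)

    # Rule 1: the CSR key type must be one the template permits (an EC key against a
    # template that only allows RSA is the case the page calls out).
    if csr_key_type not in template.allowed_key_types:
        return False, f"key type {csr_key_type} is not permitted by the issuing template", None

    # Rule 2: no requested validity -> template default.
    if not_after is None:
        return True, "no validity requested; template default applied", template.default_validity_days

    # Rule 2 continued: a requested validity must fall inside the template's range.
    start = parse_rfc3339(not_before) if not_before else now
    end = parse_rfc3339(not_after)
    requested_days = (end - start) / timedelta(days=1)
    if requested_days < template.min_validity_days or requested_days > template.max_validity_days:
        return (
            False,
            f"requested validity of {requested_days:g} days is outside the allowed range "
            f"{template.min_validity_days}-{template.max_validity_days} days",
            None,
        )
    return True, "requested validity accepted", int(round(requested_days))


# Constructed template and orders for a stand-alone run.
DEMO_TEMPLATE = IssuingTemplate(
    allowed_key_types=frozenset({"RSA-2048", "RSA-3072"}),
    min_validity_days=1,
    max_validity_days=90,
    default_validity_days=30,
)
DEMO_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    cases = [
        ("EC-P256", None, None),                            # rejected: EC not allowed
        ("RSA-2048", None, None),                           # accepted with default validity
        ("RSA-2048", "2024-01-01T00:00:00Z", "2024-03-01T00:00:00Z"),  # 60 days, in range
        ("RSA-2048", "2024-01-01T00:00:00Z", "2025-01-01T00:00:00Z"),  # 366 days, rejected
    ]
    for key_type, nb, na in cases:
        print(key_type, nb, na, "->", evaluate_order(DEMO_TEMPLATE, key_type, nb, na, DEMO_NOW))
```

Running the evaluation before the order reaches the CA, and logging the reason string alongside the EAB key ID, gives an operator a direct answer to the most common support question with this setup: why a client that was working yesterday is now being rejected after its key type or requested lifetime changed.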
Private key handling
When you use user-generated CSRs, Certificate Manager - SaaS does not enforce private key reuse restrictions. You are responsible for generating and managing private keys according to your security requirements.
Private key reuse enforcement applies only when Certificate Manager - SaaS generates the private key.
Viewing ACME certificate orders
You can review certificate orders that are submitted through an ACMEv2 server in the Certificate Manager - SaaS console.
In the console, go to Settings, then select ACME Orders to view submitted orders and their status.